UI: allow retries for MFA form errors #27574
Conversation
github-actions
bot
added
the
hashicorp-contributed-pr
noelledaley
changed the title
|
CI Results: |
noelledaley
added
backport/1.17.x
backport/ent/1.16.x+ent
noelledaley
force-pushed
the
ui/fix-mfa-reattempts
branch
from
456306a
to
8e8ad5c
Compare
|
Build Results: |
| @@ -173,9 +173,11 @@ module('Integration | Component | mfa-form', function (hooks) { | |||
| // TODO JLR: It doesn't appear that cancelTimers is working and tests wait for the full countdown | |||
| test('it should show countdown on passcode already used and rate limit errors', async function (assert) { | |||
| const messages = { | |||
| used: 'code already used; new code is available in 45 seconds', | |||
| used: 'code already used; new code is available in 30 seconds', | |||
| // there an intentional typo in the error message (30s seconds) | |||
There was a problem hiding this comment.
Thank you for this comment! "Typo" is a little ambiguous. I wonder if it's worth explicitly saying "the backend returns duplicate duration s" or something to make it clearer what the typo is?
Also, were you able to verify if this test failed or passed with the prior code when the seconds didn't end in 0? If so, it may be worth mentioning that somewhere that the regex didn't account for times ended in 0
There was a problem hiding this comment.
yep, the tests failed once i used the old regex. and i added a comment about the backend returning a duplicate string, thanks!
noelledaley
force-pushed
the
ui/fix-mfa-reattempts
branch
from
8e8ad5c
to
d06bea2
Compare
ui/app/components/mfa/mfa-form.js
Outdated
| const delayRegExMatches = errorMessage.match(/(\d+\w seconds)/); | ||
| if (delayRegExMatches) { | ||
| delay = delayRegExMatches[0].split(' ')[0]; | ||
| } else { | ||
| // default to 30 seconds if no delay is found | ||
| delay = 30; | ||
| } | ||
| this.countdown = parseInt(delay); |
There was a problem hiding this comment.
fixing this ding-dang regex was what resolved the bug 🙃
i also opted to add a safe default of 30s in case the API error message changes again too. it'll only apply if the error message contains the phrases from lines 89-90 above though, which will prevent us from adding a timeout if the API errors for an unrelated reason.
| assert.dom('[data-test-mfa-validate]').isDisabled('Button is disabled during countdown'); | ||
| assert.dom('[data-test-mfa-passcode]').isDisabled('Input is disabled during countdown'); | ||
| assert.dom('[data-test-inline-error-message]').exists('Alert message renders'); | ||
| } | ||
| }); | ||
|
|
||
| test('it defaults countdown to 30 seconds if error message does not indicate when user can try again ', async function (assert) { |
There was a problem hiding this comment.
test coverage for the default timeout that i added
| // parse validity period from error string to initialize countdown | ||
| this.countdown = parseInt(message.match(/(\d\w seconds)/)[0].split(' ')[0]); | ||
| const delayRegExMatches = errorMessage.match(/(\d+\w seconds)/); |
There was a problem hiding this comment.
Great idea wrapping this in a conditional!
ui/app/components/mfa/mfa-form.js
Outdated
| if (delayRegExMatches) { | ||
| delay = delayRegExMatches[0].split(' ')[0]; | ||
| } else { | ||
| // default to 30 seconds if no delay is found |
There was a problem hiding this comment.
This also means we'll set a default if the parsed integer is 0. 🤔 I think this is okay...(I'm not sure a 0s period is even possible) Maybe adding to the comment here to remind future devs that this else block will also be hit if the delay is zero?
There was a problem hiding this comment.
fair point, i'll update the conditional to if (delayRegExMatches && delayRegExMatches.length) to make that more explicit 😎
noelledaley
force-pushed
the
ui/fix-mfa-reattempts
branch
from
31d61fa
to
29a98ae
Compare
noelledaley
force-pushed
the
ui/fix-mfa-reattempts
branch
from
29a98ae
to
3b57f9c
Compare
noelledaley
added
the
backport/ent/1.15.x+ent
🛠️ Description
Fixes a bug where the MFA form wasn't displaying an error message nor countdown when a user tried to enter an incorrect one-time password too many times.
Fixes JIRA ticket # VAULT-28437
📸 Screenshots
Before (notice missing error banner)
After (error banner & countdown shown, button disabled)
🏗️ How to Build and Test the Change
To replicate this you'll need to set up MFA and a userpass user. I recommend having two browser windows open: one for the
rootuser and one for a userpass user.testwith all privileges (so the user can eventually enable MFA on their login):userpassauth methodtestpolicyVaultas the issuer (though it doesn't really matter). Enter 2 as the max validation attempts. Under Enforcements select "skip this step".60c04ac9-943b-79f6-f466-e1f1d2c2fe19inmfa/methods/60c04ac9-943b-79f6-f466-e1f1d2c2fe19TODO only if you're a HashiCorp employee
getting backported to N-2, use the new style
backport/ent/x.x.x+entlabelsinstead of the old style
backport/x.x.xlabels.the normal
backport/x.x.xlabel (there should be only 1).of a public function, even if that change is in a CE file, double check that
applying the patch for this PR to the ENT repo and running tests doesn't
break any tests. Sometimes ENT only tests rely on public functions in CE
files.
in the PR description, commit message, or branch name.
description. Also, make sure the changelog is in this PR, not in your ENT PR.