Diffstat (limited to 'test/integration/twofa_test.rb')
-rw-r--r--test/integration/twofa_test.rb26
1 files changed, 26 insertions, 0 deletions
diff --git a/test/integration/twofa_test.rb b/test/integration/twofa_test.rb
index 7aa8ec4ac..d81bf6291 100644
--- a/test/integration/twofa_test.rb
+++ b/test/integration/twofa_test.rb
@@ -102,6 +102,7 @@ class TwofaTest < Redmine::IntegrationTest
end
test "should generate and accept backup codes" do
+ # this also checks that all actions with secrets aren't cached
log_user('jsmith', 'jsmith')
get "/my/account"
assert_response :success
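Review bot: The comment added at the top of the test promises more than the test checks: it says "all actions with secrets aren't cached", but the assertions below only inspect the Cache-Control header of four specific responses (the TOTP activation confirm page, the backup-code confirm page, the generated backup-code listing and the login-time 2FA prompt). A reader looking for coverage of other secret-bearing responses will be misled. I would make the comment name what is actually asserted, e.g. `# also asserts that responses exposing the TOTP secret or backup codes are sent with Cache-Control: no-store`. The rest of the test body continues outside this hunk.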
@@ -109,6 +110,7 @@ class TwofaTest < Redmine::IntegrationTest
assert_redirected_to "/my/twofa/totp/activate/confirm"
follow_redirect!
assert_response :success
+ assert_includes @response.headers['Cache-Control'], 'no-store'
totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
@@ -121,12 +123,14 @@ class TwofaTest < Redmine::IntegrationTest
assert_redirected_to "/my/twofa/backup_codes/confirm"
follow_redirect!
assert_response :success
+ assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select 'form', /Please enter your two-factor authentication code/i
post "/my/twofa/backup_codes/create", params: {twofa_code: "wrong"}
assert_redirected_to "/my/twofa/backup_codes/confirm"
follow_redirect!
assert_response :success
+ assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select 'form', /Please enter your two-factor authentication code/i
# prevent replay attack prevention from kicking in
@@ -136,6 +140,7 @@ class TwofaTest < Redmine::IntegrationTest
assert_redirected_to "/my/twofa/backup_codes"
follow_redirect!
assert_response :success
+ assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select ".flash", /your backup codes have been generated/i
assert code = response.body.scan(/<code>([a-z0-9]{4} [a-z0-9]{4} [a-z0-9]{4})<\/code>/).flatten.first
@@ -155,6 +160,7 @@ class TwofaTest < Redmine::IntegrationTest
}
assert_redirected_to "/account/twofa/confirm"
follow_redirect!
+ assert_includes @response.headers['Cache-Control'], 'no-store'
assert_select "#login-form h3", /two-factor authentication/i
post "/account/twofa", params: {twofa_code: code}
@@ -213,6 +219,26 @@ class TwofaTest < Redmine::IntegrationTest
end
end
+ test "should deny showing twofa information again" do
+ log_user('jsmith', 'jsmith')
+ get "/my/account"
+ assert_response :success
+ post "/my/twofa/totp/activate/init"
+ assert_redirected_to "/my/twofa/totp/activate/confirm"
+ follow_redirect!
+ assert_response :success
+
+ totp = ROTP::TOTP.new User.find_by_login('jsmith').twofa_totp_key
+ post "/my/twofa/totp/activate", params: {twofa_code: totp.now}
+ assert_redirected_to "/my/account"
+ follow_redirect!
+ assert_response :success
+ assert_select '.flash', /Two-factor authentication successfully enabled/i
+
+ get "/my/twofa/totp/activate/confirm"
+ assert_redirected_to "/my/account"
+ end
+
def test_enable_twofa_should_destroy_tokens
recovery_token = Token.create!(:user_id => 2, :action => 'recovery')
autologin_token = Token.create!(:user_id => 2, :action => 'autologin')