authorClément Michaud <clement.michaud34@gmail.com>2020-02-01 13:54:50 +0100
committerGitHub <noreply@github.com>2020-02-01 13:54:50 +0100
commitea9b408b70f67a828acae47399330b439daf3a19 (patch)
treed154d1b4d4660b26bf4694786b969bb1d95a358c /internal/handlers/handler_sign_u2f_step2_test.go
parent05592cbe2d278d3f8efa5ae34df210084387ab7a (diff)
[FIX] Fix default redirection URL not taken into account (#600)
* Remove unused mongo docker-compose file. * Default redirection URL was not taken into account. * Fix possible storage options in config template. * Remove useless checks in u2f registration endpoints. * Add default redirection url in config of duo suite. * Fix log line in response handler of 2FA methods. * Fix integration tests. Co-authored-by: Amir Zarrinkafsh <nightah@me.com>
Diffstat (limited to 'internal/handlers/handler_sign_u2f_step2_test.go')
-rw-r--r--internal/handlers/handler_sign_u2f_step2_test.go111
1 files changed, 111 insertions, 0 deletions
diff --git a/internal/handlers/handler_sign_u2f_step2_test.go b/internal/handlers/handler_sign_u2f_step2_test.go
new file mode 100644
index 000000000..5453fe95e
--- /dev/null
+++ b/internal/handlers/handler_sign_u2f_step2_test.go
@@ -0,0 +1,111 @@
+package handlers
+
+import (
+ "encoding/json"
+ "testing"
+
+ "github.com/authelia/authelia/internal/mocks"
+ "github.com/authelia/authelia/internal/session"
+ "github.com/golang/mock/gomock"
+ "github.com/stretchr/testify/suite"
+ "github.com/tstranex/u2f"
+)
+
+type HandlerSignU2FStep2Suite struct {
+ suite.Suite
+
+ mock *mocks.MockAutheliaCtx
+}
+
+func (s *HandlerSignU2FStep2Suite) SetupTest() {
+ s.mock = mocks.NewMockAutheliaCtx(s.T())
+ userSession := s.mock.Ctx.GetSession()
+ userSession.Username = "john"
+ userSession.U2FChallenge = &u2f.Challenge{}
+ userSession.U2FRegistration = &session.U2FRegistration{}
+ s.mock.Ctx.SaveSession(userSession)
+}
+
+func (s *HandlerSignU2FStep2Suite) TearDownTest() {
+ s.mock.Close()
+}
+
+func (s *HandlerSignU2FStep2Suite) TestShouldRedirectUserToDefaultURL() {
+ u2fVerifier := NewMockU2FVerifier(s.mock.Ctrl)
+
+ u2fVerifier.EXPECT().
+ Verify(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
+ Return(nil)
+
+ s.mock.Ctx.Configuration.DefaultRedirectionURL = "http://redirection.local"
+
+ bodyBytes, err := json.Marshal(signU2FRequestBody{
+ SignResponse: u2f.SignResponse{},
+ })
+ s.Require().NoError(err)
+ s.mock.Ctx.Request.SetBody(bodyBytes)
+
+ SecondFactorU2FSignPost(u2fVerifier)(s.mock.Ctx)
+ s.mock.Assert200OK(s.T(), redirectResponse{
+ Redirect: "http://redirection.local",
+ })
+}
+
+func (s *HandlerSignU2FStep2Suite) TestShouldNotReturnRedirectURL() {
+ u2fVerifier := NewMockU2FVerifier(s.mock.Ctrl)
+
+ u2fVerifier.EXPECT().
+ Verify(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
+ Return(nil)
+
+ bodyBytes, err := json.Marshal(signU2FRequestBody{
+ SignResponse: u2f.SignResponse{},
+ })
+ s.Require().NoError(err)
+ s.mock.Ctx.Request.SetBody(bodyBytes)
+
+ SecondFactorU2FSignPost(u2fVerifier)(s.mock.Ctx)
+ s.mock.Assert200OK(s.T(), nil)
+}
+
+func (s *HandlerSignU2FStep2Suite) TestShouldRedirectUserToSafeTargetURL() {
+ u2fVerifier := NewMockU2FVerifier(s.mock.Ctrl)
+
+ u2fVerifier.EXPECT().
+ Verify(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
+ Return(nil)
+
+ bodyBytes, err := json.Marshal(signU2FRequestBody{
+ SignResponse: u2f.SignResponse{},
+ TargetURL: "https://mydomain.local",
+ })
+ s.Require().NoError(err)
+ s.mock.Ctx.Request.SetBody(bodyBytes)
+
+ SecondFactorU2FSignPost(u2fVerifier)(s.mock.Ctx)
+ s.mock.Assert200OK(s.T(), redirectResponse{
+ Redirect: "https://mydomain.local",
+ })
+}
+
+func (s *HandlerSignU2FStep2Suite) TestShouldNotRedirectToUnsafeURL() {
+ u2fVerifier := NewMockU2FVerifier(s.mock.Ctrl)
+
+ u2fVerifier.EXPECT().
+ Verify(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
+ Return(nil)
+
+ bodyBytes, err := json.Marshal(signU2FRequestBody{
+ SignResponse: u2f.SignResponse{},
+ TargetURL: "http://mydomain.local",
+ })
+ s.Require().NoError(err)
+ s.mock.Ctx.Request.SetBody(bodyBytes)
+
+ SecondFactorU2FSignPost(u2fVerifier)(s.mock.Ctx)
+ s.mock.Assert200OK(s.T(), nil)
+}
+
+func TestRunHandlerSignU2FStep2Suite(t *testing.T) {
+ suite.Run(t, new(HandlerSignU2FStep2Suite))
+}
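Review bot: The redirect-safety cases differ only in scheme: TestShouldNotRedirectToUnsafeURL sends `http://mydomain.local` and the accepted case sends `https://mydomain.local`, so nothing here covers an https target on a host outside the protected domain, which is the case that matters most for open-redirect protection. SetupTest does not visibly set a session domain, so this hunk does not show which domain the handler compares the target against; setting it explicitly in the suite and adding a foreign-host case like the one below would pin that behaviour. Every test also stubs Verify with `Return(nil)`, so the path where signature verification fails, and must produce neither a redirect nor an elevated session, is not tested in this file.

```go
// Assumes the suite configures a protected domain that does not include this host.
func (s *HandlerSignU2FStep2Suite) TestShouldNotRedirectToForeignDomain() {
	u2fVerifier := NewMockU2FVerifier(s.mock.Ctrl)

	u2fVerifier.EXPECT().
		Verify(gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any()).
		Return(nil)

	bodyBytes, err := json.Marshal(signU2FRequestBody{
		SignResponse: u2f.SignResponse{},
		// Constructed sample host: https scheme, but outside the protected domain.
		TargetURL: "https://other-domain.example",
	})
	s.Require().NoError(err)
	s.mock.Ctx.Request.SetBody(bodyBytes)

	SecondFactorU2FSignPost(u2fVerifier)(s.mock.Ctx)
	// No redirect may be returned for a target outside the protected domain.
	s.mock.Assert200OK(s.T(), nil)
}
```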