Prohibit authenticated EPP user from logging in again

Fixes #1313
internetee · Sep 13, 2019 · c89e85d · c89e85d
1 parent fdea351
commit c89e85d
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 3 deletions.
diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
@@ -82,12 +82,24 @@ def login
 
       if success
         new_password = params[:parsed_frame].at_css('newPW')&.text
+        password_change = new_password.present?
 
-        if new_password.present?
+        if password_change
           @api_user.plain_text_password = new_password
           @api_user.save!
         end
 
+        already_authenticated = EppSession.exists?(session_id: epp_session_id)
+
+        if !password_change && already_authenticated
+          epp_errors << {
+            msg: 'Command use error; Already authenticated',
+            code: 2002,
+          }
+          handle_errors
+          return
+        end
+
         epp_session = EppSession.new
         epp_session.session_id = epp_session_id
         epp_session.user = @api_user

diff --git a/test/integration/epp/login_test.rb b/test/integration/epp/login_test.rb
@@ -30,8 +30,34 @@ def test_correct_credentials
     assert_epp_response :completed_successfully
   end
 
-  def test_already_logged_in
-    assert true # Handled by mod_epp
+  def test_user_cannot_login_again
+    session = epp_sessions(:api_bestnames)
+    user = session.user
+
+    request_xml = <<-XML
+      <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+      <epp xmlns="https://epp.tld.ee/schema/epp-ee-1.0.xsd">
+        <command>
+          <login>
+            <clID>#{user.username}</clID>
+            <pw>#{user.plain_text_password}</pw>
+            <options>
+              <version>1.0</version>
+              <lang>en</lang>
+            </options>
+            <svcs>
+              <objURI>https://epp.tld.ee/schema/domain-eis-1.0.xsd</objURI>
+              <objURI>https://epp.tld.ee/schema/contact-ee-1.1.xsd</objURI>
+              <objURI>urn:ietf:params:xml:ns:host-1.0</objURI>
+              <objURI>urn:ietf:params:xml:ns:keyrelay-1.0</objURI>
+            </svcs>
+          </login>
+        </command>
+      </epp>
+    XML
+    post '/epp/session/login', { frame: request_xml }, HTTP_COOKIE: "session=#{session.session_id}"
+
+    assert_epp_response :use_error
   end
 
   def test_wrong_credentials