fix(Authentication): Local Dev fixed_otp (#5710)

igbanam · web-flow · commit a11cfde045d9 · 2025-10-22T10:19:09.000+01:00
**Story card:** [sc-16869](https://app.shortcut.com/simpledotorg/story/16869/ensure-fixed-otp-works-locally) ## Because `:fixed_otp` is used in generating the OTP but disregarded during authentication ## This addresses - Ensuring the flag is respected during authentication - Ensuring this only works in non-prod environments. ## Test instructions - suite tests - for manual testing, see `prepare_security_environment`
diff --git a/app/models/phone_number_authentication/authenticate.rb b/app/models/phone_number_authentication/authenticate.rb
@@ -52,10 +52,10 @@ def verify_auth
           authentication.unlock
           verify_auth
         end
-      elsif authentication.otp != otp
+      elsif !otp_valid?
         track_failed_attempt
         failure("login.error_messages.invalid_otp")
-      elsif !authentication.otp_valid?
+      elsif !otp_not_expired?
         track_failed_attempt
         failure("login.error_messages.expired_otp")
       elsif !authentication.authenticate(password)
@@ -66,6 +66,20 @@ def verify_auth
       end
     end
 
+    def otp_valid?
+      return true if using_fixed_otp?
+      authentication.otp == otp
+    end
+
+    def otp_not_expired?
+      return true if using_fixed_otp?
+      authentication.otp_valid?
+    end
+
+    def using_fixed_otp?
+      !Rails.env.production? && Flipper.enabled?(:fixed_otp) && otp == "000000"
+    end
+
     def failure(message_key, opts = {})
       error_string = I18n.t(message_key, opts)
       Result.new(authentication, false, error_string)
diff --git a/spec/models/phone_number_authentication/authenticate_spec.rb b/spec/models/phone_number_authentication/authenticate_spec.rb
@@ -29,6 +29,81 @@
       expect(user.phone_number_authentication.otp_expires_at).to eq(Time.at(0))
       expect(user.otp_valid?).to be false
     end
+
+    context "with fixed_otp feature flag enabled" do
+      before { Flipper.enable(:fixed_otp) }
+      after { Flipper.disable(:fixed_otp) }
+
+      it "returns success when logging in with 000000" do
+        user = FactoryBot.create(:user, password: "5489")
+        result = PhoneNumberAuthentication::Authenticate.call(otp: "000000",
+          password: "5489",
+          phone_number: user.phone_number)
+        expect(result).to be_success
+        expect(result.error_message).to be_nil
+      end
+
+      it "returns success with 000000 even when user has different OTP in database" do
+        user = FactoryBot.create(:user, password: "5489")
+        # Simulate a user already created locally with some random OTP
+        user.phone_number_authentication.update!(otp: "123456", otp_expires_at: 1.hour.from_now)
+
+        result = PhoneNumberAuthentication::Authenticate.call(otp: "000000",
+          password: "5489",
+          phone_number: user.phone_number)
+        expect(result).to be_success
+        expect(result.error_message).to be_nil
+      end
+
+      it "returns success with 000000 even when stored OTP is expired" do
+        user = FactoryBot.create(:user, password: "5489")
+        # Simulate an expired OTP in the database
+        user.phone_number_authentication.update!(otp: "123456", otp_expires_at: 1.hour.ago)
+        expect(user.otp_valid?).to be false
+
+        result = PhoneNumberAuthentication::Authenticate.call(otp: "000000",
+          password: "5489",
+          phone_number: user.phone_number)
+        expect(result).to be_success
+        expect(result.error_message).to be_nil
+      end
+
+      it "generates access token when using 000000" do
+        user = FactoryBot.create(:user, password: "5489")
+        user.phone_number_authentication.update!(otp: "987654", otp_expires_at: 1.hour.from_now)
+
+        expect {
+          PhoneNumberAuthentication::Authenticate.call(otp: "000000",
+            password: "5489",
+            phone_number: user.phone_number)
+        }.to change { user.phone_number_authentication.reload.access_token }
+      end
+
+      it "invalidates OTP after successful login with 000000" do
+        user = FactoryBot.create(:user, password: "5489")
+        user.phone_number_authentication.update!(otp: "456789", otp_expires_at: 1.hour.from_now)
+
+        expect(user.otp_valid?).to be true
+        PhoneNumberAuthentication::Authenticate.call(otp: "000000",
+          password: "5489",
+          phone_number: user.phone_number)
+        expect(user.phone_number_authentication.reload.otp_expires_at).to eq(Time.at(0))
+        expect(user.otp_valid?).to be false
+      end
+
+      it "does NOT work in non-development environments" do
+        user = FactoryBot.create(:user, password: "5489")
+        user.phone_number_authentication.update!(otp: "123456", otp_expires_at: 1.hour.from_now)
+
+        allow(Rails).to receive(:env).and_return(ActiveSupport::StringInquirer.new("production"))
+
+        result = PhoneNumberAuthentication::Authenticate.call(otp: "000000",
+          password: "5489",
+          phone_number: user.phone_number)
+        expect(result).to_not be_success
+        expect(result.error_message).to eq("Your OTP does not match. Try again?")
+      end
+    end
   end
 
   context "fails when" do
