From 3a5779782a111442b8cf6610e02a0f842106cc5d Mon Sep 17 00:00:00 2001
From: Artur Beljajev
Date: Fri, 13 Sep 2019 17:53:32 +0300
Subject: [PATCH] Prohibit authenticated EPP user from logging in again

Fixes #1313
---
 app/controllers/epp/sessions_controller.rb | 14 +++++++++-
 test/integration/epp/login_test.rb | 30 ++++++++++++++++++++--
 2 files changed, 41 insertions(+), 3 deletions(-)

diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index 6c3509786..df706b55d 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -88,12 +88,24 @@ module Epp
 if success
 new_password = params[:parsed_frame].at_css('newPW')&.text
+ password_change = new_password.present?
- if new_password.present?
+ if password_change
 @api_user.plain_text_password = new_password
 @api_user.save!
 end
+ already_authenticated = EppSession.exists?(session_id: epp_session_id)
+
+ if already_authenticated
+ epp_errors << {
+ msg: 'Command use error; Already authenticated',
+ code: 2002,
+ }
+ handle_errors
+ return
+ end
+
 epp_session = EppSession.new
 epp_session.session_id = epp_session_id
 epp_session.user = @api_user
diff --git a/test/integration/epp/login_test.rb b/test/integration/epp/login_test.rb
index 2c69dcf49..c44ac1eee 100644
--- a/test/integration/epp/login_test.rb
+++ b/test/integration/epp/login_test.rb
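Review bot: The `already_authenticated` check runs after the `if password_change` block has already called `@api_user.save!`, so a login frame that carries `newPW` on a session that is already authenticated changes the user's password first and is rejected with 2002 only afterwards. Move the `already_authenticated = EppSession.exists?(session_id: epp_session_id)` assignment together with its `if already_authenticated ... return end` block above `if password_change`, so that a command answered with a command-use error leaves no side effects behind. The enclosing method (the `if success` branch) starts before the hunk, so what `handle_errors` renders cannot be confirmed from here; the explicit `return` after it is what guarantees the session-creation code below is not reached. A short comment above the check would also help readers, e.g. `# A second <login> on an already authenticated session is answered with EPP result 2002 (command use error) and creates no new session`.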
@@ -30,8 +30,34 @@ class EppLoginTest < EppTestCase
 assert_equal users(:api_bestnames), EppSession.find_by(session_id: 'new_session_id').user
 end
- def test_already_logged_in
- assert true # Handled by mod_epp
+ def test_user_cannot_login_again
+ session = epp_sessions(:api_bestnames)
+ user = session.user
+
+ request_xml = <<-XML
+
+
+
+ #{user.username}
+ #{user.plain_text_password}
+
+ 1.0
+ en
+
+
+ https://epp.tld.ee/schema/domain-eis-1.0.xsd
+ https://epp.tld.ee/schema/contact-ee-1.1.xsd
+ urn:ietf:params:xml:ns:host-1.0
+ urn:ietf:params:xml:ns:keyrelay-1.0
+
+
+
+ XML
+ post '/epp/session/login', { frame: request_xml }, HTTP_COOKIE: "session=#{session.session_id}"
+
+ assert_epp_response :use_error
 end
 def test_wrong_credentials
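Review bot: `test_user_cannot_login_again` asserts only the response code, so it would still pass if the controller answered with the use error but also created a second `EppSession` for the same user. Wrapping the request in `assert_no_difference 'EppSession.count' do` / `post '/epp/session/login', { frame: request_xml }, HTTP_COOKIE: "session=#{session.session_id}"` / `end` pins the behaviour the commit is actually after: a rejected login leaves session state untouched. The XML elements of the heredoc are not visible on this page, so whether the frame also sends a `newPW` element (and hence whether a password-unchanged assertion would be meaningful) cannot be judged here. The test method lies entirely within the hunk.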