From 3d73dac378a7dd397a4fad2d48329b92753f51b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Janko=20Marohni=C4=87?=
Date: Tue, 9 Jan 2024 11:44:57 +0100
Subject: [PATCH] Handle deleted account when checking whether MFA is setup
---
 lib/rodauth/features/base.rb | 2 +-
 spec/spec_helper.rb | 3 +--
 spec/two_factor_spec.rb | 26 +++++++++++++++++++++++++-
 3 files changed, 27 insertions(+), 4 deletions(-)
diff --git a/lib/rodauth/features/base.rb b/lib/rodauth/features/base.rb
index b9b61a2a..b944e132 100644
--- a/lib/rodauth/features/base.rb
+++ b/lib/rodauth/features/base.rb
@@ -712,7 +712,7 @@ def password_hash_using_salt(password, salt)
 # note that only the salt is returned.
 def get_password_hash
 if account_password_hash_column
- account![account_password_hash_column]
+ account[account_password_hash_column] if account!
 elsif use_database_authentication_functions?
 db.get(Sequel.function(function_name(:rodauth_get_salt), account ? account_id : session_value))
 else
diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
index 503347b3..358cdc44 100644
--- a/spec/spec_helper.rb
+++ b/spec/spec_helper.rb
@@ -475,8 +475,7 @@ def logout
 else
 BCrypt::Password.create('0123456789', :cost=>BCrypt::Engine::MIN_COST)
 end
- table = ENV['RODAUTH_SEPARATE_SCHEMA'] ? Sequel[:rodauth_test_password][:account_password_hashes] : :account_password_hashes
- DB[table].insert(:id=>DB[:accounts].insert(:email=>'foo@example.com', :status_id=>2, :ph=>hash), :password_hash=>hash)
+ DB[PASSWORD_HASH_TABLE].insert(:id=>DB[:accounts].insert(:email=>'foo@example.com', :status_id=>2, :ph=>hash), :password_hash=>hash)
 super(&block)
 end
 end
diff --git a/spec/two_factor_spec.rb b/spec/two_factor_spec.rb
index af8fd2cf..020fe54e 100644
--- a/spec/two_factor_spec.rb
+++ b/spec/two_factor_spec.rb
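Review bot: The `if account!` guard covers only the `account_password_hash_column` branch of `get_password_hash`; the `elsif use_database_authentication_functions?` branch still passes `account ? account_id : session_value` to `rodauth_get_salt`, and the new spec in two_factor_spec.rb configures `account_password_hash_column :ph`, so whether the database-function path (and the `else` branch) returns nil rather than raising when a request carries a session for a since-deleted account is not pinned down by this change. The new expression also reads `account` after `account!` returns truthy, which is only equivalent to the old `account![...]` if `account!` memoizes the loaded row into `account` — I would expect it does but cannot see it here; `(acct = account!) && acct[account_password_hash_column]` would not depend on that. The method comment should state the new contract, e.g. `# Returns nil if the account no longer exists (deleted while a session for it was still valid).` on the line after `# note that only the salt is returned.`. The `else` branch and the end of `get_password_hash` lie outside the hunk.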
@@ -2,7 +2,7 @@ require 'rotp' -describe 'Rodauth OTP feature' do +describe 'Rodauth two factor feature' do secret_length = (ROTP::Base32.respond_to?(:random_base32) ? ROTP::Base32.random_base32 : ROTP::Base32.random).length def reset_otp_last_use @@ -714,6 +714,30 @@ def reset_otp_last_use page.title.must_equal 'Authenticate Using Additional Factor' end + it "should handle deleted account when checking rodauth.two_factor_authentication_setup?" do + rodauth do + enable :login, :logout, :two_factor_base + account_password_hash_column :ph + end + roda do |r| + r.rodauth + r.get('setup'){rodauth.two_factor_authentication_setup?.inspect} + "" + end + + visit '/setup' + page.body.must_equal 'false' + + login + visit '/setup' + page.body.must_equal 'false' + + DB[PASSWORD_HASH_TABLE].delete + DB[:accounts].delete + visit '/setup' + page.body.must_equal 'false' + end + it "should allow two factor authentication setup, login, removal without recovery" do rodauth do enable :login, :logout, :otp
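Review bot: The three `page.body.must_equal 'false'` assertions in the new "should handle deleted account" spec are identical, so the last one cannot distinguish "account row deleted but session still present" from "never set up"; the value it adds is that the call no longer raises, and that intent is not visible from the assertions alone. A one-line comment above `DB[PASSWORD_HASH_TABLE].delete`, e.g. `# simulate out-of-band deletion: the session is still valid, the account row is gone`, would make the pinned behaviour explicit for the next reader. The rows are removed directly through `DB` rather than via any Rodauth flow, which I take to be deliberate so that the session cookie survives the deletion; if so, the comment should say that too. The `:logout` feature enabled in the `rodauth` block is not exercised by this spec and could be dropped from `enable :login, :logout, :two_factor_base` unless `two_factor_base` requires it.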