Catch error when recovery code cannot decrypt PII#1000
Conversation
pkarman
force-pushed
the
pek-catch-recovery-code-error
branch
2 times, most recently
from
99b395b to
6222d28
Compare
|
@pkarman I think the plan is to put the "no I don't have my recovery code" link on the reactivation page? |
There was a problem hiding this comment.
Since this class isn't used for styling, maybe we could prefix it with something like spec- so it's clear what it's being used for? We currently do something similar for js- when using classes as javascript selectors. This class could probably also just be added to the p element instead of adding a new span.
There was a problem hiding this comment.
I was a bit reluctant to add to the p because the selection logic seemed to insist on matching all the class attributes, and I was only interested in the one that had semantic meaning.
Happy to prefix with spec- -- though I wonder how @el-mapache is accessing these words in his modal work? Maybe there's a need to be able to pull out words live as well as in tests?
There was a problem hiding this comment.
@pkarman In the modal, I'm passing the code into a js.erb file. If I was using selectors I would probably make a data attribute, data-key-word or something along those lines.
There was a problem hiding this comment.
can/should we make a helper method for this?
Also would you prefer .all(:css, '.recovery-code-word')? (I find CSS selectors much more readable than xpath)
There was a problem hiding this comment.
oh I like :css better -- I'll try that. thanks.
app/forms/reactivate_profile_form.rb
Outdated
There was a problem hiding this comment.
Why not just add the rescue to valid_recovery_code??
There was a problem hiding this comment.
I wanted to keep the rescue as close to where the exception would be thrown as possible, so it was clear to whomever read it 6 mos from now why there's a rescue at all.
The code can be valid and still not be able to decrypt the PII. In fact, that's exactly the use case here. The code supplied is valid as a recovery code, but not as a decryption key.
There was a problem hiding this comment.
Ok, for some reason I thought that RecoveryCodeGenerator#verify actually tried decrypting, but it just compares the recovery code to its hash on the profile. This makes more sense now
pkarman
force-pushed
the
pek-catch-recovery-code-error
branch
from
6222d28 to
ee6830e
Compare
|
now using CSS and data-recovery attribute. PTAL |
**Why**: Generating a new recovery code will render the de-activated profile useless. **How**: Catch the exception thrown when a valid recovery code cannot be used to decrypt the PII, and prevent users from unintentionally creating a new recovery code when they have a de-activated profile.
pkarman
force-pushed
the
pek-catch-recovery-code-error
branch
from
ee6830e to
ebd3ebf
Compare
**Why**: Generating a new recovery code will render the de-activated profile useless. **How**: Catch the exception thrown when a valid recovery code cannot be used to decrypt the PII, and prevent users from unintentionally creating a new recovery code when they have a de-activated profile.
**Why**: Generating a new recovery code will render the de-activated profile useless. **How**: Catch the exception thrown when a valid recovery code cannot be used to decrypt the PII, and prevent users from unintentionally creating a new recovery code when they have a de-activated profile.
4 participants
Why: Generating a new recovery code will render the de-activated
profile useless.
How: Catch the exception thrown when a valid recovery
code cannot be used to decrypt the PII, and prevent users from
unintentionally creating a new recovery code when they have a
de-activated profile.
TODO: Some messaging needed to allow the user to definitively say "No, I don't have my recovery code and I'm sorry but I'll need to re-verify my account."