LG-12294: Send single aggregated email notification for new device sign-in#10370
LG-12294: Send single aggregated email notification for new device sign-in#10370
Conversation
…gn-in changelog: Upcoming Features, Sign In, Send single aggregated email notification for new device sign-in
Avoid race conditions between Time.zone.now occurring after the creation of the event and therefore later querying would not include the event
Avoid unoptimized query error, since email template events table groups by device location
Causes lots of unrelated spec failures
Shouldn't happen in the real-world, but not all tests correctly stub the session value
aduth
force-pushed
the
aduth-lg-12294-aggregated-sign-in-email
branch
from
54b62f4 to
b9ff0a8
Compare
| create_out_of_band_user_event_with_disavowal(:sign_in_notification_timeframe_expired) | ||
|
|
||
| true | ||
| UserAlerts::AlertUserAboutNewDevice.send_alert(user:, disavowal_event:, disavowal_token:) |
There was a problem hiding this comment.
I see this method returns true and satisfies the emails_sent increment 👍
| event.user.sign_in_new_device_at ||= event.created_at | ||
| event.user.save |
There was a problem hiding this comment.
is the workflow different here than in
https://github.com/18F/identity-idp/pull/10370/files#diff-e3f99660c095fef2341988d158c40d0a47ab706abf98070b32cb4a7ce4b02b71R19-R21
There was a problem hiding this comment.
Yeah, the other code path accounts for a user signing in using their PIV ("Sign in with your government employee ID" on the Sign In page). In that flow, they never submit their email and password, so we don't get that sign_in_new_device_at assigned.
Avoid "failed to authenticate 0 times"
|
I did a final round of testing here before merge, and pushed a minor content change and additional test case. Specifically, I tested an edge case where someone submits their username and password, is delayed in finishing the MFA step long enough to trigger the email notification, but eventually finishes MFA. This works as expected insofar as it sends two emails, one for the initial delay, and another for the final authentication. This benefits from the same alternative codepath discussed in #10370 (comment) . 0aa2d49 adds feature test coverage for this scenario. 6259d16 improves content to avoid a weird "failed to authenticate 0 times" if the user never MFAs. I also noticed a period was missing, fixed in 27e8f72.
|
2 participants
🎫 Ticket
LG-12294
🛠 Summary of changes
Implements the dispatching of a new aggregated email notification for sign-in, which happens 5 minutes after successful email and password submission, or immediately upon successful MFA, whichever occurs first.
This builds upon ("wires up") previous work in #10314 (email template) and #10317 (worker for delayed notification).
📜 Testing Plan
Verify that you are sent an email immediately upon full authentication:
'::1'as the IP address in local developmentVerify that you are sent an email after delay upon partial authentication:
new_device_alert_delay_in_minutes: 1inconfig/application.yml(changes notification to send after 1 minute instead of after 5 minutes)cron_5minjob_configurations.rbto'0/1 * * * *'(changes jobs to run every 1 minute instead of every 5 minutes)'::1'as the IP address in local development👀 Screenshots