From aa3f4f373a7bea209793c1b6b5a3fb5ed6e18297 Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Fri, 6 Dec 2024 12:43:09 -0500
Subject: [PATCH 1/2] Fall back to after_mfa_setup_path for nil next_setup_path
changelog: Bug Fixes, Face/Touch Recommendation, Fix edge case for duplicate submission in recommendation
---
 ...ebauthn_platform_recommended_controller.rb | 2 +-
 ...hn_platform_recommended_controller_spec.rb | 23 +++++++++++++++++--
 2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/app/controllers/users/webauthn_platform_recommended_controller.rb b/app/controllers/users/webauthn_platform_recommended_controller.rb
index 7c8395dfdcc..aa18b9b6eeb 100644
--- a/app/controllers/users/webauthn_platform_recommended_controller.rb
+++ b/app/controllers/users/webauthn_platform_recommended_controller.rb
@@ -39,7 +39,7 @@ def dismiss_redirect_path
 if opted_to_add?
 webauthn_setup_path(platform: true)
 elsif in_account_creation_flow?
- next_setup_path
+ next_setup_path || after_mfa_setup_path
 else
 after_sign_in_path_for(current_user)
 end
diff --git a/spec/controllers/users/webauthn_platform_recommended_controller_spec.rb b/spec/controllers/users/webauthn_platform_recommended_controller_spec.rb
index 853b2b9fe18..13d2c027caf 100644
--- a/spec/controllers/users/webauthn_platform_recommended_controller_spec.rb
+++ b/spec/controllers/users/webauthn_platform_recommended_controller_spec.rb
@@ -2,8 +2,14 @@
 RSpec.describe Users::WebauthnPlatformRecommendedController do
 let(:user) { create(:user) }
+ let(:current_sp) { create(:service_provider) }
 before do
+ controller.session[:sp] = {
+ issuer: current_sp.issuer,
+ acr_values: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
+ request_url: 'http://example.com',
+ }
 stub_sign_in(user) if user
 end
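Review bot: The new fallback on the `elsif in_account_creation_flow?` branch carries no comment saying when `next_setup_path` is nil, so the next reader of `dismiss_redirect_path` cannot tell why `after_mfa_setup_path` is the right destination; the reason is only recorded in the spec's regression comment (selections already cleared from the session by a duplicate submission while the user is still in the account creation flow) and belongs next to the code too. Suggest a why-comment above the changed line: `# next_setup_path is nil once mfa_selections has been cleared (e.g. a duplicate submission); fall back to the post-MFA-setup destination`. The `def dismiss_redirect_path` line is hunk-header context, so the method begins outside the hunk.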
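Review bot: The added `controller.session[:sp]` assignment sits in the file's top-level `before` block, so every example in the spec now runs with a service-provider session, not only the account-creation cases this fix targets, and nothing says why. Presumably the SP session is what makes the fallback path resolve to `sign_up_completed_path` in the new examples, but that is an inference from the commit, not from these lines. If the SP session is only needed by the account-creation context, moving the assignment into that context's `before` keeps the other examples on their previous setup; otherwise a one-line comment such as `# SP session so the post-MFA-setup fallback resolves to the consent screen` would record the intent.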
@@ -72,12 +78,25 @@
 context 'user is creating account' do
 before do
 allow(controller).to receive(:in_account_creation_flow?).and_return(true)
- allow(controller).to receive(:next_setup_path).and_return(sign_up_completed_path)
+ controller.user_session[:mfa_selections] = []
 end
- it 'redirects user to set up next authenticator' do
+ it 'redirects user to consent screen' do
 expect(response).to redirect_to(sign_up_completed_path)
 end
+
+ context 'mfa selections already completed' do
+ # Regression: If duplicate submission occurs (e.g. pressing back button), selections is
+ # already cleared from session, but the user is still in the account creation flow.
+
+ before do
+ controller.user_session[:mfa_selections] = nil
+ end
+
+ it 'redirects user to consent screen' do
+ expect(response).to redirect_to(sign_up_completed_path)
+ end
+ end
 end
 context 'user opted to add' do
From 7c9aa5cc5e6d803bfa241e6619abfbac2e3e5952 Mon Sep 17 00:00:00 2001
From: Andrew Duthie
Date: Fri, 6 Dec 2024 12:50:15 -0500
Subject: [PATCH 2/2] Use SubmitButtonComponent for Face/Touch recommendation
---
 app/views/users/webauthn_platform_recommended/new.html.erb | 7 ++++---
 .../webauthn_platform_recommended/new.html.erb_spec.rb | 5 +++++
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/app/views/users/webauthn_platform_recommended/new.html.erb b/app/views/users/webauthn_platform_recommended/new.html.erb
index a0e357ff886..534df7a338e 100644
--- a/app/views/users/webauthn_platform_recommended/new.html.erb
+++ b/app/views/users/webauthn_platform_recommended/new.html.erb
@@ -23,18 +23,19 @@
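Review bot: The inner example added under `context 'mfa selections already completed'` reuses the outer example's description `'redirects user to consent screen'` verbatim, so a failure report distinguishes the two only by the surrounding context name, and the regression the comment describes is not visible in the example's own wording. Suggest naming it for the behaviour it pins, e.g. `it 'falls back to the consent screen when selections were already cleared' do`. The outer `context 'user is creating account' do` is the first line of the hunk, so its opening `before` is fully visible, but the enclosing describe block starts outside it.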
- <%= render ButtonComponent.new(
+ <%= render SubmitButtonComponent.new(
 url: webauthn_platform_recommended_url,
 method: :post,
 params: { add_method: true },
- big: true,
 full_width: true,
 class: 'margin-bottom-2',
 ).with_content(t('webauthn_platform_recommended.cta')) %>
- <%= render ButtonComponent.new(
+ <%= render SubmitButtonComponent.new(
 url: webauthn_platform_recommended_url,
 method: :post,
 unstyled: true,
+ big: false,
+ wide: false,
 ).with_content(t('webauthn_platform_recommended.skip')) %>
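Review bot: Nothing in the template says why the skip button must opt out with `big: false, wide: false` while the CTA drops `big: true` yet keeps `full_width: true`, so a reader cannot tell whether `wide` and `full_width` are two different options or the same one spelled twice. The asymmetry suggests `SubmitButtonComponent` renders big and wide by default and only the skip link opts out, but that is inferred from the arguments, not visible here; if `full_width` and `wide` alias each other, the CTA's `full_width: true` is now redundant and should go, and if they differ, a short `<%# skip link: opt out of the submit button's default sizing %>` above the second render would spare the next reader the same question. The hunk's surrounding markup lines are not visible, so the enclosing element starts and ends outside it.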
diff --git a/spec/views/users/webauthn_platform_recommended/new.html.erb_spec.rb b/spec/views/users/webauthn_platform_recommended/new.html.erb_spec.rb
index 951ef168c63..fb217054a22 100644
--- a/spec/views/users/webauthn_platform_recommended/new.html.erb_spec.rb
+++ b/spec/views/users/webauthn_platform_recommended/new.html.erb_spec.rb
@@ -3,6 +3,11 @@
 RSpec.describe 'users/webauthn_platform_recommended/new.html.erb' do
 subject(:rendered) { render }
+ it 'renders separate forms with submission for options to add' do
+ expect(rendered).to have_css('form:has(input[name=add_method]):has([type=submit])')
+ expect(rendered).to have_css('form:not(:has(input[name=add_method])):has([type=submit])')
+ end
+
 it 'renders a help link for phishing-resistant including flow path' do
 @sign_in_flow = :example