Fix Face/Touch recommendation duplicate submission

app/controllers/users/webauthn_platform_recommended_controller.rb

@@ -39,7 +39,7 @@ def dismiss_redirect_path
       if opted_to_add?
         webauthn_setup_path(platform: true)
       elsif in_account_creation_flow?
-        next_setup_path
+        next_setup_path || after_mfa_setup_path
       else
         after_sign_in_path_for(current_user)
       end

app/views/users/webauthn_platform_recommended/new.html.erb

@@ -23,18 +23,19 @@
 
   <div class="grid-row margin-top-5">
     <div class="tablet:grid-col-9">
-      <%= render ButtonComponent.new(
+      <%= render SubmitButtonComponent.new(
             url: webauthn_platform_recommended_url,
             method: :post,
             params: { add_method: true },
-            big: true,
             full_width: true,
             class: 'margin-bottom-2',
           ).with_content(t('webauthn_platform_recommended.cta')) %>
-      <%= render ButtonComponent.new(
+      <%= render SubmitButtonComponent.new(
             url: webauthn_platform_recommended_url,
             method: :post,
             unstyled: true,
+            big: false,
+            wide: false,
           ).with_content(t('webauthn_platform_recommended.skip')) %>
     </div>
   </div>

spec/controllers/users/webauthn_platform_recommended_controller_spec.rb

@@ -2,8 +2,14 @@
 
 RSpec.describe Users::WebauthnPlatformRecommendedController do
   let(:user) { create(:user) }
+  let(:current_sp) { create(:service_provider) }
 
   before do
+    controller.session[:sp] = {
+      issuer: current_sp.issuer,
+      acr_values: Saml::Idp::Constants::IAL1_AUTHN_CONTEXT_CLASSREF,
+      request_url: 'http://example.com',
+    }
     stub_sign_in(user) if user
   end
 
@@ -72,12 +78,25 @@
     context 'user is creating account' do
       before do
         allow(controller).to receive(:in_account_creation_flow?).and_return(true)
-        allow(controller).to receive(:next_setup_path).and_return(sign_up_completed_path)
+        controller.user_session[:mfa_selections] = []
       end
 
-      it 'redirects user to set up next authenticator' do
+      it 'redirects user to consent screen' do
         expect(response).to redirect_to(sign_up_completed_path)
       end
+
+      context 'mfa selections already completed' do
+        # Regression: If duplicate submission occurs (e.g. pressing back button), selections is
+        # already cleared from session, but the user is still in the account creation flow.
+
+        before do
+          controller.user_session[:mfa_selections] = nil
+        end
+
+        it 'redirects user to consent screen' do
+          expect(response).to redirect_to(sign_up_completed_path)
+        end
+      end
     end
 
     context 'user opted to add' do

spec/views/users/webauthn_platform_recommended/new.html.erb_spec.rb

@@ -3,6 +3,11 @@
 RSpec.describe 'users/webauthn_platform_recommended/new.html.erb' do
   subject(:rendered) { render }
 
+  it 'renders separate forms with submission for options to add' do
+    expect(rendered).to have_css('form:has(input[name=add_method]):has([type=submit])')
+    expect(rendered).to have_css('form:not(:has(input[name=add_method])):has([type=submit])')
+  end
+
   it 'renders a help link for phishing-resistant including flow path' do
     @sign_in_flow = :example