diff --git a/app/controllers/concerns/mfa_setup_concern.rb b/app/controllers/concerns/mfa_setup_concern.rb
index e3c1e07ad51..0a70912524e 100644
--- a/app/controllers/concerns/mfa_setup_concern.rb
+++ b/app/controllers/concerns/mfa_setup_concern.rb
@@ -95,7 +95,7 @@ def threatmetrix_attrs
 {
 user_id: current_user.id,
 request_ip: request&.remote_ip,
- threatmetrix_session_id: session[:threatmetrix_session_id],
+ threatmetrix_session_id: user_session[:sign_up_threatmetrix_session_id],
 email: EmailContext.new(current_user).last_sign_in_email_address.email,
 uuid_prefix: current_sp&.app_id,
 }
diff --git a/app/controllers/sign_up/registrations_controller.rb b/app/controllers/sign_up/registrations_controller.rb
index a0dd702f040..2636b54e9b4 100644
--- a/app/controllers/sign_up/registrations_controller.rb
+++ b/app/controllers/sign_up/registrations_controller.rb
@@ -3,20 +3,16 @@ module SignUp
 class RegistrationsController < ApplicationController
 include ApplicationHelper # for ial2_requested?
- include ThreatMetrixHelper
- include ThreatMetrixConcern
 before_action :confirm_two_factor_authenticated, only: [:destroy_confirm]
 before_action :require_no_authentication
 before_action :redirect_if_ial2_and_idv_unavailable
- before_action :override_csp_for_threat_metrix
 CREATE_ACCOUNT = 'create_account'
 def new
 @register_user_email_form = RegisterUserEmailForm.new(analytics:)
 analytics.user_registration_enter_email_visit
- render :new, formats: :html, locals: threatmetrix_variables
 end
 def create
@@ -29,7 +25,7 @@ def create
 if result.success?
 process_successful_creation
 else
- render :new, locals: threatmetrix_variables
+ render :new
 end
 end
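Review bot: `threatmetrix_attrs` now reads `user_session[:sign_up_threatmetrix_session_id]`, a key that is only populated by the memoizing `generate_threatmetrix_session_id` in the 2FA setup controller, so on any path that reaches this concern without that page having rendered the profiling partial, or with the profiling flag off, the attribute is `nil`, and nothing here says the downstream consumer must tolerate that. I would add above the changed line: `# nil unless TwoFactorAuthenticationSetupController rendered the profiling partial (feature-flag gated); the consumer must handle that`. The rename also breaks any remaining reader of `session[:threatmetrix_session_id]` that this diff does not touch, which is worth a grep before merge. The `end` of `threatmetrix_attrs` lies outside the hunk.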
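Review bot: The `formats: :html` pin in `new` is dropped together with the ThreatMetrix locals, although it was not part of the ThreatMetrix wiring; `new` now falls through to Rails' implicit render under whatever format the request negotiates. If the explicit HTML format was there deliberately (for example to keep the unauthenticated sign-up page from varying its response by requested format), keep `render :new, formats: :html` in its place. Removing `override_csp_for_threat_metrix` and the two ThreatMetrix includes from this unauthenticated controller is a welcome reduction of the third-party script and frame allowance on the sign-up page. `new` ends inside the hunk; the class continues outside it.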
@@ -66,20 +62,5 @@ def redirect_if_ial2_and_idv_unavailable
 redirect_to idv_unavailable_path(from: CREATE_ACCOUNT)
 end
 end
-
- def threatmetrix_variables
- return {} unless FeatureManagement.account_creation_device_profiling_collecting_enabled?
- session_id = generate_threatmetrix_session_id
-
- {
- threatmetrix_session_id: session_id,
- threatmetrix_javascript_urls: threatmetrix_javascript_urls(session_id),
- threatmetrix_iframe_url: threatmetrix_iframe_url(session_id),
- }
- end
-
- def generate_threatmetrix_session_id
- session[:threatmetrix_session_id] ||= SecureRandom.uuid
- end
 end
 end
diff --git a/app/controllers/users/two_factor_authentication_setup_controller.rb b/app/controllers/users/two_factor_authentication_setup_controller.rb
index 3bfe5e83455..e60a2057a67 100644
--- a/app/controllers/users/two_factor_authentication_setup_controller.rb
+++ b/app/controllers/users/two_factor_authentication_setup_controller.rb
@@ -6,10 +6,13 @@ class TwoFactorAuthenticationSetupController < ApplicationController
 include MfaSetupConcern
 include AbTestingConcern
 include ApplicationHelper
+ include ThreatMetrixHelper
+ include ThreatMetrixConcern
 before_action :authenticate_user
 before_action :confirm_user_authenticated_for_2fa_setup
 before_action :check_if_possible_piv_user
+ before_action :override_csp_for_threat_metrix
 delegate :enabled_mfa_methods_count, to: :mfa_context
@@ -20,6 +23,7 @@ def index
 enabled_mfa_methods_count:,
 gov_or_mil_email: fed_or_mil_email?,
 )
+ render :index, locals: threatmetrix_variables
 end
 def create
@@ -33,7 +37,7 @@ def create
 else
 flash.now[:error] = result.first_error_message
 @presenter = two_factor_options_presenter
- render :index
+ render :index, locals: threatmetrix_variables
 end
 end
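Review bot: `before_action :override_csp_for_threat_metrix` is registered without `only:` or a condition, so the relaxed CSP (the ThreatMetrix script and frame origins) applies to every action of this authenticated controller even when `FeatureManagement.account_creation_device_profiling_collecting_enabled?` is false and `threatmetrix_variables` returns `{}`, unless the concern's callback checks that same flag itself, which this diff does not show. Scope it to the two actions that render the partial and to the flag: `before_action :override_csp_for_threat_metrix, only: [:index, :create], if: -> { FeatureManagement.account_creation_device_profiling_collecting_enabled? }`. A one-line comment naming the reason would also help the next reader: `# Loosens CSP so shared/threat_metrix_profiling (account-creation device profiling) can load its script and iframe.` The class body continues outside the hunk.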
@@ -87,5 +91,20 @@ def two_factor_options_form_params
 def in_ab_test_bucket?
 ab_test_bucket(:DESKTOP_FT_UNLOCK_SETUP) == (:desktop_ft_unlock_option_shown)
 end
+
+ def threatmetrix_variables
+ return {} unless FeatureManagement.account_creation_device_profiling_collecting_enabled?
+ session_id = generate_threatmetrix_session_id
+
+ {
+ threatmetrix_session_id: session_id,
+ threatmetrix_javascript_urls: threatmetrix_javascript_urls(session_id),
+ threatmetrix_iframe_url: threatmetrix_iframe_url(session_id),
+ }
+ end
+
+ def generate_threatmetrix_session_id
+ user_session[:sign_up_threatmetrix_session_id] ||= SecureRandom.uuid
+ end
 end
 end
diff --git a/app/views/sign_up/registrations/new.html.erb b/app/views/sign_up/registrations/new.html.erb
index 6699b21dac1..2e24d495d62 100644
--- a/app/views/sign_up/registrations/new.html.erb
+++ b/app/views/sign_up/registrations/new.html.erb
@@ -42,15 +42,6 @@
 required: true,
 ) %>
-
- <% if FeatureManagement.account_creation_device_profiling_collecting_enabled? %>
- <%= render partial: 'shared/threat_metrix_profiling',
- locals: {
- threatmetrix_session_id:,
- threatmetrix_javascript_urls:,
- threatmetrix_iframe_url:,
- } %>
- <% end %>
-
 <%= f.submit t('forms.buttons.submit.default'), class: 'display-block margin-y-5' %>
 <% end %>
diff --git a/app/views/users/two_factor_authentication_setup/index.html.erb b/app/views/users/two_factor_authentication_setup/index.html.erb
index 76faa30c308..5ecf97d3cec 100644
--- a/app/views/users/two_factor_authentication_setup/index.html.erb
+++ b/app/views/users/two_factor_authentication_setup/index.html.erb
@@ -51,6 +51,16 @@
 <%= hidden_field_tag :platform_authenticator_available, id: 'platform_authenticator_available' %>
 <% javascript_packs_tag_once('platform-authenticator-available') %>
+
+ <% if FeatureManagement.account_creation_device_profiling_collecting_enabled? %>
+
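Review bot: `generate_threatmetrix_session_id` memoizes a `SecureRandom.uuid` into `user_session[:sign_up_threatmetrix_session_id]` for the life of the user session and `threatmetrix_variables` then embeds that value in the vendor script and iframe URLs, so it doubles as the correlation key later read by `threatmetrix_attrs` in `MfaSetupConcern`; neither method, moved here verbatim from the registrations controller, says so. I would put above `generate_threatmetrix_session_id`: `# Opaque per-user-session id shared with the ThreatMetrix vendor via URL query params and later reported by MfaSetupConcern#threatmetrix_attrs; keep it a fresh random value, never the Rails session id or a user id.` and above `threatmetrix_variables`: `# Empty when account-creation device profiling is off; the view must not reference the locals in that case.` Both methods sit after `in_ab_test_bucket?`, so they are presumably under the same `private` marker, which is outside the hunk; please confirm they are not public actions.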
+ <%= render partial: 'shared/threat_metrix_profiling',
+ locals: {
+ threatmetrix_session_id:,
+ threatmetrix_javascript_urls:,
+ threatmetrix_iframe_url:,
+ } %>
+
+ <% end %>
 <%= f.submit t('forms.buttons.continue'), class: 'margin-bottom-1' %>
 <% end %>
diff --git a/spec/controllers/sign_up/registrations_controller_spec.rb b/spec/controllers/sign_up/registrations_controller_spec.rb
index 63c476aa2b8..ee483e0e8d7 100644
--- a/spec/controllers/sign_up/registrations_controller_spec.rb
+++ b/spec/controllers/sign_up/registrations_controller_spec.rb
@@ -56,36 +56,6 @@
 )
 end
 end
-
- context 'with threatmetrix enabled' do
- let(:tmx_session_id) { '1234' }
-
- before do
- allow(FeatureManagement).to receive(:account_creation_device_profiling_collecting_enabled?)
- .and_return(true)
- allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
- allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
- .and_return(false)
- subject.session[:threatmetrix_session_id] = tmx_session_id
- end
-
- it 'renders new valid request' do
- tmx_url = 'https://h.online-metrix.net/fp'
- expect(subject).to receive(:render).with(
- :new,
- formats: :html,
- locals: { threatmetrix_session_id: tmx_session_id,
- threatmetrix_javascript_urls:
- ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
- threatmetrix_iframe_url:
- "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
- ).and_call_original
-
- get :new
-
- expect(response).to render_template(:new)
- end
- end
 end
 describe '#create' do
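Review bot: The view re-checks `FeatureManagement.account_creation_device_profiling_collecting_enabled?` even though the controller already decides, through `threatmetrix_variables`, whether the three locals exist at all; should the two gates ever disagree, the `threatmetrix_session_id:` shorthand inside the block raises `NameError` at render time. Keying the guard on what the controller actually passed removes that second source of truth: `<% if local_assigns[:threatmetrix_session_id] %>`. The enclosing form (`<%= f.submit` and the closing `<% end %>`) starts outside the hunk.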
@@ -202,34 +172,5 @@
 expect(response).to render_template(:new)
 end
-
- context 'with threatmetrix enabled' do
- let(:tmx_session_id) { '1234' }
-
- before do
- allow(FeatureManagement).to receive(:account_creation_device_profiling_collecting_enabled?)
- .and_return(true)
- allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
- allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
- .and_return(false)
- subject.session[:threatmetrix_session_id] = tmx_session_id
- end
-
- it 'renders new with invalid request' do
- tmx_url = 'https://h.online-metrix.net/fp'
- expect(subject).to receive(:render).with(
- :new,
- locals: { threatmetrix_session_id: tmx_session_id,
- threatmetrix_javascript_urls:
- ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
- threatmetrix_iframe_url:
- "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
- ).and_call_original
-
- post :create, params: params.deep_merge(user: { email: 'invalid@' })
-
- expect(response).to render_template(:new)
- end
- end
 end
 end
diff --git a/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb b/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb
index 0c9c90e3eee..3c378b69ec9 100644
--- a/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb
+++ b/spec/controllers/users/two_factor_authentication_setup_controller_spec.rb
@@ -27,6 +27,33 @@
 expect(assigns(:presenter).desktop_ft_ab_test).to be false
 end
+ context 'with threatmetrix enabled' do
+ let(:tmx_session_id) { '1234' }
+
+ before do
+ allow(FeatureManagement).to receive(:account_creation_device_profiling_collecting_enabled?)
+ .and_return(true)
+ allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
+ allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
+ .and_return(false)
+ controller.user_session[:sign_up_threatmetrix_session_id] = tmx_session_id
+ end
+
+ it 'renders new valid request' do
+ tmx_url = 'https://h.online-metrix.net/fp'
+ expect(controller).to receive(:render).with(
+ :index,
+ locals: { threatmetrix_session_id: tmx_session_id,
+ threatmetrix_javascript_urls:
+ ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
+ threatmetrix_iframe_url:
+ "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
+ ).and_call_original
+
+ expect(response).to render_template(:index)
+ end
+ end
+
 context 'with user having gov or mil email' do
 let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
 let(:user) do
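Review bot: The new example installs a `render` message expectation but never issues a request inside the hunk: there is no `get :index` between `).and_call_original` and `expect(response).to render_template(:index)`, whereas the registrations example it was copied from had one. That only passes if the request is made lazily by something defined above the hunk (a `subject(:response) { get :index }`); with a plain `before { get :index }` the render has already happened when the expectation is set and the example fails, so an explicit `get :index` there makes the example self-contained either way. The description `'renders new valid request'` is stale for an `index` action; `it 'renders index with threatmetrix locals'` says what is checked. The `describe` enclosing these examples starts outside the hunk.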
@@ -198,6 +225,34 @@
 expect(response).to render_template(:index)
 expect(flash[:error]).to eq(t('errors.messages.inclusion'))
 end
+
+ context 'with threatmetrix enabled' do
+ let(:tmx_session_id) { '1234' }
+
+ before do
+ allow(FeatureManagement)
+ .to receive(:account_creation_device_profiling_collecting_enabled?)
+ .and_return(true)
+ allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
+ allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
+ .and_return(false)
+ controller.user_session[:sign_up_threatmetrix_session_id] = tmx_session_id
+ end
+
+ it 'renders new with invalid request' do
+ tmx_url = 'https://h.online-metrix.net/fp'
+ expect(controller).to receive(:render).with(
+ :index,
+ locals: { threatmetrix_session_id: tmx_session_id,
+ threatmetrix_javascript_urls:
+ ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
+ threatmetrix_iframe_url:
+ "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
+ ).and_call_original
+
+ expect(response).to render_template(:index)
+ end
+ end
 end
 context 'with form value indicating platform authenticator support' do
diff --git a/spec/features/account_creation/threat_metrix_spec.rb b/spec/features/account_creation/threat_metrix_spec.rb
index 50a00208e1e..38a53336f4d 100644
--- a/spec/features/account_creation/threat_metrix_spec.rb
+++ b/spec/features/account_creation/threat_metrix_spec.rb
@@ -11,13 +11,13 @@
 click_on t('links.create_account')
 fill_in t('forms.registration.labels.email'), with: Faker::Internet.email
 check t('sign_up.terms', app_name: APP_NAME)
- select 'Reject', from: :mock_profiling_result
 click_button t('forms.buttons.submit.default')
 user = confirm_last_user
 set_password(user)
 fake_analytics = FakeAnalytics.new
 expect_any_instance_of(AccountCreationThreatMetrixJob).to receive(:analytics).with(user)
 .and_return(fake_analytics)
+ select 'Reject', from: :mock_profiling_result
 select_2fa_option('backup_code')
 click_continue
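Review bot: This `create` example never calls `post :create` inside the hunk either, so its `render` expectation is only satisfied if the invalid request is issued by a lazily evaluated subject defined above the hunk; the deleted registrations version made the call explicitly with `post :create, params: params.deep_merge(user: { email: 'invalid@' })`, and doing the same here (with this controller's params) would keep the example from silently depending on that setup. The `before` block is a near-verbatim copy of the one added to the `index` examples; a `shared_context 'with threatmetrix enabled'` holding the three stubs and the `controller.user_session[...]` assignment would leave one place to keep in sync with the helper. The description `'renders new with invalid request'` still names the old action; `'renders index with threatmetrix locals when the form is invalid'` is accurate. The enclosing `context` starts outside the hunk.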