LG-15203: move threatmetrix call to mfa selection

app/controllers/concerns/mfa_setup_concern.rb

@@ -95,7 +95,7 @@ def threatmetrix_attrs
     {
       user_id: current_user.id,
       request_ip: request&.remote_ip,
-      threatmetrix_session_id: session[:threatmetrix_session_id],
+      threatmetrix_session_id: user_session[:sign_up_threatmetrix_session_id],
       email: EmailContext.new(current_user).last_sign_in_email_address.email,
       uuid_prefix: current_sp&.app_id,
     }

app/controllers/sign_up/registrations_controller.rb

@@ -3,20 +3,16 @@
 module SignUp
   class RegistrationsController < ApplicationController
     include ApplicationHelper # for ial2_requested?
-    include ThreatMetrixHelper
-    include ThreatMetrixConcern
 
     before_action :confirm_two_factor_authenticated, only: [:destroy_confirm]
     before_action :require_no_authentication
     before_action :redirect_if_ial2_and_idv_unavailable
-    before_action :override_csp_for_threat_metrix
 
     CREATE_ACCOUNT = 'create_account'
 
     def new
       @register_user_email_form = RegisterUserEmailForm.new(analytics:)
       analytics.user_registration_enter_email_visit
-      render :new, formats: :html, locals: threatmetrix_variables
     end
 
     def create
@@ -29,7 +25,7 @@ def create
       if result.success?
         process_successful_creation
       else
-        render :new, locals: threatmetrix_variables
+        render :new
       end
     end
 
@@ -66,20 +62,5 @@ def redirect_if_ial2_and_idv_unavailable
         redirect_to idv_unavailable_path(from: CREATE_ACCOUNT)
       end
     end
-
-    def threatmetrix_variables
-      return {} unless FeatureManagement.account_creation_device_profiling_collecting_enabled?
-      session_id = generate_threatmetrix_session_id
-
-      {
-        threatmetrix_session_id: session_id,
-        threatmetrix_javascript_urls: threatmetrix_javascript_urls(session_id),
-        threatmetrix_iframe_url: threatmetrix_iframe_url(session_id),
-      }
-    end
-
-    def generate_threatmetrix_session_id
-      session[:threatmetrix_session_id] ||= SecureRandom.uuid
-    end
   end
 end

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -6,10 +6,13 @@ class TwoFactorAuthenticationSetupController < ApplicationController
     include MfaSetupConcern
     include AbTestingConcern
     include ApplicationHelper
+    include ThreatMetrixHelper
+    include ThreatMetrixConcern
 
     before_action :authenticate_user
     before_action :confirm_user_authenticated_for_2fa_setup
     before_action :check_if_possible_piv_user
+    before_action :override_csp_for_threat_metrix
 
     delegate :enabled_mfa_methods_count, to: :mfa_context
 
@@ -20,6 +23,7 @@ def index
         enabled_mfa_methods_count:,
         gov_or_mil_email: fed_or_mil_email?,
       )
+      render :index, locals: threatmetrix_variables
     end
 
     def create
@@ -33,7 +37,7 @@ def create
       else
         flash.now[:error] = result.first_error_message
         @presenter = two_factor_options_presenter
-        render :index
+        render :index, locals: threatmetrix_variables
       end
     end
 
@@ -87,5 +91,20 @@ def two_factor_options_form_params
     def in_ab_test_bucket?
       ab_test_bucket(:DESKTOP_FT_UNLOCK_SETUP) == (:desktop_ft_unlock_option_shown)
     end
+
+    def threatmetrix_variables
+      return {} unless FeatureManagement.account_creation_device_profiling_collecting_enabled?
+      session_id = generate_threatmetrix_session_id
+
+      {
+        threatmetrix_session_id: session_id,
+        threatmetrix_javascript_urls: threatmetrix_javascript_urls(session_id),
+        threatmetrix_iframe_url: threatmetrix_iframe_url(session_id),
+      }
+    end
+
+    def generate_threatmetrix_session_id
+      user_session[:sign_up_threatmetrix_session_id] ||= SecureRandom.uuid
+    end
   end
 end

app/views/sign_up/registrations/new.html.erb

@@ -42,15 +42,6 @@
         required: true,
       ) %>
 
-  <% if FeatureManagement.account_creation_device_profiling_collecting_enabled? %>
-    <%= render partial: 'shared/threat_metrix_profiling',
-               locals: {
-                 threatmetrix_session_id:,
-                 threatmetrix_javascript_urls:,
-                 threatmetrix_iframe_url:,
-               } %>
-  <% end %>
-
   <%= f.submit t('forms.buttons.submit.default'), class: 'display-block margin-y-5' %>
 <% end %>
 

app/views/users/two_factor_authentication_setup/index.html.erb

@@ -51,6 +51,16 @@
 
   <%= hidden_field_tag :platform_authenticator_available, id: 'platform_authenticator_available' %>
   <% javascript_packs_tag_once('platform-authenticator-available') %>
+  <% if FeatureManagement.account_creation_device_profiling_collecting_enabled? %>
+    <div class="margin-bottom-2">
+      <%= render partial: 'shared/threat_metrix_profiling',
+                 locals: {
+                   threatmetrix_session_id:,
+                   threatmetrix_javascript_urls:,
+                   threatmetrix_iframe_url:,
+                 } %>
+    </div>
+  <% end %>
 
   <%= f.submit t('forms.buttons.continue'), class: 'margin-bottom-1' %>
 <% end %>

spec/controllers/sign_up/registrations_controller_spec.rb

@@ -56,36 +56,6 @@
         )
       end
     end
-
-    context 'with threatmetrix enabled' do
-      let(:tmx_session_id) { '1234' }
-
-      before do
-        allow(FeatureManagement).to receive(:account_creation_device_profiling_collecting_enabled?)
-          .and_return(true)
-        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
-        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
-          .and_return(false)
-        subject.session[:threatmetrix_session_id] = tmx_session_id
-      end
-
-      it 'renders new valid request' do
-        tmx_url = 'https://h.online-metrix.net/fp'
-        expect(subject).to receive(:render).with(
-          :new,
-          formats: :html,
-          locals: { threatmetrix_session_id: tmx_session_id,
-                    threatmetrix_javascript_urls:
-                      ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
-                    threatmetrix_iframe_url:
-                      "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
-        ).and_call_original
-
-        get :new
-
-        expect(response).to render_template(:new)
-      end
-    end
   end
 
   describe '#create' do
@@ -202,34 +172,5 @@
 
       expect(response).to render_template(:new)
     end
-
-    context 'with threatmetrix enabled' do
-      let(:tmx_session_id) { '1234' }
-
-      before do
-        allow(FeatureManagement).to receive(:account_creation_device_profiling_collecting_enabled?)
-          .and_return(true)
-        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
-        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
-          .and_return(false)
-        subject.session[:threatmetrix_session_id] = tmx_session_id
-      end
-
-      it 'renders new with invalid request' do
-        tmx_url = 'https://h.online-metrix.net/fp'
-        expect(subject).to receive(:render).with(
-          :new,
-          locals: { threatmetrix_session_id: tmx_session_id,
-                    threatmetrix_javascript_urls:
-                      ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
-                    threatmetrix_iframe_url:
-                      "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
-        ).and_call_original
-
-        post :create, params: params.deep_merge(user: { email: 'invalid@' })
-
-        expect(response).to render_template(:new)
-      end
-    end
   end
 end

spec/controllers/users/two_factor_authentication_setup_controller_spec.rb

@@ -27,6 +27,33 @@
       expect(assigns(:presenter).desktop_ft_ab_test).to be false
     end
 
+    context 'with threatmetrix enabled' do
+      let(:tmx_session_id) { '1234' }
+
+      before do
+        allow(FeatureManagement).to receive(:account_creation_device_profiling_collecting_enabled?)
+          .and_return(true)
+        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
+        allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
+          .and_return(false)
+        controller.user_session[:sign_up_threatmetrix_session_id] = tmx_session_id
+      end
+
+      it 'renders new valid request' do
+        tmx_url = 'https://h.online-metrix.net/fp'
+        expect(controller).to receive(:render).with(
+          :index,
+          locals: { threatmetrix_session_id: tmx_session_id,
+                    threatmetrix_javascript_urls:
+                      ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
+                    threatmetrix_iframe_url:
+                      "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
+        ).and_call_original
+
+        expect(response).to render_template(:index)
+      end
+    end
+
     context 'with user having gov or mil email' do
       let!(:federal_domain) { create(:federal_email_domain, name: 'gsa.gov') }
       let(:user) do
@@ -198,6 +225,34 @@
         expect(response).to render_template(:index)
         expect(flash[:error]).to eq(t('errors.messages.inclusion'))
       end
+
+      context 'with threatmetrix enabled' do
+        let(:tmx_session_id) { '1234' }
+
+        before do
+          allow(FeatureManagement)
+            .to receive(:account_creation_device_profiling_collecting_enabled?)
+            .and_return(true)
+          allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_org_id).and_return('org1')
+          allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_mock_enabled)
+            .and_return(false)
+          controller.user_session[:sign_up_threatmetrix_session_id] = tmx_session_id
+        end
+
+        it 'renders new with invalid request' do
+          tmx_url = 'https://h.online-metrix.net/fp'
+          expect(controller).to receive(:render).with(
+            :index,
+            locals: { threatmetrix_session_id: tmx_session_id,
+                      threatmetrix_javascript_urls:
+                        ["#{tmx_url}/tags.js?org_id=org1&session_id=#{tmx_session_id}"],
+                      threatmetrix_iframe_url:
+                        "#{tmx_url}/tags?org_id=org1&session_id=#{tmx_session_id}" },
+          ).and_call_original
+
+          expect(response).to render_template(:index)
+        end
+      end
     end
 
     context 'with form value indicating platform authenticator support' do

spec/features/account_creation/threat_metrix_spec.rb

@@ -11,13 +11,13 @@
     click_on t('links.create_account')
     fill_in t('forms.registration.labels.email'), with: Faker::Internet.email
     check t('sign_up.terms', app_name: APP_NAME)
-    select 'Reject', from: :mock_profiling_result
     click_button t('forms.buttons.submit.default')
     user = confirm_last_user
     set_password(user)
     fake_analytics = FakeAnalytics.new
     expect_any_instance_of(AccountCreationThreatMetrixJob).to receive(:analytics).with(user)
       .and_return(fake_analytics)
+    select 'Reject', from: :mock_profiling_result
     select_2fa_option('backup_code')
     click_continue