LG-16185 Turn on ft unlock upsell sms

app/controllers/two_factor_authentication/otp_verification_controller.rb

@@ -45,6 +45,8 @@ def create
 
         if UserSessionContext.confirmation_context?(context)
           handle_valid_confirmation_otp
+        elsif confirm_eligible_for_platform_upsell?
+          redirect_to webauthn_platform_recommended_path
         else
           redirect_to after_sign_in_path_for(current_user)
         end
@@ -99,6 +101,14 @@ def track_mfa_added
       Funnel::Registration::AddMfa.call(current_user.id, 'phone', analytics, threatmetrix_attrs)
     end
 
+    def confirm_eligible_for_platform_upsell?
+      user_session[:platform_authenticator_available] &&
+        !current_user.webauthn_platform_recommended_dismissed_at? &&
+        phone_configuration.delivery_preference == 'sms' &&
+        mobile? &&
+        current_user.webauthn_configurations.where(platform_authenticator: [false, nil])
+    end
+
     def confirm_multiple_factors_enabled
       return if UserSessionContext.confirmation_context?(context)
       phone_enabled = phone_enabled?

spec/controllers/two_factor_authentication/otp_verification_controller_spec.rb

@@ -338,6 +338,36 @@
           )
         end
       end
+
+      context 'when recommending if user is eligible for webauthn platform setup' do
+        context 'when user is recommended for webauthn platform setup' do
+          it 'redirects to the webauthn platform recommendation' do
+            allow(subject).to receive(:mobile?).and_return(true)
+            subject.current_user.update(webauthn_platform_recommended_dismissed_at: nil)
+            controller.user_session[:platform_authenticator_available] = true
+            post :create, params: {
+              code: subject.current_user.reload.direct_otp,
+              otp_delivery_preference: 'sms',
+            }
+
+            expect(response).to redirect_to webauthn_platform_recommended_path
+          end
+        end
+
+        context 'when a user is not recommended for webauthn platform setup' do
+          it 'redirects to the user account' do
+            allow(subject).to receive(:mobile?).and_return(false)
+            subject.current_user.update(webauthn_platform_recommended_dismissed_at: Time.zone.now)
+            controller.user_session[:platform_authenticator_available] = true
+            post :create, params: {
+              code: subject.current_user.reload.direct_otp,
+              otp_delivery_preference: 'sms',
+            }
+
+            expect(response).to redirect_to account_path
+          end
+        end
+      end
     end
 
     context 'when the user enters a valid OTP' do

spec/features/openid_connect/openid_connect_spec.rb

@@ -549,6 +549,7 @@
       user: user,
       scope: 'openid email profile:verified_at',
       handoff_page_steps: proc do
+        click_button t('webauthn_platform_recommended.skip')
         expect(page).to have_content(t('help_text.requested_attributes.verified_at'))
 
         click_agree_and_continue
@@ -571,6 +572,7 @@
     token_response = sign_in_get_token_response(
       scope: 'openid email profile:verified_at',
       handoff_page_steps: proc do
+        click_button t('webauthn_platform_recommended.skip')
         expect(page).not_to have_content(t('help_text.requested_attributes.verified_at'))
 
         click_agree_and_continue
@@ -716,6 +718,7 @@
       user: user,
       client_id: client_id,
       handoff_page_steps: proc do
+        click_button t('webauthn_platform_recommended.skip')
         expect(page).to have_content(t('titles.sign_up.completion_consent_expired_ial1'))
         expect(page).to_not have_content(t('titles.sign_up.completion_new_sp'))
 
@@ -739,6 +742,7 @@
       user: user,
       client_id: client_id,
       handoff_page_steps: proc do
+        click_button t('webauthn_platform_recommended.skip')
         expect(page).to have_content(t('titles.sign_up.completion_new_sp'))
         expect(page).to_not have_content(t('titles.sign_up.completion_consent_expired_ial1'))
 
@@ -775,6 +779,8 @@
       _user = sign_in_live_with_2fa(user)
       expect(page.html).to_not include(code_challenge)
 
+      click_button t('webauthn_platform_recommended.skip')
+
       redirect_uri = URI(oidc_redirect_url)
       redirect_params = Rack::Utils.parse_query(redirect_uri.query).with_indifferent_access
 
@@ -799,6 +805,7 @@
     it 'returns the most recent nonce when there are multiple authorize calls' do
       client_id = 'urn:gov:gsa:openidconnect:test'
       user = user_with_2fa
+
       link_identity(user, build(:service_provider, issuer: client_id))
       user.identities.last.update!(verified_attributes: ['email'])
 
@@ -841,6 +848,8 @@
       sign_in_live_with_2fa(user)
       continue_as(user.email)
 
+      click_button t('webauthn_platform_recommended.skip')
+
       redirect_uri2 = URI(oidc_redirect_url)
       expect(redirect_uri2.to_s).to start_with('gov.gsa.openidconnect.test://result')
 
@@ -1163,7 +1172,6 @@ def sign_in_get_token_response(
 
     link_identity(user, build(:service_provider, issuer: client_id))
     user.identities.last.update!(verified_attributes: ['email'])
-
     visit openid_connect_authorize_path(
       client_id: client_id,
       response_type: 'code',