18F · el-mapache · Jun 14, 2017 · Jun 5, 2017
diff --git a/app/assets/images/alert/notice.svg b/app/assets/images/alert/notice.svg
diff --git a/app/assets/stylesheets/components/_alert.scss b/app/assets/stylesheets/components/_alert.scss
@@ -2,7 +2,7 @@ $ico-size: 1rem;
 $ico-offset: 1rem;
 
 .alert {
-  background-color: $blue-light;
+  background-color: $blue-lighter;
   border-radius: $space-1;
   color: #5b616a;
   font-size: 1rem;
@@ -51,3 +51,8 @@ $ico-offset: 1rem;
 
   &::before { background-image: url(image-path('alert/warning.svg')); }
 }
+
+.alert-notice {
+  padding-left: $space-4;
+  &::before { background-image: url(image-path('alert/notice.svg')); }
+}
diff --git a/app/assets/stylesheets/components/_personal-key.scss b/app/assets/stylesheets/components/_personal-key.scss
@@ -1,3 +1,14 @@
+.key-badge::before {
+  background-image: url(image-path('p-key.svg'));
+  background-repeat: no-repeat;
+  content: '';
+  height: 60px;
+  left: 45%;
+  position: absolute;
+  top: -25px;
+  width: 60px;
+}
+
 .separator-text > div {
   &::after {
     color: $silver;

diff --git a/app/assets/stylesheets/variables/_colors.scss b/app/assets/stylesheets/variables/_colors.scss
@@ -1,6 +1,7 @@
 $aqua: #7fdbff !default;
 $blue: #0071bb !default;
 $blue-light: #ebf3fa !default;
+$blue-lighter: #ecfcff !default;
 $blue-lightest: #f2f9ff !default;
 $navy: #112e51 !default;
 $teal: #00bfe7 !default;

diff --git a/app/controllers/concerns/account_recovery_concern.rb b/app/controllers/concerns/account_recovery_concern.rb
@@ -0,0 +1,8 @@
+module AccountRecoveryConcern
+  extend ActiveSupport::Concern
+
+  def confirm_password_reset_profile
+    return if current_user.decorate.password_reset_profile
+    redirect_to root_url
+  end
+end
diff --git a/app/controllers/concerns/two_factor_authenticatable.rb b/app/controllers/concerns/two_factor_authenticatable.rb
@@ -190,7 +190,7 @@ def after_otp_action_path
     elsif @updating_existing_number
       account_path
     elsif decorated_user.password_reset_profile.present?
-      manage_reactivate_account_path
+      reactivate_account_path
     else
       account_path
     end

diff --git a/app/controllers/reactivate_account_controller.rb b/app/controllers/reactivate_account_controller.rb
@@ -1,4 +1,6 @@
 class ReactivateAccountController < ApplicationController
+  include AccountRecoveryConcern
+
   before_action :confirm_two_factor_authenticated
   before_action :confirm_password_reset_profile
 
@@ -10,11 +12,4 @@ def update
     user_session.delete(:acknowledge_personal_key)
     redirect_to verify_url
   end
-
-  protected
-
-  def confirm_password_reset_profile
-    return if current_user.decorate.password_reset_profile
-    redirect_to root_url
-  end
 end
diff --git a/app/controllers/users/reactivate_account_controller.rb b/app/controllers/users/reactivate_account_controller.rb
diff --git a/app/controllers/users/verify_password_controller.rb b/app/controllers/users/verify_password_controller.rb
@@ -0,0 +1,48 @@
+module Users
+  class VerifyPasswordController < ApplicationController
+    include AccountRecoveryConcern
+
+    before_action :confirm_two_factor_authenticated
+    before_action :confirm_password_reset_profile
+    before_action :confirm_personal_key
+
+    def new
+      @verify_password_form = VerifyPasswordForm.new(
+        user: current_user,
+        password: '',
+        decrypted_pii: decrypted_pii
+      )
+    end
+
+    def update
+      result = verify_password_form.submit
+
+      if result.success?
+        flash[:personal_key] = result.extra[:personal_key]
+        user_session.delete(:account_recovery)
+        redirect_to account_url
+      else
+        render :new
+      end
+    end
+
+    private
+
+    def confirm_personal_key
+      account_recovery = user_session[:account_recovery]
+      redirect_to root_url unless account_recovery[:personal_key]
+    end
+
+    def decrypted_pii
+      @_decrypted_pii ||= Pii::Attributes.new_from_json(user_session[:decrypted_pii])
+    end
+
+    def verify_password_form
+      VerifyPasswordForm.new(
+        user: current_user,
+        password: params.require(:user).permit(:password)[:password],
+        decrypted_pii: decrypted_pii
+      )
+    end
+  end
+end
diff --git a/app/controllers/users/verify_personal_key_controller.rb b/app/controllers/users/verify_personal_key_controller.rb
@@ -0,0 +1,55 @@
+module Users
+  class VerifyPersonalKeyController < ApplicationController
+    include AccountRecoveryConcern
+
+    before_action :confirm_two_factor_authenticated
+    before_action :confirm_password_reset_profile
+    before_action :init_account_recovery, only: [:create]
+
+    def new
+      flash.now[:notice] = t('notices.account_recovery') unless user_session[:account_recovery]
+
+      @personal_key_form = VerifyPersonalKeyForm.new(
+        user: current_user,
+        personal_key: ''
+      )
+    end
+
+    def create
+      result = personal_key_form.submit
+
+      if result.success?
+        handle_success(result)
+      else
+        handle_failure(result)
+      end
+    end
+
+    private
+
+    def init_account_recovery
+      user_session[:account_recovery] ||= {
+        personal_key: false,
+      }
+    end
+
+    def handle_success(result)
+      user_session[:account_recovery][:personal_key] = true
+      user_session[:decrypted_pii] = result.extra[:decrypted_pii]
+
+      redirect_to verify_password_url
+    end
+
+    def handle_failure(result)
+      flash[:error] = result.errors[:personal_key].last
+      render :new
+    end
+
+    def personal_key_form
+      VerifyPersonalKeyForm.new(
+        user: current_user,
+        personal_key: params.permit(:personal_key)[:personal_key]
+      )
+    end
+  end
+end
diff --git a/app/controllers/verify_controller.rb b/app/controllers/verify_controller.rb
@@ -29,7 +29,7 @@ def fail
 
   def profile_needs_reactivation?
     return unless password_reset_profile && user_session[:acknowledge_personal_key] == true
-    redirect_to manage_reactivate_account_url
+    redirect_to reactivate_account_url
   end
 
   def password_reset_profile

diff --git a/app/forms/reactivate_account_form.rb b/app/forms/reactivate_account_form.rb
diff --git a/app/forms/verify_password_form.rb b/app/forms/verify_password_form.rb
@@ -0,0 +1,49 @@
+class VerifyPasswordForm
+  include ActiveModel::Model
+
+  validates :password, presence: true
+  validate :validate_password
+
+  attr_reader :user, :password, :decrypted_pii
+
+  def initialize(user:, password:, decrypted_pii:)
+    @user = user
+    @password = password
+    @decrypted_pii = decrypted_pii
+  end
+
+  def submit
+    success = valid?
+    extra = {}
+
+    extra[:personal_key] = reencrypt_pii if success
+
+    FormResponse.new(success: success, errors: errors, extra: extra)
+  end
+
+  private
+
+  def validate_password
+    return if valid_password?
+    errors.add :password, :password_incorrect
+  end
+
+  def valid_password?
+    user.valid_password?(password)
+  end
+
+  def reencrypt_pii
+    personal_key = profile.encrypt_pii(user_access_key, decrypted_pii)
+    profile.update(deactivation_reason: nil, active: true)
+    profile.save!
+    personal_key
+  end
+
+  def profile
+    @_profile ||= user.decorate.password_reset_profile
+  end
+
+  def user_access_key
+    @_uak ||= user.unlock_user_access_key(password)
+  end
+end