Reorder phone confirmation and review page

[jmhooper]

Why: It is confusing for users to verify their phone number after
entering confirming their profile by entering their password. This
commit changes the order so the user verifies their phone immediately
after entering it

[jmhooper]

I've re-ordered the steps, but there's some follow on things I still need to do:

• Verify that I didn't do something that would allow users to short-circuit the phone verification process and get a verified account without verifying their phone
• There's a failing spec where it expects users signing out / back in in the middle of confirming a phone number on record to be redirected to the OTP entry screen

[zachmargolis]

Does this preserve the "verify by phone or by mail" choice screen?

[jmhooper]

Yes, it should. I can to be sure though.

[jmhooper]

Just ran through the mail flow. It is still there and appears to work 👍

[jmhooper]

Some updates:

• I added a spec to make sure the Idv::Session service won't activate users profile unless their phone is confirmed
• I modified the failing IdV flow test to test that the cancel link redirects to /verify/cancel like the rest of the cancel links through the IdV process

[jmhooper]

I still need to modify the confirmations controller so it redirects to the otp verification if the phone number is unconfirmed. Also, there's some dead code on the account page that tells the user to verify their account by phone which will need to be removed.

[jmhooper]

I changed up the review controller so it redirects to phone confirmation if the user needs to confirm their phone. The confirmations controller checks that an active profile has been created before allowing any actions. The profile is created in the review controller so no further work should need to be done to the confirmations controller.

There is still a wrinkle where a user can bail out of the process during the confirmations step and end up with a profile that is not activated. Because of that I'm leaving some of the code to allow a user to return to confirmation from the account page. I'd prefer to break that work off into another PR.

[monfresh]

The code looks good overall, but I found the following bug:

1. Make LOA3 request from SP
2. Sign in or create an account
3. Go through IdV flow and choose to activate by phone and enter a different phone than the one you setup 2FA with
4. Once you are prompted for the OTP, click on "Use another phone number"
   Expected: You are able to enter a new number
   Actual: You get redirected to the OTP prompt

Could we make sure to add a test for this? The test should perform the flow in 3 different scenarios: via SAML, via OIDC, and when visiting the site directly.

[jmhooper]

Hmm, I don't think this bug is specific to my branch. I'm seeing something similar on master. There the difference is instead of redirecting to the OTP entry screen, it is redirecting me to the password screen.

It looks like the problem is that once you've entered your phone of record, we make the assumption that you wouldn't want to go back and change it. So, we redirect to the next step if you have entered your phone. On master, that is the password entry, here it is phone confirmation.

Corollary: The same is true for finance and profile info. It is impossible to back and change anything. We may want to think that through.

This behavior appears to occur regardless of whether you use OIDC or SAML.

I'm happy to fix, but I think it is out of scope here. This probably needs it's own issue and PR.

[jmhooper]

@monfresh: I have opened an issue for the above bug here: https://github.com/18F/identity-private/issues/2268

[monfresh]

LGTM

[monfresh]

Fair enough. We can address the bug in a separate PR.