Skip to content

Don't set session[:sp] if no issuer is present#1913

Merged
monfresh merged 1 commit intomasterfrom
mb-completions-page-fix
Jan 16, 2018
Merged

Don't set session[:sp] if no issuer is present#1913
monfresh merged 1 commit intomasterfrom
mb-completions-page-fix

Conversation

@monfresh
Copy link
Contributor

@monfresh monfresh commented Jan 12, 2018

Why: For some yet unknown reason, some people are getting in a
state where they have an sp key in the session, but with nil values
for issuer and other attributes. The only place we set session[:sp]
is in StoreSpMetadataInSession, which means that somehow, the
service is being called either with a nil request_id, or a
request_id that no longer matches one in the DB.

This was causing an exception when the user viewed the agency handoff
page because the view was determining whether or not the user is allowed
to view the page based only on the presence of session[:sp], which is
true in this case, which then calls
@view_model.service_provider_partial, which has this logic:

def service_provider_partial
  if @decorated_session.is_a?(ServiceProviderSessionDecorator)
    'sign_up/completions/show_sp'
  else
    'sign_up/completions/show_identities'
  end
end

Because there is no issuer in the sp hash, the decorated session is a
regular SessionDecorator, and so the app tries to render
sign_up/completions/show_identities, which has a bug because it's
trying to call a method on the user's identities even if the user does
not have any identities:

- if identities.length > 1
  = t('idv.messages.agencies_login')
- else
  = t('idv.messages.agency_login_html', sp: identities.first.display_name)

How:

  • Don't set session[:sp] if a ServiceProviderRequest cannot be found
  • Check for the presence of the issuer in the agency handoff page
  • Add logging to help determine where and if the request_id is being
    dropped or changed.

Hi! Before submitting your PR for review, and/or before merging it, please
go through the following checklist:

  • For DB changes, check for missing indexes, check to see if the changes
    affect other apps (such as the dashboard), make sure the DB columns in the
    various environments are properly populated, coordinate with devops, plan
    migrations in separate steps.

  • For route changes, make sure GET requests don't change state or result in
    destructive behavior. GET requests should only result in information being
    read, not written.

  • For encryption changes, make sure it is compatible with data that was
    encrypted with the old code.

  • Do not disable Rubocop or Reek offenses unless you are absolutely sure
    they are false positives. If you're not sure how to fix the offense, please
    ask a teammate.

  • When reading data, write tests for nil values, empty strings,
    and invalid formats.

  • When calling redirect_to in a controller, use _url, not _path.

  • When adding user data to the session, use the user_session helper
    instead of the session helper so the data does not persist beyond the user's
    session.

  • When adding a new controller that requires the user to be fully
    authenticated, make sure to add before_action :confirm_two_factor_authenticated.

@monfresh
Don't set session[:sp] if no issuer is present
5243f54 
**Why**: For some yet unknown reason, some people are getting in a
state where they have an `sp` key in the session, but with nil values
for issuer and other attributes. The only place we set `session[:sp]`
is in `StoreSpMetadataInSession`, which means that somehow, the
service is being called either with a nil `request_id`, or a
`request_id` that no longer matches one in the DB.

This was causing an exception when the user viewed the agency handoff
page because the view was determining whether or not the user is allowed
to view the page based only on the presence of `session[:sp]`, which is
true in this case, which then calls
`@view_model.service_provider_partial`, which has this logic:

```ruby
def service_provider_partial
  if @decorated_session.is_a?(ServiceProviderSessionDecorator)
    'sign_up/completions/show_sp'
  else
    'sign_up/completions/show_identities'
  end
end
```

Because there is no issuer in the `sp` hash, the decorated session is a
regular `SessionDecorator`, and so the app tries to render
`sign_up/completions/show_identities`, which has a bug because it's
trying to call a method on the user's `identities` even if the user does
not have any identities:

```slim
- if identities.length > 1
  = t('idv.messages.agencies_login')
- else
  = t('idv.messages.agency_login_html', sp: identities.first.display_name)
```

**How**:
- Don't set `session[:sp]` if a ServiceProviderRequest cannot be found
- Check for the presence of the issuer in the agency handoff page
- Add logging to help determine where and if the `request_id` is being
dropped or changed.
@monfresh monfresh requested a review from nickbristow January 12, 2018 18:26
@monfresh monfresh mentioned this pull request Jan 12, 2018
Closed
8 tasks
@monfresh monfresh requested review from jmhooper and mugizico January 12, 2018 18:50
@monfresh monfresh merged commit 1337298 into master Jan 16, 2018
@monfresh monfresh deleted the mb-completions-page-fix branch January 16, 2018 16:23
@aduth aduth mentioned this pull request Apr 5, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickbristow nickbristow Awaiting requested review from nickbristow

@mugizico mugizico Awaiting requested review from mugizico

1 more reviewer

@jmhooper jmhooper jmhooper approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

status - ready for review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@monfresh @jmhooper