LG-162 - Offer multiple 2FA options during account creation#2099
would love some help evaluating and fixing these tests.
| analytics.track_event(Analytics::USER_REGISTRATION_PHONE_SETUP_VISIT) | ||
| end | ||
| def tfa |
It's not obvious from looking at this controller, but our convention is to use the standard create, index, show actions for controllers as opposed to custom names. If you find yourself needing a custom name, that's an indication that a new controller is needed.
Since we're making modifications to this controller, what do you think about cleaning it up at the same time? Since we are now introducing a new page where the user can choose from various types of 2FA options, I propose that we keep this controller to represent that options page, and then add a new controller for the phone setup option. So, we would rename the tfa method in this controller to show, and tfa_set to create. Then, in the new phone_setup_controller, we would have a show method for displaying the phone setup form, and a create action for processing the form submission.
That way, we keep things consistent across all our controllers.
Hey @jmhooper @monfresh @davemcorwin - I have one more codeclimate issue I'm unsure how to fix. I also need to send the user to the two factor options page in the case where they verify email, setup a password, then logout - when they sign back in it's currently going to the After that I think this PR is ready for review 😬 🎉
app/forms/user_phone_form.rb
| ) | ||
| self.otp_delivery_preference = params[:otp_delivery_preference] | ||
| self.otp_delivery_preference = params[:otp_delivery_preference] if | ||
| params[:otp_delivery_preference] |
What Reek wants you to do here is to assign params[:otp_delivery_preference] to a variable and call the variable instead of calling params[:otp_delivery_preference] twice.
It's not obvious from Code Climate's website, but there is a help section that explains what the offense is and how to fix it. From the GitHub PR, if you click on "Details" next to the Code Climate check, it will take you to the Code Climate website with a list of all the issues. If you hover your cursor over the issue, a set of 3 icons will appear on the right. The one in the far left looks like a book, and if you hover over it it will say "Read up". If you click on it, it will display a modal explaining what the issue is and how to fix it. Here's a screenshot:
Something like this @monfresh ?
tfa_prefs = 'params[:otp_delivery_preference]'
self.otp_delivery_preference = tfa_prefs if
params[:otp_delivery_preference]
Almost:
tfa_prefs = params[:otp_delivery_preference]
self.otp_delivery_preference = tfa_prefs if tfa_prefs
The point is to parse the params only once.
Looks like there are some slim-lint offenses:
| user_phone_form: { | ||
| phone: '703-555-010', | ||
| otp_delivery_preference: :sms, | ||
| # otp_delivery_preference: :sms, |
We should remove this line instead of commenting it out. Same for the other places this is commented out.
| def create | ||
| @user_phone_form = UserPhoneForm.new(current_user) | ||
| result = @user_phone_form.submit(params[:user_phone_form]) |
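Review bot: `params[:user_phone_form]` is handed to `submit` unfiltered, so every key the client nests under `user_phone_form` reaches the form object, not only the `phone` and `otp_delivery_preference` that the spec further up sends. Suggest a private `user_phone_params` method returning `params.require(:user_phone_form).permit(:phone, :otp_delivery_preference)` and passing that to `submit`, so unexpected keys are dropped at the controller boundary rather than relying on the form to ignore them.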
Any chance we could pull in strong parameters here to make sure we are only permitting the params we want?
| analytics.track_event(Analytics::MULTI_FACTOR_AUTH_PHONE_SETUP, result.to_h) | ||
| def create | ||
| @two_factor_options_form = TwoFactorOptionsForm.new(current_user) | ||
| result = @two_factor_options_form.submit(params[:two_factor_options_form]) |
Same note here about permitting params.
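The following is an added example, not code from the identity-idp PR or project. It sketches, in plain Ruby so it runs without Rails, the two things the reviewers asked for in this thread: the show/create controller split (an options controller plus a phone setup controller) and allow-listing of the submitted params before they reach the form objects. `permit` stands in for Rails' `params.require(...).permit(...)`; the option values (sms, voice, auth_app), the `selection` key, the phone format and the controller and form class bodies are assumptions for illustration, not the project's real constants.

```ruby
# Added example (not identity-idp code). A Rails-free sketch of strong-params
# style allow-listing in front of the two 2FA form objects discussed in the PR.
# Assumed: the option names, the `selection` key, and the phone format.

# Keys each form may receive. Anything else the client sends is dropped.
PERMITTED = {
  two_factor_options_form: %i[selection],
  user_phone_form: %i[phone otp_delivery_preference],
}.freeze

# Stand-in for `params.require(form_key).permit(*allowed)`: keeps only the
# allowed keys (e.g. a client-added `confirmed_at` never reaches the form) and
# raises when the form's own key is missing or is not a hash.
def permit(params, form_key)
  raw = params[form_key]
  raise ArgumentError, "#{form_key} param is missing" unless raw.is_a?(Hash)
  allowed = PERMITTED.fetch(form_key)
  raw.each_with_object({}) do |(key, value), out|
    sym = key.to_sym
    out[sym] = value if allowed.include?(sym)
  end
end

# The options page: the user picks one 2FA method from a fixed list.
class TwoFactorOptionsForm
  OPTIONS = %w[sms voice auth_app].freeze # assumed names, not the project's

  def submit(params)
    selection = params[:selection].to_s
    return { success: true, errors: [], selection: selection } if OPTIONS.include?(selection)
    { success: false, errors: ["selection must be one of: #{OPTIONS.join(', ')}"] }
  end
end

# The phone setup page: a phone number plus an sms/voice delivery preference.
# A missing preference is reported as an error rather than defaulted, so the
# `tfa_prefs if tfa_prefs` guard discussed above cannot silently leave it unset.
class UserPhoneForm
  DELIVERY = %w[sms voice].freeze
  PHONE = /\A\d{3}-\d{3}-\d{4}\z/ # assumed format for the example only

  def submit(params)
    phone = params[:phone].to_s
    pref = params[:otp_delivery_preference].to_s
    errors = []
    errors << 'phone must look like 703-555-0100' unless phone.match?(PHONE)
    errors << 'otp_delivery_preference must be sms or voice' unless DELIVERY.include?(pref)
    return { success: false, errors: errors } unless errors.empty?
    { success: true, errors: [], phone: phone, otp_delivery_preference: pref }
  end
end

# Stand-ins for the two controllers proposed in review, each with a `create`
# that permits first and only then hands the params to its form.
class TwoFactorOptionsController
  def initialize(params)
    @params = params
  end

  def create
    TwoFactorOptionsForm.new.submit(permit(@params, :two_factor_options_form))
  end
end

class PhoneSetupController
  def initialize(params)
    @params = params
  end

  def create
    UserPhoneForm.new.submit(permit(@params, :user_phone_form))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request bodies standing in for `params`.
  p TwoFactorOptionsController.new(two_factor_options_form: { selection: 'auth_app' }).create
  p PhoneSetupController.new(user_phone_form: { phone: '703-555-0100',
                                                otp_delivery_preference: 'sms',
                                                confirmed_at: '2017-01-01' }).create
  p PhoneSetupController.new(user_phone_form: { phone: '703-555-0100' }).create
end
```

The second call shows the point of permitting at the controller boundary: the extra `confirmed_at` key never reaches `UserPhoneForm`, so the form does not have to know which keys to ignore. The third call shows the nil-preference edge case from the Reek discussion being surfaced as a validation error instead of an unset field.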
| def create | ||
| @two_factor_options_form = TwoFactorOptionsForm.new(current_user) | ||
| result = @two_factor_options_form.submit(params[:two_factor_options_form]) | ||
| # analytics.track_event(Analytics::USER_REGISTRATION_PHONE_SETUP_VISIT) |
We have some dead code here we may want to revisit. We're going to need to make sure we are tracking the analytics event here.
Related, we'll probably want to add a controller spec to make sure this is getting tracked appropriately.
| @@ -0,0 +1,40 @@ | |||
| class TwoFactorOptionsForm | |||
I don't see any specs covering this class
I'm getting 2 fails in CircleCI I'm unsure how to fix. @monfresh @jmhooper @davemcorwin can you help here? https://circleci.com/gh/18F/identity-idp/2638?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link After that would be good for some review passes 👍
@line47 If you look at the test failure reason, you will see that it is expecting to land on the phone setup page but is landing on the new 2FA setup page. I would go through each spec and see what the expected page should be and then either change the spec to match the new behavior, or change the code to make the spec pass if the spec is still valid with the new behavior.
Thanks @monfresh - I've updated those tests and still have some
The middle one is due to the app referencing some localized text that isn't present in the
| @@ -1,3 +1,6 @@ | |||
| .mb-half { margin-bottom: 4px; } | |||
are these the same as .mt-tiny and .mb-tiny?
yeah, mb-tiny and mt-tiny are .25rem which equates to 4px, so these can be removed.
I took care of this (along with other things) here: f92628b
More fixes will be coming later. The cancellation links, for example, aren't set up properly.
**Why**: To give users more choice during account creation. The current options are: SMS, Voice, Authentication app. PIV/CAC will be added later in the menu, although it is already available if you know the URL.
@jmhooper @davemcorwin This is rebased and ready to go. One last look please?
Why: So that users can use phone (voice), text/SMS or an authenticator app to 2FA.
Hi! Before submitting your PR for review, and/or before merging it, please
go through the following checklist:
For DB changes, check for missing indexes, check to see if the changes
affect other apps (such as the dashboard), make sure the DB columns in the
various environments are properly populated, coordinate with devops, plan
migrations in separate steps.
For route changes, make sure GET requests don't change state or result in
destructive behavior. GET requests should only result in information being
read, not written.
For encryption changes, make sure it is compatible with data that was
encrypted with the old code.
For secrets changes, make sure to update the S3 secrets bucket with the
new configs in all environments.
Do not disable Rubocop or Reek offenses unless you are absolutely sure
they are false positives. If you're not sure how to fix the offense, please
ask a teammate.
When reading data, write tests for nil values, empty strings,
and invalid formats.
When calling redirect_to in a controller, use _url, not _path.
When adding user data to the session, use the user_session helper instead of the
session helper so the data does not persist beyond the user's session.
When adding a new controller that requires the user to be fully
authenticated, make sure to add
before_action :confirm_two_factor_authenticated.