18F · monfresh · Jul 5, 2018 · Jun 19, 2018 · Jun 20, 2018 · Jun 20, 2018
diff --git a/.reek b/.reek
@@ -5,6 +5,7 @@ ControlParameter:
     - CustomDeviseFailureApp#i18n_message
     - OpenidConnectRedirector#initialize
     - NoRetryJobs#call
+    - PhoneFormatter#self.format
 DuplicateMethodCall:
   exclude:
     - ApplicationController#disable_caching
@@ -13,7 +14,6 @@ DuplicateMethodCall:
     - MfaConfirmationController#handle_invalid_password
     - needs_to_confirm_email_change?
     - WorkerHealthChecker#status
-    - FileEncryptor#encrypt
     - UserFlowExporter#self.massage_assets
     - BasicAuthUrl#build
     - fallback_to_english
@@ -45,6 +45,7 @@ FeatureEnvy:
     - Utf8Sanitizer#event_attributes
     - Utf8Sanitizer#remote_ip
     - Idv::Proofer#validate_vendors
+    - PersonalKeyGenerator#create_legacy_recovery_code
 InstanceVariableAssumption:
   exclude:
     - User
@@ -57,13 +58,13 @@ ManualDispatch:
     - CloudhsmKeyGenerator#initialize_settings
 NestedIterators:
   exclude:
-    - FileEncryptor#encrypt
     - UserFlowExporter#self.massage_html
     - TwilioService#sanitize_phone_number
     - ServiceProviderSeeder#run
 NilCheck:
   enabled: false
 LongParameterList:
+  max_params: 4
   exclude:
     - IdentityLinker#optional_attributes
     - Idv::ProoferJob#perform
@@ -92,7 +93,6 @@ TooManyStatements:
     - OpenidConnect::AuthorizationController#store_request
     - SamlIdpAuthConcern#store_saml_request
     - Users::PhoneConfirmationController
-    - FileEncryptor#encrypt
     - UserFlowExporter#self.massage_assets
     - UserFlowExporter#self.massage_html
     - UserFlowExporter#self.run
@@ -115,6 +115,8 @@ TooManyMethods:
     - Idv::SessionsController
     - ServiceProviderSessionDecorator
     - SessionDecorator
+    - HolidayService
+    - PhoneDeliveryPresenter
 UncommunicativeMethodName:
   exclude:
     - PhoneConfirmationFlow
@@ -127,6 +129,10 @@ UncommunicativeModuleName:
     - X509::Attribute
     - X509::Attributes
     - X509::SessionStore
+UnusedParameters:
+  exclude:
+    - SmsOtpSenderJob#perform
+    - VoiceOtpSenderJob#perform
 UnusedPrivateMethod:
   exclude:
     - ApplicationController

diff --git a/.rubocop.yml b/.rubocop.yml
@@ -67,6 +67,7 @@ Metrics/ClassLength:
   - app/decorators/user_decorator.rb
   - app/services/analytics.rb
   - app/services/idv/session.rb
+  - app/presenters/two_factor_auth_code/phone_delivery_presenter.rb
 
 Metrics/LineLength:
   Description: Limit lines to 100 characters.

diff --git a/Gemfile b/Gemfile
@@ -30,7 +30,6 @@ gem 'net-sftp'
 gem 'newrelic_rpm'
 gem 'pg'
 gem 'phonelib'
-gem 'phony_rails'
 gem 'pkcs11'
 gem 'premailer-rails'
 gem 'proofer', github: '18F/identity-proofer-gem', tag: 'v2.5.0'
@@ -62,7 +61,6 @@ gem 'typhoeus'
 gem 'uglifier', '~> 3.2'
 gem 'valid_email'
 gem 'webpacker', '~> 3.4'
-gem 'whenever', require: false
 gem 'xml-simple'
 gem 'xmlenc', '~> 0.6'
 gem 'zxcvbn-js'

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -195,7 +195,6 @@ GEM
     chromedriver-helper (1.2.0)
       archive-zip (~> 0.10)
       nokogiri (~> 1.8)
-    chronic (0.10.2)
     chunky_png (1.3.8)
     codeclimate-engine-rb (0.4.1)
       virtus (~> 1.0)
@@ -388,10 +387,6 @@ GEM
       ast (~> 2.4.0)
     pg (1.0.0)
     phonelib (0.6.21)
-    phony (2.15.44)
-    phony_rails (0.14.6)
-      activesupport (>= 3.0)
-      phony (> 2.15)
     pkcs11 (0.2.7)
     powerpack (0.1.1)
     premailer (1.11.1)
@@ -582,7 +577,7 @@ GEM
       slim (~> 3.0)
       sysexits (~> 1.1)
     socksify (1.7.1)
-    sprockets (3.7.1)
+    sprockets (3.7.2)
       concurrent-ruby (~> 1.0)
       rack (> 1, < 3)
     sprockets-rails (3.2.1)
@@ -651,8 +646,6 @@ GEM
     websocket-driver (0.6.5)
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.3)
-    whenever (0.10.0)
-      chronic (>= 0.6.3)
     xml-simple (1.1.5)
     xmldsig (0.6.6)
       nokogiri (>= 1.6.8, < 2.0.0)
@@ -723,7 +716,6 @@ DEPENDENCIES
   overcommit
   pg
   phonelib
-  phony_rails
   pkcs11
   premailer-rails
   proofer!
@@ -770,7 +762,6 @@ DEPENDENCIES
   valid_email
   webmock
   webpacker (~> 3.4)
-  whenever
   xml-simple
   xmlenc (~> 0.6)
   zonebie
@@ -780,4 +771,4 @@ RUBY VERSION
    ruby 2.5.1p57
 
 BUNDLED WITH
-   1.16.1
+   1.16.2
diff --git a/app/assets/images/sp-logos/mycbp.png b/app/assets/images/sp-logos/mycbp.png
diff --git a/app/assets/images/sp-logos/usaid.png b/app/assets/images/sp-logos/usaid.png
diff --git a/app/assets/stylesheets/components/_background.scss b/app/assets/stylesheets/components/_background.scss
@@ -1,6 +1,7 @@
 .bg-gray-lighter { background-color: $gray-lighter; }
 .bg-light-blue { background-color: $blue-light; }
 .bg-lightest-blue { background-color: $blue-lightest; }
+.bg-lightest-red { background-color: $red-lightest; }
 
 @media #{$breakpoint-sm} {
   .sm-bg-light-blue { background-color: $blue-light; }

diff --git a/app/assets/stylesheets/email.css.scss b/app/assets/stylesheets/email.css.scss
@@ -38,6 +38,28 @@ h4 {
 
 .button.large.expanded table a { padding: 20px 0; }
 
+.button.expanded.large .btn-warn-bkg {
+  background-color: $white;
+  border: 0;
+
+  &:hover {
+    background-color: $white;
+  }
+}
+
+.btn-warn-bkg .btn-warn {
+  background-color: $red-lightest;
+  border: 2px solid $red;
+  border-radius: 8px;
+  color: $gray;
+  padding: 10px;
+  width: 50%;
+}
+
+.half {
+  width: 50%;
+}
+
 .footer {
   background: $secondary-color;
 

diff --git a/app/assets/stylesheets/variables/_colors.scss b/app/assets/stylesheets/variables/_colors.scss
@@ -22,3 +22,5 @@ $gray-light: #ddd !default;
 $gray-lighter: #fafafa !default;
 $black: #111 !default;
 $pink: #eb4d67 !default;
+$red: #f00 !default;
+$red-lightest: #fff7f8 !default;
diff --git a/app/controllers/account_reset/cancel_controller.rb b/app/controllers/account_reset/cancel_controller.rb
@@ -0,0 +1,25 @@
+module AccountReset
+  class CancelController < ApplicationController
+    def cancel
+      if AccountResetService.cancel_request(params[:token])
+        handle_success
+      else
+        handle_failure
+      end
+      redirect_to root_url
+    end
+
+    private
+
+    def handle_success
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :cancel, token_valid: true)
+      sign_out if current_user
+      flash[:success] = t('devise.two_factor_authentication.account_reset.successful_cancel')
+    end
+
+    def handle_failure
+      return if params[:token].blank?
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :cancel, token_valid: false)
+    end
+  end
+end
diff --git a/app/controllers/account_reset/confirm_delete_account_controller.rb b/app/controllers/account_reset/confirm_delete_account_controller.rb
@@ -0,0 +1,12 @@
+module AccountReset
+  class ConfirmDeleteAccountController < ApplicationController
+    def show
+      email = flash[:email]
+      if email.blank?
+        redirect_to root_url
+      else
+        render :show, locals: { email: email }
+      end
+    end
+  end
+end
diff --git a/app/controllers/account_reset/confirm_request_controller.rb b/app/controllers/account_reset/confirm_request_controller.rb
@@ -0,0 +1,12 @@
+module AccountReset
+  class ConfirmRequestController < ApplicationController
+    def show
+      email = flash[:email]
+      if email.blank?
+        redirect_to root_url
+      else
+        render :show, locals: { email: email }
+      end
+    end
+  end
+end
diff --git a/app/controllers/account_reset/delete_account_controller.rb b/app/controllers/account_reset/delete_account_controller.rb
@@ -0,0 +1,48 @@
+module AccountReset
+  class DeleteAccountController < ApplicationController
+    before_action :check_feature_enabled
+    before_action :prevent_parameter_leak, only: :show
+    before_action :check_granted_token
+
+    def show; end
+
+    def delete
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :delete, token_valid: true)
+      email = reset_session_and_set_email
+      UserMailer.account_reset_complete(email).deliver_later
+      redirect_to account_reset_confirm_delete_account_url
+    end
+
+    private
+
+    def check_feature_enabled
+      redirect_to root_url unless FeatureManagement.account_reset_enabled?
+    end
+
+    def reset_session_and_set_email
+      user = @account_reset_request.user
+      email = user.email
+      user.destroy!
+      sign_out
+      flash[:email] = email
+    end
+
+    def check_granted_token
+      @account_reset_request = AccountResetRequest.from_valid_granted_token(session[:granted_token])
+      return if @account_reset_request
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :delete, token_valid: false)
+      redirect_to root_url
+    end
+
+    def prevent_parameter_leak
+      token = params[:token]
+      return if token.blank?
+      if AccountResetRequest.find_by(granted_token: token)&.granted_token_valid?
+        session[:granted_token] = token
+        redirect_to url_for
+      else
+        redirect_to root_url
+      end
+    end
+  end
+end
diff --git a/app/controllers/account_reset/report_fraud_controller.rb b/app/controllers/account_reset/report_fraud_controller.rb
@@ -0,0 +1,25 @@
+module AccountReset
+  class ReportFraudController < ApplicationController
+    def update
+      if AccountResetService.report_fraud(params[:token])
+        handle_success
+      else
+        handle_failure
+      end
+      redirect_to root_url
+    end
+
+    private
+
+    def handle_success
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :fraud, token_valid: true)
+      sign_out if current_user
+      flash[:success] = t('devise.two_factor_authentication.account_reset.successful_cancel')
+    end
+
+    def handle_failure
+      return if params[:token].blank?
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :fraud, token_valid: false)
+    end
+  end
+end
diff --git a/app/controllers/account_reset/request_controller.rb b/app/controllers/account_reset/request_controller.rb
@@ -0,0 +1,48 @@
+module AccountReset
+  class RequestController < ApplicationController
+    include TwoFactorAuthenticatable
+
+    before_action :check_account_reset_enabled
+    before_action :confirm_two_factor_enabled
+
+    def show; end
+
+    def create
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :request)
+      create_request
+      send_notifications
+      reset_session_with_email
+      redirect_to account_reset_confirm_request_url
+    end
+
+    private
+
+    def check_account_reset_enabled
+      redirect_to root_url unless FeatureManagement.account_reset_enabled?
+    end
+
+    def reset_session_with_email
+      email = current_user.email
+      sign_out
+      flash[:email] = email
+    end
+
+    def send_notifications
+      SmsAccountResetNotifierJob.perform_now(
+        phone: current_user.phone,
+        cancel_token: current_user.account_reset_request.request_token
+      )
+      UserMailer.account_reset_request(current_user).deliver_later
+    end
+
+    def create_request
+      AccountResetService.new(current_user).create_request
+    end
+
+    def confirm_two_factor_enabled
+      return if current_user.two_factor_enabled?
+
+      redirect_to phone_setup_url
+    end
+  end
+end
diff --git a/app/controllers/account_reset/send_notifications_controller.rb b/app/controllers/account_reset/send_notifications_controller.rb
@@ -0,0 +1,23 @@
+module AccountReset
+  class SendNotificationsController < ApplicationController
+    skip_before_action :verify_authenticity_token
+    before_action :authorize
+
+    def update
+      count = AccountResetService.grant_tokens_and_send_notifications
+      analytics.track_event(Analytics::ACCOUNT_RESET, event: :notifications, count: count)
+      render plain: 'ok'
+    end
+
+    private
+
+    def authorize
+      return if auth_token == Figaro.env.account_reset_auth_token
+      head :unauthorized
+    end
+
+    def auth_token
+      request.headers['X-API-AUTH-TOKEN']
+    end
+  end
+end