18F · jgsmith-usds · Jul 18, 2018 · Jun 27, 2018 · Jul 2, 2018 · Jul 2, 2018
diff --git a/.codeclimate.yml b/.codeclimate.yml
@@ -67,7 +67,7 @@ plugins:
     - '.codeclimate.yml'
     config:
       strings:
-      # Removed TODO from this list, as we want to allow TODOs in the codebase
+      - TODO
       - FIXME
       - HACK
       - BUG
@@ -94,6 +94,5 @@ exclude_patterns:
   - 'lib/tasks/create_test_accounts.rb'
   - 'lib/user_flow_exporter.rb'
   - 'scripts/load_testing/'
-  - 'spec/'
   - 'tmp/'
   - 'config/initializers/jwt.rb'
diff --git a/.reek b/.reek
@@ -6,6 +6,7 @@ ControlParameter:
     - OpenidConnectRedirector#initialize
     - NoRetryJobs#call
     - PhoneFormatter#self.format
+    - Users::TwoFactorAuthenticationController#invalid_phone_number
 DuplicateMethodCall:
   exclude:
     - ApplicationController#disable_caching
@@ -19,6 +20,7 @@ DuplicateMethodCall:
     - fallback_to_english
     - Idv::Proofer#load_vendors!
     - Upaya::RandomTools#self.random_weighted_sample
+    - SmsController#authenticate
 FeatureEnvy:
   exclude:
     - ActiveJob::Logging::LogSubscriber#json_for
@@ -46,6 +48,8 @@ FeatureEnvy:
     - Utf8Sanitizer#remote_ip
     - Idv::Proofer#validate_vendors
     - PersonalKeyGenerator#create_legacy_recovery_code
+    - TwoFactorAuthenticationController#capture_analytics_for_exception
+    - Users::SessionsController#configure_permitted_parameters
 InstanceVariableAssumption:
   exclude:
     - User
@@ -56,10 +60,11 @@ ManualDispatch:
   exclude:
     - EncryptedSidekiqRedis#respond_to_missing?
     - CloudhsmKeyGenerator#initialize_settings
+    - Users::SessionsController#configure_permitted_parameters
 NestedIterators:
   exclude:
     - UserFlowExporter#self.massage_html
-    - TwilioService#sanitize_phone_number
+    - TwilioService::Utils#sanitize_phone_number
     - ServiceProviderSeeder#run
 NilCheck:
   enabled: false
@@ -104,6 +109,7 @@ TooManyStatements:
     - Upaya::RandomTools#self.random_weighted_sample
     - UserFlowFormatter#stop
     - Upaya::QueueConfig#self.choose_queue_adapter
+    - Users::TwoFactorAuthenticationController#send_code
 TooManyMethods:
   exclude:
     - Users::ConfirmationsController
@@ -157,6 +163,7 @@ UtilityFunction:
     - LocaleHelper#locale_url_param
     - IdvSession#timed_out_vendor_error
     - JWT::Signature#sign
+    - SmsAccountResetCancellationNotifierJob#perform
 'app/controllers':
   InstanceVariableAssumption:
     enabled: false

diff --git a/.rubocop.yml b/.rubocop.yml
@@ -62,7 +62,7 @@ Metrics/ClassLength:
   - app/controllers/openid_connect/authorization_controller.rb
   - app/controllers/users/confirmations_controller.rb
   - app/controllers/users/sessions_controller.rb
-  - app/controllers/devise/two_factor_authentication_controller.rb
+  - app/controllers/users/two_factor_authentication_controller.rb
   - app/decorators/service_provider_session_decorator.rb
   - app/decorators/user_decorator.rb
   - app/services/analytics.rb

diff --git a/Gemfile b/Gemfile
@@ -32,7 +32,7 @@ gem 'pg'
 gem 'phonelib'
 gem 'pkcs11'
 gem 'premailer-rails'
-gem 'proofer', github: '18F/identity-proofer-gem', tag: 'v2.5.0'
+gem 'proofer', github: '18F/identity-proofer-gem', tag: 'v2.6.1'
 gem 'rack-attack'
 gem 'rack-cors', require: 'rack/cors'
 gem 'rack-headers_filter'
@@ -112,7 +112,7 @@ group :test do
 end
 
 group :production do
-  gem 'aamva', git: 'git@github.com:18F/identity-aamva-api-client-gem', tag: 'v3.0.1'
+  gem 'aamva', git: 'git@github.com:18F/identity-aamva-api-client-gem', tag: 'v3.1.0'
   gem 'equifax', git: 'git@github.com:18F/identity-equifax-api-client-gem.git', tag: 'v1.1.0'
-  gem 'lexisnexis', git: 'git@github.com:18F/identity-lexisnexis-api-client-gem', tag: 'v1.0.0'
+  gem 'lexisnexis', git: 'git@github.com:18F/identity-lexisnexis-api-client-gem', tag: 'v1.1.0'
 end
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -1,9 +1,9 @@
 GIT
   remote: git@github.com:18F/identity-aamva-api-client-gem
-  revision: 015186dd86691294404229ee051cfcf9e87fb6c7
-  tag: v3.0.1
+  revision: f69b0295933809057292736ed173a5a5e11b668c
+  tag: v3.1.0
   specs:
-    aamva (3.0.1)
+    aamva (3.1.0)
       dotenv
       hashie
       httpi
@@ -24,10 +24,10 @@ GIT
 
 GIT
   remote: git@github.com:18F/identity-lexisnexis-api-client-gem
-  revision: 2cf954c312a7e66cd24c48ccc7af8bdc72339525
-  tag: v1.0.0
+  revision: d17049ab1a03d50c0cc8a272d86cf2144192fab5
+  tag: v1.1.0
   specs:
-    lexisnexis (1.0.0)
+    lexisnexis (1.1.0)
       dotenv
       typhoeus
 
@@ -41,10 +41,10 @@ GIT
 
 GIT
   remote: https://github.com/18F/identity-proofer-gem.git
-  revision: 55191ec2124fb2b36111adf15d626d483436b74d
-  tag: v2.5.0
+  revision: 875246d603bbd9b29cbc82493513f948d4e8689b
+  tag: v2.6.1
   specs:
-    proofer (2.5.0)
+    proofer (2.6.1)
 
 GIT
   remote: https://github.com/18F/redis-session-store.git

diff --git a/app/assets/stylesheets/components/_intl-tel-input.scss b/app/assets/stylesheets/components/_intl-tel-input.scss
@@ -2,6 +2,10 @@
   display: none;
 }
 
+.intl-tel-input {
+  width: 100%;
+}
+
 .no-js {
   .js-intl-tel-code-select {
     display: block;

diff --git a/app/controllers/account_reset/cancel_controller.rb b/app/controllers/account_reset/cancel_controller.rb
@@ -1,8 +1,9 @@
 module AccountReset
   class CancelController < ApplicationController
     def cancel
-      if AccountResetService.cancel_request(params[:token])
-        handle_success
+      account_reset = AccountResetService.cancel_request(params[:token])
+      if account_reset
+        handle_success(account_reset.user)
       else
         handle_failure
       end
@@ -11,9 +12,13 @@ def cancel
 
     private
 
-    def handle_success
-      analytics.track_event(Analytics::ACCOUNT_RESET, event: :cancel, token_valid: true)
+    def handle_success(user)
+      analytics.track_event(Analytics::ACCOUNT_RESET,
+                            event: :cancel, token_valid: true, user_id: user.uuid)
       sign_out if current_user
+      UserMailer.account_reset_cancel(user.email).deliver_later
+      phone = user.phone
+      SmsAccountResetCancellationNotifierJob.perform_now(phone: phone) if phone.present?
       flash[:success] = t('devise.two_factor_authentication.account_reset.successful_cancel')
     end
 

diff --git a/app/controllers/account_reset/delete_account_controller.rb b/app/controllers/account_reset/delete_account_controller.rb
@@ -7,8 +7,10 @@ class DeleteAccountController < ApplicationController
     def show; end
 
     def delete
-      analytics.track_event(Analytics::ACCOUNT_RESET, event: :delete, token_valid: true)
-      email = reset_session_and_set_email
+      user = @account_reset_request.user
+      analytics.track_event(Analytics::ACCOUNT_RESET,
+                            event: :delete, token_valid: true, user_id: user.uuid)
+      email = reset_session_and_set_email(user)
       UserMailer.account_reset_complete(email).deliver_later
       redirect_to account_reset_confirm_delete_account_url
     end
@@ -19,8 +21,7 @@ def check_feature_enabled
       redirect_to root_url unless FeatureManagement.account_reset_enabled?
     end
 
-    def reset_session_and_set_email
-      user = @account_reset_request.user
+    def reset_session_and_set_email(user)
       email = user.email
       user.destroy!
       sign_out

diff --git a/app/controllers/account_reset/request_controller.rb b/app/controllers/account_reset/request_controller.rb
@@ -28,10 +28,13 @@ def reset_session_with_email
     end
 
     def send_notifications
-      SmsAccountResetNotifierJob.perform_now(
-        phone: current_user.phone,
-        cancel_token: current_user.account_reset_request.request_token
-      )
+      phone = current_user.phone
+      if phone
+        SmsAccountResetNotifierJob.perform_now(
+          phone: phone,
+          cancel_token: current_user.account_reset_request.request_token
+        )
+      end
       UserMailer.account_reset_request(current_user).deliver_later
     end
 

diff --git a/app/controllers/concerns/user_session_context.rb b/app/controllers/concerns/user_session_context.rb
@@ -5,7 +5,6 @@ def context
     user_session[:context] || DEFAULT_CONTEXT
   end
 
-  # TODO: Figure out better names for this and the method below
   def initial_authentication_context?
     context == DEFAULT_CONTEXT
   end

diff --git a/app/controllers/sms_controller.rb b/app/controllers/sms_controller.rb
@@ -0,0 +1,74 @@
+class SmsController < ApplicationController
+  include ActionController::HttpAuthentication::Basic::ControllerMethods
+  include SecureHeadersConcern
+
+  # Twilio supports HTTP Basic Auth for request URL
+  # https://www.twilio.com/docs/usage/security
+  before_action :authenticate
+
+  # Disable CSRF check
+  skip_before_action :verify_authenticity_token, only: [:receive]
+
+  def receive
+    signature = request.headers[TwilioService::Sms::Request::SIGNATURE_HEADER]
+    message = TwilioService::Sms::Request.new(request.url, params, signature)
+
+    handle_result(message, SmsForm.new(message).submit)
+  end
+
+  private
+
+  def handle_result(message, result)
+    if result.success?
+      process_success(message, result)
+    else
+      process_failure(result)
+    end
+  end
+
+  def process_success(message, result)
+    response = TwilioService::Sms::Response.new(message)
+    SmsReplySenderJob.perform_later(response.reply)
+
+    analytics.track_event(
+      Analytics::TWILIO_SMS_INBOUND_MESSAGE_RECEIVED,
+      result.to_h
+    )
+
+    head :accepted
+  end
+
+  def process_failure(result)
+    analytics.track_event(
+      Analytics::TWILIO_SMS_INBOUND_MESSAGE_VALIDATION_FAILED,
+      result.to_h
+    )
+
+    head :forbidden
+  end
+
+  # `http_basic_authenticate_with name` had issues related to testing, so using
+  # this method with a before action instead. (The former is a shortcut for the
+  # following, which is called internally by Rails.)
+  def authenticate
+    env = Figaro.env
+
+    head :unauthorized unless auth_configured?(env)
+
+    authenticate_or_request_with_http_basic do |username, password|
+      # This comparison uses & so that it doesn't short circuit and
+      # uses `secure_compare` so that length information
+      # isn't leaked.
+      ActiveSupport::SecurityUtils.secure_compare(
+        username, env.twilio_http_basic_auth_username
+      ) & ActiveSupport::SecurityUtils.secure_compare(
+        password, env.twilio_http_basic_auth_password
+      )
+    end
+  end
+
+  def auth_configured?(env)
+    env.twilio_http_basic_auth_username.present? &&
+      env.twilio_http_basic_auth_password.present?
+  end
+end
diff --git a/app/controllers/two_factor_authentication/options_controller.rb b/app/controllers/two_factor_authentication/options_controller.rb
@@ -0,0 +1,46 @@
+module TwoFactorAuthentication
+  class OptionsController < ApplicationController
+    include TwoFactorAuthenticatable
+
+    def index
+      @two_factor_options_form = TwoFactorLoginOptionsForm.new(current_user)
+      @presenter = two_factor_options_presenter
+      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_OPTION_LIST_VISIT)
+    end
+
+    def create
+      @two_factor_options_form = TwoFactorLoginOptionsForm.new(current_user)
+      result = @two_factor_options_form.submit(two_factor_options_form_params)
+      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_OPTION_LIST, result.to_h)
+
+      if result.success?
+        process_valid_form
+      else
+        @presenter = two_factor_options_presenter
+        render :index
+      end
+    end
+
+    private
+
+    def two_factor_options_presenter
+      TwoFactorLoginOptionsPresenter.new(current_user, view_context, current_sp)
+    end
+
+    def process_valid_form
+      factor_to_url = {
+        'voice' =>  otp_send_url(otp_delivery_selection_form: { otp_delivery_preference: 'voice' }),
+        'personal_key' => login_two_factor_personal_key_url,
+        'sms' => otp_send_url(otp_delivery_selection_form: { otp_delivery_preference: 'sms' }),
+        'auth_app' => login_two_factor_authenticator_url,
+        'piv_cac' => login_two_factor_piv_cac_url,
+      }
+      url = factor_to_url[@two_factor_options_form.selection]
+      redirect_to url if url
+    end
+
+    def two_factor_options_form_params
+      params.require(:two_factor_options_form).permit(:selection)
+    end
+  end
+end
diff --git a/app/controllers/two_factor_authentication/personal_key_verification_controller.rb b/app/controllers/two_factor_authentication/personal_key_verification_controller.rb
@@ -8,7 +8,7 @@ def show
       analytics.track_event(
         Analytics::MULTI_FACTOR_AUTH_ENTER_PERSONAL_KEY_VISIT, context: context
       )
-
+      @presenter = TwoFactorAuthCode::PersonalKeyPresenter.new
       @personal_key_form = PersonalKeyForm.new(current_user)
     end
 

diff --git a/app/controllers/users/sessions_controller.rb b/app/controllers/users/sessions_controller.rb
@@ -9,6 +9,7 @@ class SessionsController < Devise::SessionsController
     skip_before_action :require_no_authentication, only: [:new]
     before_action :check_user_needs_redirect, only: [:new]
     before_action :apply_secure_headers_override, only: [:new]
+    before_action :configure_permitted_parameters, only: [:new]
 
     def new
       analytics.track_event(
@@ -48,6 +49,12 @@ def timeout
 
     private
 
+    def configure_permitted_parameters
+      devise_parameter_sanitizer.permit(:sign_in) do |user_params|
+        user_params.permit(:email) if user_params.respond_to?(:permit)
+      end
+    end
+
     def redirect_to_signin
       controller_info = 'users/sessions#create'
       analytics.track_event(Analytics::INVALID_AUTHENTICITY_TOKEN, controller: controller_info)