Skip to content

Don't allow identity proofing in prod without SP context (LG-3942)#4538

Merged
solipet merged 2 commits intomasterfrom
dprice-lg-3942-disable-verify-in-prod-without-sp
Dec 28, 2020
Merged

Don't allow identity proofing in prod without SP context (LG-3942)#4538
solipet merged 2 commits intomasterfrom
dprice-lg-3942-disable-verify-in-prod-without-sp

Conversation

@solipet
Copy link
Contributor

@solipet solipet commented Dec 28, 2020

If a user signs in directly to secure.login.gov, then attempts to go to the /verify path, they will be redirected back to the account page. This only applies to the production environments. Being redirected to the verify path via request from an SP is not affected.

zachmargolis
zachmargolis approved these changes Dec 28, 2020
View reviewed changes
Copy link
Contributor

@zachmargolis zachmargolis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@solipet solipet merged commit 0911601 into master Dec 28, 2020
@solipet solipet deleted the dprice-lg-3942-disable-verify-in-prod-without-sp branch December 28, 2020 20:12
aduth
aduth reviewed Dec 29, 2020
View reviewed changes
app/controllers/idv_controller.rb
before_action :confirm_two_factor_authenticated
before_action :confirm_idv_needed, only: [:fail]
before_action :profile_needs_reactivation?, only: [:index]
before_action :sp_context_needed?, only: [:index]
Copy link
Contributor

@aduth aduth Dec 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this only applies to :index, and only the root IdvController, what would happen if I navigate to /verify/doc_auth or /verify/doc_auth/welcome ? Or are we primarily concerned with the base /verify path?

Copy link
Contributor Author

@solipet solipet Jan 27, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Opened #4543 to block all {{/verify/*}} paths (which proved to be a bad idea...)

This was referenced Dec 29, 2020
Closed
Merged
@solipet solipet mentioned this pull request Feb 2, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevegsa stevegsa Awaiting requested review from stevegsa

@mitchellhenke mitchellhenke Awaiting requested review from mitchellhenke

2 more reviewers

@aduth aduth aduth left review comments

@zachmargolis zachmargolis zachmargolis approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@solipet @zachmargolis @aduth