From c0e2e8abe532fcddb0c8426faa81072e3d3e54d6 Mon Sep 17 00:00:00 2001
From: Douglas Price
Date: Mon, 28 Dec 2020 13:46:30 -0500
Subject: [PATCH 1/2] Don't allow identity proofing in prod without SP context (LG-3942)

---
app/controllers/concerns/idv_session.rb | 7 ++++++
app/controllers/idv_controller.rb | 1 +
spec/controllers/idv_controller_spec.rb | 31 +++++++++++++++++++++++++
3 files changed, 39 insertions(+)

diff --git a/app/controllers/concerns/idv_session.rb b/app/controllers/concerns/idv_session.rb
index 071f48e2789..ed078831a5f 100644
--- a/app/controllers/concerns/idv_session.rb
+++ b/app/controllers/concerns/idv_session.rb
@@ -40,4 +40,11 @@ def idv_session
 def idv_attempter_throttled?
 Throttler::IsThrottled.call(current_user.id, :idv_resolution)
 end
+
+ def sp_context_needed?
+ return if sp_session.present?
+ return unless LoginGov::Hostdata.env == 'prod'
+
+ redirect_to account_url
+ end
 end
diff --git a/app/controllers/idv_controller.rb b/app/controllers/idv_controller.rb
index 421e3f325f6..2c5d62f5386 100644
--- a/app/controllers/idv_controller.rb
+++ b/app/controllers/idv_controller.rb
@@ -5,6 +5,7 @@ class IdvController < ApplicationController
 before_action :confirm_two_factor_authenticated
 before_action :confirm_idv_needed, only: [:fail]
 before_action :profile_needs_reactivation?, only: [:index]
+ before_action :sp_context_needed?, only: [:index]
 
 def index
 if decorated_session.requested_more_recent_verification?
diff --git a/spec/controllers/idv_controller_spec.rb b/spec/controllers/idv_controller_spec.rb
index fb2408fcb79..b880fc98d6e 100644
--- a/spec/controllers/idv_controller_spec.rb
+++ b/spec/controllers/idv_controller_spec.rb
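Review bot: `sp_context_needed?` in the idv_session.rb hunk fails open: the redirect is enforced only when `LoginGov::Hostdata.env` is exactly `'prod'`, so a nil or unexpected value from that lookup silently disables the guard in any deployment where the environment name is misread, and the second patch's rewrite of these two lines (`return if LoginGov::Hostdata.env != 'prod'`) keeps the same shape. A more defensive form gates on an explicit allowlist of environments that may proof without an SP, or on a configuration flag, and treats every other value as prod; the spec hunk only exercises `'prod'` and `'staging'`, so the nil case is untested either way. The method name ends in `?` but it redirects rather than returning a boolean; `profile_needs_reactivation?` in the idv_controller.rb hunk appears to follow the same pattern, so this reads as a project convention rather than a defect, though a name such as `redirect_unless_sp_context` would describe the filter more honestly. The enclosing module of this hunk starts outside it.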
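Review bot: The new `before_action :sp_context_needed?, only: [:index]` in the idv_controller.rb hunk restricts only the entry action of IdvController, so the prod-only rule holds just for users who start proofing there. The spec's non-prod expectation redirects to `idv_doc_auth_url`, which suggests the subsequent steps live in other controllers; if those routes can be requested directly, a user without SP context could skip `index` and the restriction would not apply, so it is worth confirming that the doc-auth controllers share this filter (for example through the same IdvSession concern) or cannot be entered without passing through `index`. The class continues outside the hunk.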
@@ -69,6 +69,37 @@
 expect(response).to redirect_to account_url
 end
 end
+
+ context 'no SP context' do
+ before do
+ stub_sign_in
+ session[:sp] = {}
+ end
+
+ context 'prod environment' do
+ before do
+ allow(LoginGov::Hostdata).to receive(:env).and_return('prod')
+ end
+
+ it 'redirects back to the account page' do
+ get :index
+
+ expect(response).to redirect_to account_url
+ end
+ end
+
+ context 'non-prod environment' do
+ before do
+ allow(LoginGov::Hostdata).to receive(:env).and_return('staging')
+ end
+
+ it 'begins the identity proofing process' do
+ get :index
+
+ expect(response).to redirect_to idv_doc_auth_url
+ end
+ end
+ end
 end
 
 describe '#activated' do
From 836c89ebf6fbfb35bd91777626f29db216a39aa1 Mon Sep 17 00:00:00 2001
From: Douglas Price
Date: Mon, 28 Dec 2020 14:47:40 -0500
Subject: [PATCH 2/2] review suggestions

---
app/controllers/concerns/idv_session.rb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/controllers/concerns/idv_session.rb b/app/controllers/concerns/idv_session.rb
index ed078831a5f..96e7159138f 100644
--- a/app/controllers/concerns/idv_session.rb
+++ b/app/controllers/concerns/idv_session.rb
@@ -42,8 +42,8 @@ def idv_attempter_throttled?
 end
 
 def sp_context_needed?
- return if sp_session.present?
- return unless LoginGov::Hostdata.env == 'prod'
+ return if sp_from_sp_session.present?
+ return if LoginGov::Hostdata.env != 'prod'
 
 redirect_to account_url
 end
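Review bot: The rewritten guard in the second patch's idv_session.rb hunk still carries no comment saying why the restriction applies to prod alone, and nothing in the concern itself points at the ticket that motivated it, so a later reader has to reconstruct the intent from the spec. A one-line why-comment above `def sp_context_needed?`, such as `# Proofing with no SP in the session is blocked in prod only (LG-3942); see spec/controllers/idv_controller_spec.rb`, would keep that reasoning next to the code. Whether `sp_from_sp_session` is nil when `session[:sp]` is an empty hash, as the spec sets it, is not visible here and should be confirmed against the concern's definition of that helper, which lies outside the hunk.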