Skip to content

Don't allow any /verify/* path in prod without SP context (LG-3942) #4543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
solipet wants to merge 3 commits into from
Closed

Don't allow any /verify/* path in prod without SP context (LG-3942) #4543

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
6264d78
Don't allow any /verify/* path in prod without SP context (LG-3942)
solipet Dec 29, 2020
2e3fae7
nevermind, the `have_actions` matcher doesn't appear to actually work?
solipet Dec 29, 2020
a1542b7
Revert "nevermind, the `have_actions` matcher doesn't appear to actua…
solipet Dec 29, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 11 additions & 7 deletions app/controllers/concerns/idv_session.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,17 @@
module IdvSession
extend ActiveSupport::Concern

included do
before_action :sp_context_needed?
Copy link
Copy Markdown
Contributor

@aduth aduth Dec 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because this is pretty broad, I just want to double-check we want to verify in all cases.

One example: When we send user an email including a link to reverify, will there be an SP associated?

identity-idp/app/views/user_mailer/confirm_email_and_reverify.html.erb

Lines 31 to 34 in b7298bc

<%= link_to idv_recovery_step_url(step: :recover, token: @token, locale: @locale),
idv_recovery_step_url(step: :recover, token: @token, locale: @locale),
target: '_blank',
class: 'float-center', align: 'center' %>

end

def sp_context_needed?
return if sp_from_sp_session.present?
return if LoginGov::Hostdata.env != 'prod'
Copy link
Copy Markdown
Contributor

@zachmargolis zachmargolis Dec 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should this use the config from #4545 ?

Copy link
Copy Markdown
Contributor Author

@solipet solipet Jan 27, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, this is out of date and superceded by #4545


redirect_to account_url
end

def confirm_idv_session_started
redirect_to idv_doc_auth_url if idv_session.applicant.blank?
end
Expand Down Expand Up @@ -40,11 +51,4 @@ def idv_session
def idv_attempter_throttled?
Throttler::IsThrottled.call(current_user.id, :idv_resolution)
end

def sp_context_needed?
return if sp_from_sp_session.present?
return if LoginGov::Hostdata.env != 'prod'

redirect_to account_url
end
end
1 change: 0 additions & 1 deletion app/controllers/idv_controller.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,6 @@ class IdvController < ApplicationController
before_action :confirm_two_factor_authenticated
before_action :confirm_idv_needed, only: [:fail]
before_action :profile_needs_reactivation?, only: [:index]
before_action :sp_context_needed?, only: [:index]

def index
if decorated_session.requested_more_recent_verification?
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/cac_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,12 @@
stub_sign_in(user)
end

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:sp_context_needed?)
Copy link
Copy Markdown
Contributor

@zachmargolis zachmargolis Dec 29, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WDYT of using controller instead of subject?

Suggested change
expect(subject).to have_actions(:sp_context_needed?)
expect(controller).to have_actions(:sp_context_needed?)

end
end

describe '#update' do
it 'sets the uuid in session for the enter info step' do
controller.user_session['idv/cac'] = flow_session
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/cancellations_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
require 'rails_helper'

describe Idv::CancellationsController do
describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#new' do
it 'tracks the event in analytics when referer is nil' do
stub_sign_in
Expand Down
4 changes: 4 additions & 0 deletions spec/controllers/idv/confirmations_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,6 +48,10 @@ def stub_idv_session
)
end

it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end

describe '#confirm_profile_has_been_created' do
before do
stub_idv_session
Expand Down
4 changes: 4 additions & 0 deletions spec/controllers/idv/doc_auth_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,10 @@
:fsm_initialize,
:ensure_correct_step)
end

it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

before do |example|
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/forgot_password_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
require 'rails_helper'

describe Idv::ForgotPasswordController do
describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#new' do
it 'tracks the event in analytics when referer is nil' do
stub_sign_in
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/otp_delivery_method_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,12 @@
subject.idv_session.user_phone_confirmation_session = user_phone_confirmation_session
end

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#new' do
context 'user has not selected phone verification method' do
before do
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/otp_verification_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,12 @@
subject.idv_session.user_phone_confirmation_session = user_phone_confirmation_session
end

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#show' do
context 'the user has not been sent an otp' do
let(:user_phone_confirmation_session) { nil }
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/phone_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,12 @@
end
end

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#new' do
let(:user) do
build(:user, :with_phone,
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/phone_errors_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,12 @@
require 'rails_helper'

shared_examples_for 'an idv phone errors controller action' do
describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

context 'the user is authenticated and has not confirmed their phone' do
it 'renders the error' do
stub_sign_in
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/recovery_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,12 @@
allow(@analytics).to receive(:track_event)
end

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe 'unauthenticated', :skip_sign_in do
it 'redirects to the root url' do
get :index
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/resend_otp_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,12 @@
subject.idv_session.user_phone_confirmation_session = user_phone_confirmation_session
end

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#create' do
context 'the user has not selected a delivery method' do
let(:user_phone_confirmation_session) { nil }
Expand Down
4 changes: 4 additions & 0 deletions spec/controllers/idv/review_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,10 @@
:confirm_idv_steps_complete,
)
end

it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#confirm_idv_steps_complete' do
Expand Down
6 changes: 6 additions & 0 deletions spec/controllers/idv/session_errors_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,12 @@
allow(controller).to receive(:idv_session).and_return(idv_session)
end

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#warning' do
let(:action) { :warning }
let(:template) { 'idv/session_errors/warning' }
Expand Down
4 changes: 4 additions & 0 deletions spec/controllers/idv/usps_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@
:confirm_mail_not_spammed,
)
end

it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :sp_context_needed?)
end
end

describe '#index' do
Expand Down