LG-4099: Don't allow any /verify/* path in prod without SP context

app/controllers/concerns/idv_session.rb

@@ -1,6 +1,10 @@
 module IdvSession
   extend ActiveSupport::Concern
 
+  included do
+    before_action :redirect_if_sp_context_needed
+  end
+
   def confirm_idv_session_started
     redirect_to idv_doc_auth_url if idv_session.applicant.blank?
   end
@@ -41,10 +45,11 @@ def idv_attempter_throttled?
     Throttler::IsThrottled.call(current_user.id, :idv_resolution)
   end
 
-  def sp_context_needed?
+  def redirect_if_sp_context_needed
     return if sp_from_sp_session.present?
     return unless LoginGov::Hostdata.in_datacenter?
     return if LoginGov::Hostdata.env != AppConfig.env.sp_context_needed_environment
+    return if current_user.profiles.any?
 
     redirect_to account_url
   end

app/controllers/idv_controller.rb

@@ -5,7 +5,6 @@ class IdvController < ApplicationController
   before_action :confirm_two_factor_authenticated
   before_action :confirm_idv_needed, only: [:fail]
   before_action :profile_needs_reactivation?, only: [:index]
-  before_action :sp_context_needed?, only: [:index]
 
   def index
     if decorated_session.requested_more_recent_verification?

spec/controllers/idv/cancellations_controller_spec.rb

@@ -1,6 +1,12 @@
 require 'rails_helper'
 
 describe Idv::CancellationsController do
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe '#new' do
     it 'tracks the event in analytics when referer is nil' do
       stub_sign_in

spec/controllers/idv/confirmations_controller_spec.rb

@@ -48,6 +48,10 @@ def stub_idv_session
       )
     end
 
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+
     describe '#confirm_profile_has_been_created' do
       before do
         stub_idv_session

spec/controllers/idv/doc_auth_controller_spec.rb

@@ -10,6 +10,10 @@
                                       :fsm_initialize,
                                       :ensure_correct_step)
     end
+
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
   end
 
   before do |example|

spec/controllers/idv/forgot_password_controller_spec.rb

@@ -1,6 +1,12 @@
 require 'rails_helper'
 
 describe Idv::ForgotPasswordController do
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe '#new' do
     it 'tracks the event in analytics when referer is nil' do
       stub_sign_in

spec/controllers/idv/otp_delivery_method_controller_spec.rb

@@ -15,6 +15,12 @@
     subject.idv_session.user_phone_confirmation_session = user_phone_confirmation_session
   end
 
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe '#new' do
     context 'user has not selected phone verification method' do
       before do

spec/controllers/idv/otp_verification_controller_spec.rb

@@ -29,6 +29,12 @@
     subject.idv_session.user_phone_confirmation_session = user_phone_confirmation_session
   end
 
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe '#show' do
     context 'the user has not been sent an otp' do
       let(:user_phone_confirmation_session) { nil }

spec/controllers/idv/phone_controller_spec.rb

@@ -21,6 +21,12 @@
     end
   end
 
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe '#new' do
     let(:user) do
       build(:user, :with_phone,

spec/controllers/idv/phone_errors_controller_spec.rb

@@ -1,6 +1,12 @@
 require 'rails_helper'
 
 shared_examples_for 'an idv phone errors controller action' do
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   context 'the user is authenticated and has not confirmed their phone' do
     it 'renders the error' do
       stub_sign_in

spec/controllers/idv/recovery_controller_spec.rb

@@ -18,6 +18,12 @@
     allow(@analytics).to receive(:track_event)
   end
 
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe 'unauthenticated', :skip_sign_in do
     it 'redirects to the root url' do
       get :index

spec/controllers/idv/resend_otp_controller_spec.rb

@@ -24,6 +24,12 @@
     subject.idv_session.user_phone_confirmation_session = user_phone_confirmation_session
   end
 
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe '#create' do
     context 'the user has not selected a delivery method' do
       let(:user_phone_confirmation_session) { nil }

spec/controllers/idv/review_controller_spec.rb

@@ -45,6 +45,10 @@
         :confirm_idv_steps_complete,
       )
     end
+
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
   end
 
   describe '#confirm_idv_steps_complete' do

spec/controllers/idv/session_errors_controller_spec.rb

@@ -64,6 +64,12 @@
     allow(controller).to receive(:idv_session).and_return(idv_session)
   end
 
+  describe 'before_actions' do
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
+  end
+
   describe '#warning' do
     let(:action) { :warning }
     let(:template) { 'idv/session_errors/warning' }

spec/controllers/idv/usps_controller_spec.rb

@@ -12,6 +12,10 @@
         :confirm_mail_not_spammed,
       )
     end
+
+    it 'includes before_actions from IdvSession' do
+      expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
+    end
   end
 
   describe '#index' do

spec/controllers/idv_controller_spec.rb

@@ -71,28 +71,43 @@
     end
 
     context 'no SP context' do
+      let(:user) { user = build(:user, password: ControllerHelper::VALID_PASSWORD) }
+
       before do
-        stub_sign_in
+        stub_sign_in(user)
         session[:sp] = {}
+        allow(LoginGov::Hostdata).to receive(:in_datacenter?).and_return(true)
+        allow(AppConfig.env).to receive(:sp_context_needed_environment).and_return('prod')
       end
 
       context 'prod environment' do
         before do
           allow(LoginGov::Hostdata).to receive(:env).and_return('prod')
-          allow(LoginGov::Hostdata).to receive(:in_datacenter?).and_return(true)
         end
 
         it 'redirects back to the account page' do
           get :index
 
           expect(response).to redirect_to account_url
         end
+
+        context 'user has an existing profile' do
+          let(:user) do
+            profile = create(:profile)
+            profile.user
+          end
+
+          it 'begins the identity proofing process' do
+            get :index
+
+            expect(response).to redirect_to idv_doc_auth_url
+          end
+        end
       end
 
       context 'non-prod environment' do
         before do
           allow(LoginGov::Hostdata).to receive(:env).and_return('staging')
-          allow(LoginGov::Hostdata).to receive(:in_datacenter?).and_return(true)
         end
 
         it 'begins the identity proofing process' do

spec/controllers/reactivate_account_controller_spec.rb

@@ -8,9 +8,7 @@
 
   describe 'before_actions' do
     it 'requires the user to be logged in' do
-      expect(subject).to have_actions(
-        :confirm_two_factor_authenticated,
-      )
+      expect(subject).to have_actions(:before, :confirm_two_factor_authenticated)
     end
   end
 

spec/controllers/users/verify_personal_key_controller_spec.rb

@@ -9,7 +9,7 @@
 
   describe 'before actions' do
     it 'only allows 2fa users through' do
-      expect(subject).to have_actions(:confirm_two_factor_authenticated)
+      expect(subject).to have_actions(:before, :confirm_two_factor_authenticated)
     end
   end
 

spec/support/matchers/have_actions.rb

@@ -29,6 +29,12 @@
 
 RSpec::Matchers.define :have_actions do |kind, *names|
   match do |controller|
+    if kind.blank? || names.blank?
+      message = "Must provide kind and an array of names to check for\n"
+      message += 'See spec/matchers/have_actions.rb for details'
+      raise ArgumentError.new(message)
+    end
+
     callbacks = controller._process_action_callbacks.select { |callback| callback.kind == kind }
 
     actions = callbacks.each_with_object([]) do |f, result|