From d59f306edfea79af2fbe4fc63302f8e84f30ddd9 Mon Sep 17 00:00:00 2001
From: Zach Margolis <zachary.margolis@gsa.gov>
Date: Thu, 22 Jul 2021 16:05:00 -0700
Subject: [PATCH 1/2] Allow idv/confirmations_controller #show and #download
 out of order (LG-4847)

---
 .../idv/confirmations_controller.rb           | 15 +++--------
 app/services/idv/session.rb                   |  2 --
 .../idv/confirmations_controller_spec.rb      | 26 ++++++++++++++-----
 3 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/app/controllers/idv/confirmations_controller.rb b/app/controllers/idv/confirmations_controller.rb
index cd6d7f38c5d..1dee23c6797 100644
--- a/app/controllers/idv/confirmations_controller.rb
+++ b/app/controllers/idv/confirmations_controller.rb
@@ -19,16 +19,10 @@ def update
     end
 
     def download
-      personal_key = user_session[:personal_key]
+      code = personal_key
 
-      analytics.track_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: personal_key.present?)
-
-      if personal_key.present?
-        data = personal_key + "\r\n"
-        send_data data, filename: 'personal_key.txt'
-      else
-        head :bad_request
-      end
+      analytics.track_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: code.present?)
+      send_data "#{code}\r\n", filename: 'personal_key.txt'
     end
 
     private
@@ -72,7 +66,6 @@ def add_proofing_component
     def finish_idv_session
       @code = personal_key
       user_session[:personal_key] = @code
-      idv_session.personal_key = nil
 
       if idv_session.address_verification_mechanism == 'gpo'
         flash.now[:success] = t('idv.messages.mail_sent')
@@ -83,7 +76,7 @@ def finish_idv_session
     end
 
     def personal_key
-      idv_session.personal_key || generate_personal_key
+      user_session[:personal_key] ||= generate_personal_key
     end
 
     def generate_personal_key
diff --git a/app/services/idv/session.rb b/app/services/idv/session.rb
index 4d27e2710aa..786ba920557 100644
--- a/app/services/idv/session.rb
+++ b/app/services/idv/session.rb
@@ -14,7 +14,6 @@ class Session
       profile_confirmation
       profile_id
       profile_step_params
-      personal_key
       resolution_successful
       step_attempts
     ].freeze
@@ -52,7 +51,6 @@ def create_profile_from_applicant_with_password(user_password)
       profile = profile_maker.save_profile
       self.pii = profile_maker.pii_attributes
       self.profile_id = profile.id
-      self.personal_key = profile.personal_key
     end
 
     def cache_encrypted_pii(password)
diff --git a/spec/controllers/idv/confirmations_controller_spec.rb b/spec/controllers/idv/confirmations_controller_spec.rb
index f7f7f3d131c..319bf2cbe90 100644
--- a/spec/controllers/idv/confirmations_controller_spec.rb
+++ b/spec/controllers/idv/confirmations_controller_spec.rb
@@ -21,7 +21,7 @@ def stub_idv_session
     profile = profile_maker.save_profile
     idv_session.pii = profile_maker.pii_attributes
     idv_session.profile_id = profile.id
-    idv_session.personal_key = profile.personal_key
+    subject.user_session[:personal_key] = profile.personal_key
     allow(subject).to receive(:idv_session).and_return(idv_session)
   end
 
@@ -95,7 +95,7 @@ def index
 
     it 'sets code instance variable' do
       subject.idv_session.create_profile_from_applicant_with_password(password)
-      code = subject.idv_session.personal_key
+      code = subject.user_session[:personal_key]
 
       get :show
 
@@ -226,7 +226,7 @@ def index
 
     it 'allows download of code' do
       subject.idv_session.create_profile_from_applicant_with_password(password)
-      code = subject.idv_session.personal_key
+      code = subject.user_session[:personal_key]
 
       get :show
       get :download
@@ -236,11 +236,25 @@ def index
       expect(@analytics).to have_logged_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: true)
     end
 
-    it 'is a bad request when there is no personal_key in the session' do
+    it 'can be called separately from #show' do
       get :download
 
-      expect(response).to be_bad_request
-      expect(@analytics).to have_logged_event(Analytics::IDV_DOWNLOAD_PERSONAL_KEY, success: false)
+      expect(response).to be_ok
+
+      code = subject.user_session[:personal_key]
+      expect(response.body).to eq(code + "\r\n")
+    end
+
+    it 'can be called out of order and have the same code as #show' do
+      subject.user_session[:personal_key] = nil
+
+      expect { get :download }.to change { subject.user_session[:personal_key] }.from(nil)
+
+      expect(response).to be_ok
+      code = response.body.chomp
+
+      get :show
+      expect(assigns(:code)).to eq(code)
     end
   end
 end

From 5a0d1d6cd2257af9336fb01b7812075005a0e9c2 Mon Sep 17 00:00:00 2001
From: Zach Margolis <zachary.margolis@gsa.gov>
Date: Thu, 22 Jul 2021 16:07:36 -0700
Subject: [PATCH 2/2] Remove redundant assignment

---
 app/controllers/idv/confirmations_controller.rb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/controllers/idv/confirmations_controller.rb b/app/controllers/idv/confirmations_controller.rb
index 1dee23c6797..aa6bdd1abab 100644
--- a/app/controllers/idv/confirmations_controller.rb
+++ b/app/controllers/idv/confirmations_controller.rb
@@ -65,7 +65,6 @@ def add_proofing_component
 
     def finish_idv_session
       @code = personal_key
-      user_session[:personal_key] = @code
 
       if idv_session.address_verification_mechanism == 'gpo'
         flash.now[:success] = t('idv.messages.mail_sent')