From c222cd44e403ed02f81f153c718075fb58eac351 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Fri, 8 Oct 2021 09:30:39 -0500
Subject: [PATCH 1/4] allow "bots" to log events
---
 config/initializers/ahoy.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/initializers/ahoy.rb b/config/initializers/ahoy.rb
index 6e2f32221d1..f6536015e79 100644
--- a/config/initializers/ahoy.rb
+++ b/config/initializers/ahoy.rb
@@ -6,6 +6,7 @@
 Ahoy.server_side_visits = false
 Ahoy.geocode = false
 Ahoy.user_agent_parser = :device_detector
+Ahoy.track_bots = true
 module Ahoy
 class Store < Ahoy::BaseStore
From ccd06d035fc6c206dc2c2ec6986b20be61fcb934 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Fri, 8 Oct 2021 09:31:54 -0500
Subject: [PATCH 2/4] Add separate error for token expiration
---
 app/forms/openid_connect_token_form.rb | 12 +++++++++---
 config/locales/openid_connect/en.yml | 6 +++---
 spec/forms/openid_connect_token_form_spec.rb | 2 +-
 3 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/app/forms/openid_connect_token_form.rb b/app/forms/openid_connect_token_form.rb
index f7918dcfc62..bfdeab33f71 100644
--- a/app/forms/openid_connect_token_form.rb
+++ b/app/forms/openid_connect_token_form.rb
@@ -22,6 +22,7 @@ class OpenidConnectTokenForm
 in: [CLIENT_ASSERTION_TYPE],
 if: :private_key_jwt?
+ validate :validate_expired
 validate :validate_code
 validate :validate_pkce_or_private_key_jwt
 validate :validate_code_verifier, if: :pkce?
@@ -61,14 +62,13 @@ def url_options
 private
- attr_reader :identity
+ attr_reader :identity, :session_expiration
 def find_identity_with_code
 return if code.blank? || code.include?("\x00")
- session_expiration = IdentityConfig.store.session_timeout_in_minutes.minutes.ago
+ @session_expiration = IdentityConfig.store.session_timeout_in_minutes.minutes.ago
 @identity = ServiceProviderIdentity.where(session_uuid: code).
- where('updated_at >= ?', session_expiration).
 order(updated_at: :desc).first
 end
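Review bot: `Ahoy.track_bots = true` is added without a comment, so the next reader cannot tell whether the intent is to analyse crawler traffic or to stop dropping legitimate clients that device_detector misclassifies — the quoted "bots" in the subject hints at the latter, but nothing in the file records it. A comment such as `# Record visits/events even for user agents device_detector classifies as bots; see <ticket placeholder>` would preserve the reason. Since real crawler traffic now lands in the same visit/event tables, it is worth confirming that storage growth and any bot filtering in downstream reports were considered.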
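Review bot: Dropping `where('updated_at >= ?', session_expiration)` from `find_identity_with_code` means an expired ServiceProviderIdentity is now loaded into `@identity` and only rejected later by `validate_expired`, so any method of this form that reads `identity` without first calling `valid?` (none is visible in the hunk; the class continues outside it) would act on an expired session. The query deserves a comment making that contract explicit: `# Not filtered by expiry on purpose: validate_expired reports an expired code separately, so never use identity before valid?`. Listing the new `attr_reader :session_expiration` under `private` is right, since it is only an input to validation.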
@@ -94,6 +94,12 @@ def validate_pkce_or_private_key_jwt
 errors.add :code, t('openid_connect.token.errors.invalid_authentication')
 end
+ def validate_expired
+ if identity&.updated_at && identity.updated_at < session_expiration
+ errors.add :code, t('openid_connect.token.errors.expired_code')
+ end
+ end
+
 def validate_code
 errors.add :code, t('openid_connect.token.errors.invalid_code') if identity.blank? || !identity.user
diff --git a/config/locales/openid_connect/en.yml b/config/locales/openid_connect/en.yml
index 80d99d89b74..4b64a5e9439 100644
--- a/config/locales/openid_connect/en.yml
+++ b/config/locales/openid_connect/en.yml
@@ -22,12 +22,12 @@ en:
 id_token_hint: id_token_hint was not recognized
 token:
 errors:
+ expired_code: is expired
 invalid_aud: Invalid audience claim, expected %{url}
 invalid_authentication: Client must authenticate via PKCE or private_key_jwt, missing either code_challenge or client_assertion
- invalid_code: is invalid either because it expired, or it doesn’t match any
- user. Please see our documentation at
- https://developers.login.gov/oidc/#token
+ invalid_code: is invalid because doesn’t match any user. Please see our
+ documentation at https://developers.login.gov/oidc/#token
 invalid_code_verifier: code_verifier did not match code_challenge
 invalid_iat: iat must be an integer or floating point Unix timestamp representing a time in the past
diff --git a/spec/forms/openid_connect_token_form_spec.rb b/spec/forms/openid_connect_token_form_spec.rb
index a873ff0e15d..3ff40d46b17 100644
--- a/spec/forms/openid_connect_token_form_spec.rb
+++ b/spec/forms/openid_connect_token_form_spec.rb
@@ -102,7 +102,7 @@
 it 'is invalid' do
 expect(valid?).to eq(false)
- expect(form.errors[:code]).to include(t('openid_connect.token.errors.invalid_code'))
+ expect(form.errors[:code]).to eq([t('openid_connect.token.errors.expired_code')])
 end
 end
From a7116fac783e4dfe1ae62a20fc48df68a5dd8588 Mon Sep 17 00:00:00 2001
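Review bot: `validate_expired` measures the code's age from `identity.updated_at`, so the cutoff is the last time the ServiceProviderIdentity row was saved rather than when the authorization code was issued; if anything else touches that row (not visible here) the code's validity window silently extends, and a record whose `updated_at` is nil is treated as unexpired by the `identity&.updated_at` guard. Both facts deserve a comment on the method, e.g. `# Expiry is keyed off updated_at (last save of the identity), not code issuance; a nil updated_at is treated as current`. The check reads `session_expiration` through the private reader, so it depends on `find_identity_with_code` having run first — worth a word in the same comment.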
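Review bot: The rewritten `invalid_code` string drops its subject — "is invalid because doesn’t match any user" — and should read `invalid_code: is invalid because it doesn’t match any user. Please see our` with the following wrapped line unchanged. With `expired_code` now covering the expiry case, narrowing this message to the no-match case is otherwise correct.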
From: Mitchell Henke
Date: Fri, 8 Oct 2021 10:31:44 -0500
Subject: [PATCH 3/4] set expiration in initialize
---
 app/forms/openid_connect_token_form.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/forms/openid_connect_token_form.rb b/app/forms/openid_connect_token_form.rb
index bfdeab33f71..17cc4b92187 100644
--- a/app/forms/openid_connect_token_form.rb
+++ b/app/forms/openid_connect_token_form.rb
@@ -32,6 +32,7 @@ def initialize(params)
 ATTRS.each do |key|
 instance_variable_set(:"@#{key}", params[key])
 end
+ @session_expiration = IdentityConfig.store.session_timeout_in_minutes.minutes.ago
 @identity = find_identity_with_code
 end
@@ -67,7 +68,6 @@ def url_options
 def find_identity_with_code
 return if code.blank? || code.include?("\x00")
- @session_expiration = IdentityConfig.store.session_timeout_in_minutes.minutes.ago
 @identity = ServiceProviderIdentity.where(session_uuid: code).
 order(updated_at: :desc).first
 end
From cdf45248169bd17b02e270770c4d41dbc3308f7e Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Fri, 8 Oct 2021 11:10:46 -0500
Subject: [PATCH 4/4] translate errors
---
 config/locales/openid_connect/es.yml | 6 +++---
 config/locales/openid_connect/fr.yml | 7 ++++---
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/config/locales/openid_connect/es.yml b/config/locales/openid_connect/es.yml
index 986d0c114ca..caf9b6527d2 100644
--- a/config/locales/openid_connect/es.yml
+++ b/config/locales/openid_connect/es.yml
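Review bot: `@session_expiration` is now fixed in `initialize`, so the cutoff is frozen when the form is built rather than when `validate_expired` runs; that is fine for a form constructed and validated in one request, but the name reads like a session attribute while the value is a "last-updated-before-this-is-expired" timestamp. A comment at the assignment would make it unambiguous: `# Cutoff timestamp: identities last updated before this are rejected by validate_expired`. `initialize` ends inside the hunk; the second hunk in this patch is the matching removal from `find_identity_with_code` and needs no separate note.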
@@ -22,12 +22,12 @@ es:
 id_token_hint: Id_token_hint no fue reconocido
 token:
 errors:
+ expired_code: ha expirado
 invalid_aud: Solicitud de audiencia no válida, esperada %{url}
 invalid_authentication: El cliente debe autenticarse a través de PKCE o private_key_jwt, faltando code_challenge o client_assertion
- invalid_code: no es válido porque ha caducado o no coincide con ningún usuario.
- Consulte nuestra documentación en
- https://developers.login.gov/oidc/#token
+ invalid_code: no es válido porque no coincide con ningún usuario. Consulte
+ nuestra documentación en https://developers.login.gov/oidc/#token
 invalid_code_verifier: code_verifier no coincide con code_challenge
 invalid_iat: iat debe ser una marca de tiempo Unix de punto flotante o entero que represente un tiempo en el pasado
diff --git a/config/locales/openid_connect/fr.yml b/config/locales/openid_connect/fr.yml
index 5495dd1bd3b..84b20776555 100644
--- a/config/locales/openid_connect/fr.yml
+++ b/config/locales/openid_connect/fr.yml
@@ -22,12 +22,13 @@ fr:
 id_token_hint: id_token_hint n’a pas été reconnu
 token:
 errors:
+ expired_code: est expiré
 invalid_aud: Affirmation liée à l’auditoire non valide, attendu %{url}
 invalid_authentication: Le client doit s’authentifier par PKCE ou private_key_jwt, code_challenge ou client_assertion manquant
- invalid_code: est non valide soit parce qu’il est périmé, soit parce qu’il ne
- correspond à aucun utilisateur. Veuillez consulter notre documentation
- à https://developers.login.gov/oidc/#token
+ invalid_code: n’est pas valide, car il ne correspond à aucun utilisateur.
+ Veuillez consulter notre documentation à
+ https://developers.login.gov/oidc/#token
 invalid_code_verifier: code_verifier ne correspondait pas à code_challenge
 invalid_iat: iat doit être un horodatage Unix entier ou à virgule flottante représentant une heure dans le passé