18F · mitchellhenke · May 6, 2022 · May 6, 2022 · May 6, 2022
diff --git a/app/controllers/two_factor_authentication/otp_verification_controller.rb b/app/controllers/two_factor_authentication/otp_verification_controller.rb
@@ -5,6 +5,7 @@ class OtpVerificationController < ApplicationController
 
     before_action :check_sp_required_mfa_bypass
     before_action :confirm_multiple_factors_enabled
+    before_action :redirect_if_blank_phone, only: [:show]
     before_action :confirm_voice_capability, only: [:show]
 
     def show
@@ -35,6 +36,13 @@ def create
 
     private
 
+    def redirect_if_blank_phone
+      return if phone.present?
+
+      flash[:error] = t('errors.messages.phone_required')
+      redirect_to new_user_session_path
+    end
+
     def confirm_multiple_factors_enabled
       return if UserSessionContext.confirmation_context?(context) || phone_enabled?
 

diff --git a/app/controllers/users/two_factor_authentication_controller.rb b/app/controllers/users/two_factor_authentication_controller.rb
@@ -5,6 +5,7 @@ class TwoFactorAuthenticationController < ApplicationController
 
     before_action :check_remember_device_preference
     before_action :redirect_to_vendor_outage_if_phone_only, only: [:show]
+    before_action :redirect_if_blank_phone, only: [:send_code]
 
     def show
       service_provider_mfa_requirement_redirect || non_phone_redirect || phone_redirect ||
@@ -127,6 +128,13 @@ def redirect_to_otp_verification_with_error
       )
     end
 
+    def redirect_if_blank_phone
+      return if phone_to_deliver_to.present?
+
+      flash[:error] = t('errors.messages.phone_required')
+      redirect_to login_two_factor_options_path
+    end
+
     def redirect_to_vendor_outage_if_phone_only
       return unless VendorStatus.new.all_phone_vendor_outage? &&
                     phone_enabled? &&

diff --git a/spec/controllers/two_factor_authentication/options_controller_spec.rb b/spec/controllers/two_factor_authentication/options_controller_spec.rb
@@ -64,6 +64,12 @@
       expect(response).to redirect_to login_two_factor_webauthn_url(platform: true)
     end
 
+    it 'sets phone_id in session when selecting a phone option' do
+      post :create, params: { two_factor_options_form: { selection: 'sms_0' } }
+
+      expect(controller.user_session[:phone_id]).to eq('0')
+    end
+
     it 'rerenders the page with errors on failure' do
       post :create, params: { two_factor_options_form: { selection: 'foo' } }
 

diff --git a/spec/controllers/two_factor_authentication/otp_verification_controller_spec.rb b/spec/controllers/two_factor_authentication/otp_verification_controller_spec.rb
@@ -31,6 +31,15 @@
           expect(assigns(:code_value)).to be_nil
         end
       end
+
+      context 'when the user has an invalid phone number in the session' do
+        it 'redirects to homepage' do
+          controller.user_session[:phone_id] = 0
+
+          get :show, params: { otp_delivery_preference: 'sms' }
+          expect(response).to redirect_to new_user_session_path
+        end
+      end
     end
 
     it 'tracks the page visit and context' do

diff --git a/spec/controllers/users/two_factor_authentication_controller_spec.rb b/spec/controllers/users/two_factor_authentication_controller_spec.rb
@@ -440,6 +440,23 @@ def index
                                          otp_make_default_number: nil },
         }
       end
+
+      context 'when selecting specific phone configuration' do
+        before do
+          user = create(:user, :signed_up)
+          sign_in_before_2fa(user)
+        end
+      end
+
+      it 'redirects to two factor options path with invalid id' do
+        controller.user_session[:phone_id] = 0
+
+        get :send_code, params: {
+          otp_delivery_selection_form: { otp_delivery_preference: 'voice' },
+        }
+
+        expect(response).to redirect_to(login_two_factor_options_path)
+      end
     end
 
     context 'phone is not confirmed' do