18F · aduth · Jul 8, 2022 · Jul 8, 2022 · Jul 8, 2022 · Jul 8, 2022
diff --git a/app/controllers/api/verify/password_confirm_controller.rb b/app/controllers/api/verify/password_confirm_controller.rb
@@ -4,16 +4,12 @@ class PasswordConfirmController < BaseController
       self.required_step = 'password_confirm'
 
       def create
-        result, personal_key = Api::ProfileCreationForm.new(
-          password: verify_params[:password],
-          jwt: verify_params[:user_bundle_token],
-          user_session: user_session,
-          service_provider: current_sp,
-        ).submit
+        result, personal_key = form.submit
 
         if result.success?
           user = User.find_by(uuid: result.extra[:user_uuid])
           add_proofing_component(user)
+          store_session_last_gpo_code(form.gpo_code)
           render json: {
             personal_key: personal_key,
             completion_url: completion_url(result),
@@ -25,6 +21,19 @@ def create
 
       private
 
+      def form
+        @form ||= Api::ProfileCreationForm.new(
+          password: verify_params[:password],
+          jwt: verify_params[:user_bundle_token],
+          user_session: user_session,
+          service_provider: current_sp,
+        )
+      end
+
+      def store_session_last_gpo_code(code)
+        session[:last_gpo_confirmation_code] = code if code && FeatureManagement.reveal_gpo_code?
+      end
+
       def verify_params
         params.permit(:password, :user_bundle_token)
       end

diff --git a/app/forms/api/profile_creation_form.rb b/app/forms/api/profile_creation_form.rb
@@ -6,9 +6,7 @@ class ProfileCreationForm
     validate :valid_user
     validate :valid_password
 
-    attr_reader :password, :user_bundle
-    attr_reader :user_session, :service_provider
-    attr_reader :profile
+    attr_reader :password, :user_bundle, :user_session, :service_provider, :profile, :gpo_code
 
     def initialize(password:, jwt:, user_session:, service_provider: nil)
       @password = password
@@ -80,6 +78,7 @@ def create_gpo_entry
         profile: profile,
       )
       confirmation_maker.perform
+      @gpo_code = confirmation_maker.otp if FeatureManagement.reveal_gpo_code?
     end
 
     def build_profile_maker

diff --git a/spec/controllers/api/verify/password_confirm_controller_spec.rb b/spec/controllers/api/verify/password_confirm_controller_spec.rb
@@ -42,7 +42,7 @@ def stub_idv_session
       end
 
       it 'creates a profile and returns a key and completion url' do
-        post :create, params: { password: 'iambatman', user_bundle_token: jwt }
+        post :create, params: { password: password, user_bundle_token: jwt }
         parsed_body = JSON.parse(response.body)
         expect(parsed_body).to include(
           'personal_key' => kind_of(String),
@@ -65,7 +65,7 @@ def stub_idv_session
         end
 
         it 'creates a profile and returns completion url' do
-          post :create, params: { password: 'iambatman', user_bundle_token: jwt }
+          post :create, params: { password: password, user_bundle_token: jwt }
 
           expect(JSON.parse(response.body)['completion_url']).to eq(sign_up_completed_url)
         end
@@ -75,11 +75,36 @@ def stub_idv_session
         let(:jwt_metadata) { { vendor_phone_confirmation: false, user_phone_confirmation: false } }
 
         it 'creates a profile and returns completion url' do
-          post :create, params: { password: 'iambatman', user_bundle_token: jwt }
+          post :create, params: { password: password, user_bundle_token: jwt }
 
           expect(JSON.parse(response.body)['completion_url']).to eq(idv_come_back_later_url)
         end
       end
+
+      context 'with gpo_code returned from form submission and reveal gpo feature enabled' do
+        let(:gpo_code) { SecureRandom.hex }
+
+        let(:form) do
+          Api::ProfileCreationForm.new(
+            password: password,
+            jwt: jwt,
+            user_session: {},
+            service_provider: {},
+          )
+        end
+
+        before do
+          allow(FeatureManagement).to receive(:reveal_gpo_code?).and_return(true)
+          allow(subject).to receive(:form).and_return(form)
+          allow(form).to receive(:gpo_code).and_return(gpo_code)
+        end
+
+        it 'sets code into the session' do
+          post :create, params: { password: password, user_bundle_token: jwt }
+
+          expect(session[:last_gpo_confirmation_code]).to eq(gpo_code)
+        end
+      end
     end
 
     context 'when the idv api is not enabled' do
@@ -88,7 +113,7 @@ def stub_idv_session
       end
 
       it 'responds with not found' do
-        post :create, params: { password: 'iambatman', user_bundle_token: jwt }, as: :json
+        post :create, params: { password: password, user_bundle_token: jwt }, as: :json
         expect(response.status).to eq 404
         expect(JSON.parse(response.body)['error']).
           to eq "The page you were looking for doesn't exist"

diff --git a/spec/forms/api/profile_creation_form_spec.rb b/spec/forms/api/profile_creation_form_spec.rb
@@ -108,6 +108,19 @@
 
           expect(profile.gpo_confirmation_codes.first_with_otp(gpo_otp)).not_to be_nil
         end
+
+        context 'with reveal_gpo_code? feature enabled' do
+          before do
+            allow(FeatureManagement).to receive(:reveal_gpo_code?).and_return(true)
+          end
+
+          it 'assigns gpo code' do
+            subject.submit
+            gpo_code = GpoConfirmation.last.entry[:otp]
+
+            expect(subject.gpo_code).to eq(gpo_code)
+          end
+        end
       end
     end