18F · mitchellhenke · Jul 27, 2022 · Jul 25, 2022 · Jul 26, 2022 · Jul 26, 2022
diff --git a/app/controllers/concerns/mfa_setup_concern.rb b/app/controllers/concerns/mfa_setup_concern.rb
@@ -58,6 +58,7 @@ def mfa_context
   end
 
   def suggest_second_mfa?
+    return false unless user_session[:mfa_selections]
     mfa_selection_count < 2 && mfa_context.enabled_mfa_methods_count < 2
   end
 

diff --git a/app/controllers/users/additional_mfa_required_controller.rb b/app/controllers/users/additional_mfa_required_controller.rb
@@ -1,7 +1,10 @@
 module Users
   class AdditionalMfaRequiredController < ApplicationController
+    include SecureHeadersConcern
     extend ActiveSupport::Concern
 
+    before_action :confirm_user_fully_authenticated
+
     def show
       @content = AdditionalMfaRequiredPresenter.new(current_user: current_user)
       analytics.non_restricted_mfa_required_prompt_visited
@@ -24,5 +27,11 @@ def skip
     def enforcement_date
       @enforcement_date ||= IdentityConfig.store.kantara_restriction_enforcement_date
     end
+
+    def confirm_user_fully_authenticated
+      unless user_fully_authenticated?
+        return confirm_two_factor_authenticated(sp_session[:request_id])
+      end
+    end
   end
 end
diff --git a/app/controllers/users/mfa_selection_controller.rb b/app/controllers/users/mfa_selection_controller.rb
@@ -1,6 +1,7 @@
 module Users
   class MfaSelectionController < ApplicationController
     include UserAuthenticator
+    include SecureHeadersConcern
     include MfaSetupConcern
 
     before_action :authenticate_user

diff --git a/spec/controllers/users/additional_mfa_required_controller_spec.rb b/spec/controllers/users/additional_mfa_required_controller_spec.rb
@@ -7,15 +7,21 @@
     allow(IdentityConfig.store).
       to receive(:kantara_2fa_phone_existing_user_restriction).
       and_return(true)
-    stub_sign_in(user)
   end
 
   describe '#show' do
     it 'presents the additional mfa required prompt page.' do
+      stub_sign_in(user)
       get :show
 
       expect(response.status).to eq 200
     end
+
+    it 'does not allow unauthenticated users' do
+      get :show
+
+      expect(response).to redirect_to(new_user_session_path)
+    end
   end
 
   describe '#skip' do
@@ -24,8 +30,10 @@
       allow(IdentityConfig.store).to receive(:kantara_restriction_enforcement_date).
       and_return(enforcement_date)
     end
+
     context 'before enforcement date' do
       it 'should redirect to user signin' do
+        stub_sign_in(user)
         post :skip
         expect(response).to redirect_to account_url
       end
@@ -35,18 +43,26 @@
       let(:enforcement_date) { Time.zone.today - 6.days }
 
       it 'should redirect user to sign in' do
+        stub_sign_in(user)
         post :skip
 
         expect(response).to redirect_to account_url
       end
 
       it 'should add sign in attribute to users' do
+        stub_sign_in(user)
         post :skip
 
         user.reload
         expect(user.non_restricted_mfa_required_prompt_skip_date).
         to eq Time.zone.today
       end
+
+      it 'does not allow unauthenticated users' do
+        post :skip
+
+        expect(response).to redirect_to(new_user_session_path)
+      end
     end
   end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -58,6 +58,7 @@ def mfa_context @@
       end
       def suggest_second_mfa?
+        return false unless user_session[:mfa_selections]
         mfa_selection_count < 2 && mfa_context.enabled_mfa_methods_count < 2
       end
@@ Expand Down @@