LG-7397 - Bugfix: Moved rate_limited events to be called before sign out.

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -21,34 +21,34 @@ def handle_second_factor_locked_user(type:, context: nil)
     analytics.multi_factor_auth_max_attempts
     event = PushNotification::MfaLimitAccountLockedEvent.new(user: current_user)
     PushNotification::HttpPush.deliver(event)
-    handle_max_attempts(type + '_login_attempts')
 
-    if context
+    if context && type
       if UserSessionContext.authentication_context?(context)
-        irs_attempts_api_tracker.mfa_login_rate_limited(type: type)
+        irs_attempts_api_tracker.mfa_login_rate_limited(mfa_device_type: type)
       elsif UserSessionContext.confirmation_context?(context)
-        irs_attempts_api_tracker.mfa_enroll_rate_limited(type: type)
+        irs_attempts_api_tracker.mfa_enroll_rate_limited(mfa_device_type: type)
       end
     end
+
+    handle_max_attempts(type + '_login_attempts')
   end
 
   def handle_too_many_otp_sends(phone: nil, context: nil)
     analytics.multi_factor_auth_max_sends
-    handle_max_attempts('otp_requests')
 
     if context && phone
       if UserSessionContext.authentication_context?(context)
         irs_attempts_api_tracker.mfa_login_phone_otp_sent_rate_limited(
           phone_number: phone,
-          success: true,
         )
       elsif UserSessionContext.confirmation_context?(context)
         irs_attempts_api_tracker.mfa_enroll_phone_otp_sent_rate_limited(
           phone_number: phone,
-          success: true,
         )
       end
     end
+
+    handle_max_attempts('otp_requests')
   end
 
   def handle_max_attempts(type)

app/services/irs_attempts_api/tracker_events.rb

@@ -196,13 +196,11 @@ def mfa_enroll_phone_otp_sent(phone_number:, success:)
     end
 
     # @param [String] phone_number - The user's phone number used for multi-factor authentication
-    # @param [Boolean] success - True if the user was locked out
     # The user has exceeded the rate limit for SMS OTP sends.
-    def mfa_enroll_phone_otp_sent_rate_limited(phone_number:, success:)
+    def mfa_enroll_phone_otp_sent_rate_limited(phone_number:)
       track_event(
         :mfa_enroll_phone_otp_sent_rate_limited,
         phone_number: phone_number,
-        success: success,
       )
     end
 
@@ -233,13 +231,13 @@ def mfa_enroll_piv_cac(
       )
     end
 
-    # @param [String] type - the type of multi-factor authentication used
+    # @param [String] mfa_device_type - the type of multi-factor authentication used
     # The user has exceeded the rate limit during enrollment
     # and account has been locked
-    def mfa_enroll_rate_limited(type:)
+    def mfa_enroll_rate_limited(mfa_device_type:)
       track_event(
         :mfa_enroll_rate_limited,
-        type: type,
+        mfa_device_type: mfa_device_type,
       )
     end
 
@@ -293,13 +291,11 @@ def mfa_login_phone_otp_sent(reauthentication:, phone_number:, success:)
     end
 
     # @param [String] phone_number - The user's phone number used for multi-factor authentication
-    # @param [Boolean] success - True if the user was locked out
     # The user has exceeded the rate limit for SMS OTP sends.
-    def mfa_login_phone_otp_sent_rate_limited(phone_number:, success:)
+    def mfa_login_phone_otp_sent_rate_limited(phone_number:)
       track_event(
         :mfa_login_phone_otp_sent_rate_limited,
         phone_number: phone_number,
-        success: success,
       )
     end
 
@@ -331,13 +327,13 @@ def mfa_login_piv_cac(
       )
     end
 
-    # @param [String] type - the type of multi-factor authentication used
+    # @param [String] mfa_device_type - the type of multi-factor authentication used
     # The user has exceeded the rate limit during verification
     # and account has been locked
-    def mfa_login_rate_limited(type:)
+    def mfa_login_rate_limited(mfa_device_type:)
       track_event(
         :mfa_login_rate_limited,
-        type: type,
+        mfa_device_type: mfa_device_type,
       )
     end
 

spec/controllers/two_factor_authentication/backup_code_verification_controller_spec.rb

@@ -143,7 +143,7 @@
           with('Multi-Factor Authentication: max attempts reached')
 
         expect(@irs_attempts_api_tracker).to receive(:mfa_login_rate_limited).
-          with(type: 'backup_code')
+          with(mfa_device_type: 'backup_code')
 
         expect(PushNotification::HttpPush).to receive(:deliver).
           with(PushNotification::MfaLimitAccountLockedEvent.new(user: subject.current_user))

spec/controllers/two_factor_authentication/otp_verification_controller_spec.rb

@@ -180,7 +180,7 @@
           with({ reauthentication: false, success: false })
 
         expect(@irs_attempts_api_tracker).to receive(:mfa_login_rate_limited).
-          with(type: 'otp')
+          with(mfa_device_type: 'otp')
 
         post :create, params:
         { code: '12345',
@@ -486,7 +486,7 @@
 
               stub_attempts_tracker
               expect(@irs_attempts_api_tracker).to receive(:mfa_enroll_rate_limited).
-                with(type: 'otp')
+                with(mfa_device_type: 'otp')
 
               post :create, params: { code: '12345', otp_delivery_preference: 'sms' }
             end

spec/controllers/two_factor_authentication/personal_key_verification_controller_spec.rb

@@ -160,7 +160,7 @@
           with('Multi-Factor Authentication: max attempts reached')
 
         expect(@irs_attempts_api_tracker).to receive(:mfa_login_rate_limited).
-          with(type: 'personal_key')
+          with(mfa_device_type: 'personal_key')
 
         expect(PushNotification::HttpPush).to receive(:deliver).
           with(PushNotification::MfaLimitAccountLockedEvent.new(user: subject.current_user))

spec/controllers/two_factor_authentication/piv_cac_verification_controller_spec.rb

@@ -193,7 +193,7 @@
           with('Multi-Factor Authentication: enter PIV CAC visited', attributes)
 
         expect(@irs_attempts_api_tracker).to receive(:mfa_login_rate_limited).
-          with(type: 'piv_cac')
+          with(mfa_device_type: 'piv_cac')
 
         submit_attributes = {
           success: false,

spec/controllers/two_factor_authentication/totp_verification_controller_spec.rb

@@ -99,7 +99,7 @@
           with(:mfa_login_totp, success: false)
 
         expect(@irs_attempts_api_tracker).to receive(:mfa_login_rate_limited).
-          with(type: 'totp')
+          with(mfa_device_type: 'totp')
 
         expect(PushNotification::HttpPush).to receive(:deliver).
           with(PushNotification::MfaLimitAccountLockedEvent.new(user: subject.current_user))

spec/controllers/users/two_factor_authentication_controller_spec.rb

@@ -365,7 +365,7 @@ def index
 
         stub_attempts_tracker
         expect(@irs_attempts_api_tracker).to receive(:mfa_login_phone_otp_sent_rate_limited).
-          with(phone_number: '+12025551212', success: true)
+          with(phone_number: '+12025551212')
 
         freeze_time do
           (IdentityConfig.store.otp_delivery_blocklist_maxretry + 1).times do
@@ -575,7 +575,7 @@ def index
 
         stub_attempts_tracker
         expect(@irs_attempts_api_tracker).to receive(:mfa_enroll_phone_otp_sent_rate_limited).
-          with(phone_number: '+12025551213', success: true)
+          with(phone_number: '+12025551213')
 
         freeze_time do
           (IdentityConfig.store.otp_delivery_blocklist_maxretry + 1).times do