Redirect to sign in from authentication controllers#8173
Merged
Conversation
mitchellhenke
approved these changes
Apr 11, 2023
Contributor
mitchellhenke
left a comment
mitchellhenke
left a comment
There was a problem hiding this comment.
This rules 👏🏼 👏🏼 👏🏼 👏🏼 👏🏼
aduth
commented
Apr 11, 2023
Comment on lines
56
to
59
Contributor
Author
There was a problem hiding this comment.
Couple thoughts:
- Maybe the device expired should take priority here (at least if checking second-factor), if it was running as the last thing in the method previously?
- Is
user_fully_authenticated?still accurate with the new redirect and removal of the MFA policy method? Or should the user only be redirected to sign in if there's no sign-in at all (i.e. haven't entered username/password)
Suggested change
| if !user_fully_authenticated? | |
| redirect_to new_user_session_url | |
| elsif remember_device_expired_for_sp? | |
| redirect_to user_two_factor_authentication_url | |
| if !user_signed_in? | |
| redirect_to new_user_session_url | |
| elsif remember_device_expired_for_sp? | |
| redirect_to user_two_factor_authentication_url |
Contributor
There was a problem hiding this comment.
The case where user_fully_authenticated? is false and user_signed_in? would happen if there was an email/password auth, but not 2FA? I think it would be fine to be stricter and switch to user_signed_in?
I think the elsif would have to change though:
- elsif remember_device_expired_for_sp?
+ elsif user_fully_authenticated? && remember_device_expired_for_sp?
Contributor
Author
There was a problem hiding this comment.
Hmm, yeah, you might be right about that. I pushed the first half in f86ff64, but curious to see if any existing tests fail, and will dig into overlap between remember device + fully authenticated.
Contributor
Author
Avoid unnecessary request_id query parameter and associated logic changelog: Internal, Authentication, Remove request_id query parameter when redirecting to Sign In
See: https://github.com/18F/identity-idp/pull/8173/files#r1162986549 This is also more similar to how it behaved previously in ApplicationController#user_needs_new_session_with_request_id?
aduth
force-pushed
the
aduth-request-id-init-redirect
branch
from
101fbdd to
17e0755
Compare
See: #8173 (comment) Maintain consistency with prior implementation
Allows better control over how confirm_two_factor_authenticated is called in sequence with other relevant checks
aduth
commented
Apr 12, 2023
mitchellhenke
approved these changes
Apr 14, 2023
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🛠 Summary of changes
Updates the logic for redirecting during a partner-initiated authentication in order to remove the
request_idquery parameter, since the request ID will have already been saved to the session at this point.This is a follow-up to #8137 (comment) :
📜 Testing Plan