LG-9429: Avoid sending new device notification before fully registered#8270
spec/factories/users.rb
what if we renamed this for clarity/consistency?
| trait :signed_up do | |
| trait :fully_registered do |
Yeah, that seems like a good idea, though I suspect it might touch a ton of files. I'd probably create a quick follow-on pull request for that.
c6f00f8 to 93989ef
Sending a video of a possible issue over Slack.
For posterity, the issue is that the notification is still being sent when using backup codes as the selected MFA method. I'll take a look at this (and other MFA methods) to see what's going on.
The issue seems to stem from when the I think we'll need to either...
Digging into this, @zachmargolis shared that the original concern that the data would not exist for accounts created before the table was created is not actually an issue, since the data has been backfilled. I reverted to this approach in c813c8b, which also addresses the bug where an email would still be sent when selecting certain MFAs. I manually tested this across all MFA types, but am also open to some suggestions as far as test coverage. I'd like to have some regression coverage for this, though also there's not much precedent for this level of feature testing of all aspects of all features across all potential MFA methods. It would be nice if the behavior contained in
changelog: Bug Fixes, Account Creation, Avoid sending "New Sign-In" email when finishing registration on a second device
Previously moved away as suspected it may be unreliable for historical accounts, but it has been backfilled
c813c8b to 42db4d7
🎫 Ticket
LG-9429
🛠 Summary of changes
Updates device notification logic to avoid sending new device notifications prior to the user being fully registered, so that a user doesn't receive a "New Sign-In" notification if they complete account registration on a second device, which is common if they were to start the process on a computer and complete it on their phone.
DRAFT: Leaving this as draft for now because, while I think "fully registered" aligning to the RegistrationLog record makes a lot of sense, it's unclear if this is reliable enough to exist for users who have existed since prior to the introduction of that table in #3121. Instead, it may make more sense to have it reflect the presence of any MFAs, essentially aliasing fully_registered? to two_factor_enabled? or using the method directly (though I think "fully registered" adds some clarity of intent). Updated as of b7661d0.
📜 Testing Plan
Before: An email notification is sent about "New sign-in" to your account
After: No email is sent about "New sign-in" to your account when the user is in the middle of account creation
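The gating described in the summary, as an added sketch that is not code from this pull request or the project: it compares a registration-record gate with an MFA-presence gate on one constructed two-device sign-up. The `User` struct, `new_device_notification`, `run_scenario`, and the order in which the MFA method is stored before registration is recorded are all assumptions made for illustration.

```ruby
require 'set'

# Constructed model, not the project's classes. registered_at stands in for the
# RegistrationLog record; known_devices for devices already seen on the account.
User = Struct.new(:email, :registered_at, :mfa_methods, :known_devices, keyword_init: true) do
  # "Fully registered" tied to the registration record.
  def fully_registered?
    !registered_at.nil?
  end

  # The alternative considered in the draft note: any MFA method present.
  def two_factor_enabled?
    !mfa_methods.empty?
  end
end

# Hypothetical helper: remembers the device and returns the email to send, or
# nil. `gate` names the predicate used to decide the account counts as registered.
def new_device_notification(user, device_id, gate: :fully_registered?)
  first_seen = user.known_devices.add?(device_id) # nil when already known
  return nil unless first_seen && user.public_send(gate)

  { to: user.email, template: :new_sign_in }
end

# Constructed scenario: registration starts on a computer and finishes on a
# phone; a later sign-in comes from a tablet. Assumes the device check runs
# after the MFA method is stored but before registration is recorded.
def run_scenario(gate)
  user = User.new(email: 'user@example.com', registered_at: nil,
                  mfa_methods: [], known_devices: Set.new)
  sent = {}
  sent[:computer_start] = new_device_notification(user, 'computer', gate: gate)
  user.mfa_methods << :backup_code
  sent[:phone_finish] = new_device_notification(user, 'phone', gate: gate)
  user.registered_at = Time.now # registration completes
  sent[:phone_again] = new_device_notification(user, 'phone', gate: gate)
  sent[:tablet_later] = new_device_notification(user, 'tablet', gate: gate)
  sent
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(:fully_registered?)
  p run_scenario(:two_factor_enabled?)
end
```

A regression spec built on the same shape would assert that the mid-registration step sends nothing while the later sign-in from an unseen device still does, so the alert is suppressed only during account creation.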