From e2d608c2e92863743a63334ded420874f85353b2 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Fri, 21 Apr 2023 14:23:31 -0500
Subject: [PATCH 1/6] add failing spec
---
 spec/features/users/sign_up_spec.rb | 10 ++++++++++
 spec/support/features/session_helper.rb | 8 ++++++++
 2 files changed, 18 insertions(+)
diff --git a/spec/features/users/sign_up_spec.rb b/spec/features/users/sign_up_spec.rb
index fdb1ad2bf32..e8e0aa1d808 100644
--- a/spec/features/users/sign_up_spec.rb
+++ b/spec/features/users/sign_up_spec.rb
@@ -363,4 +363,14 @@ def clipboard_text
 select_2fa_option('piv_cac')
 expect(page).to_not have_content(t('two_factor_authentication.piv_cac_fallback.question'))
 end
+
+ it 'allows a user to sign up with backup codes and add methods after without reauthentication' do
+ sign_in_user
+ set_up_2fa_with_backup_codes
+ skip_second_mfa_prompt
+
+ expect(page).to have_current_path account_path
+ visit add_phone_path
+ expect(page).to have_current_path add_phone_path
+ end
 end
diff --git a/spec/support/features/session_helper.rb b/spec/support/features/session_helper.rb
index b59b9cceae5..23fd8b0f3a9 100644
--- a/spec/support/features/session_helper.rb
+++ b/spec/support/features/session_helper.rb
@@ -567,6 +567,14 @@ def set_up_2fa_with_authenticator_app
 click_button 'Submit'
 end
+ def set_up_2fa_with_backup_codes
+ select_2fa_option('backup_code')
+
+ expect(page).to have_current_path backup_code_setup_path
+
+ click_button 'Continue'
+ end
+
 def register_user_with_piv_cac(email = 'test@test.com')
 confirm_email_and_password(email)
 expect(page).to have_current_path authentication_methods_setup_path
From 2347f24f4fc4db91a4c2305f32a3a32dc0c85a34 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Fri, 21 Apr 2023 13:35:24 -0500
Subject: [PATCH 2/6] set auth_method in backup code setup
---
 app/controllers/users/backup_code_setup_controller.rb | 1 +
 1 file changed, 1 insertion(+)
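Review bot: `set_up_2fa_with_backup_codes` asserts the page before `click_button 'Continue'` but nothing after it, so if Continue lands somewhere unexpected the failure only surfaces in a later step of the calling spec rather than in this helper. The neighbouring helpers are cut off at the hunk edges, so I cannot tell whether they assert the post-click page; adding an expectation on the page reached after Continue (presumably the one that shows the generated codes) would localize failures, e.g. `expect(page).to have_current_path <path shown after Continue>`. The enclosing module starts outside the hunk.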
diff --git a/app/controllers/users/backup_code_setup_controller.rb b/app/controllers/users/backup_code_setup_controller.rb
index d23288b7cb4..67c2f4d2391 100644
--- a/app/controllers/users/backup_code_setup_controller.rb
+++ b/app/controllers/users/backup_code_setup_controller.rb
@@ -112,6 +112,7 @@ def user_opted_remember_device_cookie
 end
 def mark_user_as_fully_authenticated
+ user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::BACKUP_CODE
 user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
 user_session[:authn_at] = Time.zone.now
 end
From 257c64a52a47e8309908a3b52598cd69a6eff484 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Mon, 24 Apr 2023 16:04:45 -0500
Subject: [PATCH 3/6] failing spec
---
 spec/features/users/sign_up_spec.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/spec/features/users/sign_up_spec.rb b/spec/features/users/sign_up_spec.rb
index e8e0aa1d808..f6a55c43fe6 100644
--- a/spec/features/users/sign_up_spec.rb
+++ b/spec/features/users/sign_up_spec.rb
@@ -245,6 +245,18 @@ def clipboard_text
 expect(page).to have_current_path account_path
 end
+ it 'allows a user to sign up with PIV/CAC and only verifying once when HSPD12 is requested' do
+ visit_idp_from_oidc_sp_with_hspd12_and_require_piv_cac
+ sign_up_and_set_password
+ set_up_2fa_with_piv_cac
+ skip_second_mfa_prompt
+ click_agree_and_continue
+
+ redirect_uri = URI(current_url)
+
+ expect(redirect_uri.to_s).to start_with('http://localhost:7654/auth/result')
+ end
+
 it 'does not allow PIV/CAC during setup on mobile' do
 allow(BrowserCache).to receive(:parse).and_return(mobile_device)
From 014cec1389aacdbd3145ebe35f84f67e9d2fa036 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Mon, 24 Apr 2023 16:06:50 -0500
Subject: [PATCH 4/6] mark user as authenticated after setting up PIV/CAC
---
 .../users/piv_cac_authentication_setup_controller.rb | 8 ++++++++
 1 file changed, 8 insertions(+)
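Review bot: `mark_user_as_fully_authenticated` in backup_code_setup_controller.rb now carries, apart from the constant, the same three-line body that patch 4 adds to piv_cac_authentication_setup_controller.rb and patch 6 rewrites in webauthn_setup_controller.rb, so the rule for what "fully authenticated" writes to the session lives in three places. A single helper in a shared concern taking the method as an argument, `def mark_user_as_fully_authenticated(auth_method)` with `user_session[:auth_method] = auth_method` next to the NEED_AUTHENTICATION and authn_at writes, would keep the three in step (the webauthn controller would pick the constant from `form.platform_authenticator?` before calling it). The caller of this method is outside the hunk, so it is not visible whether it runs only once the codes have actually been generated; a one-line comment stating that precondition, `# Call only after the backup codes exist: this records backup codes as the session's satisfied MFA method and clears the reauthentication requirement`, would make the intent explicit to the next maintainer.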
diff --git a/app/controllers/users/piv_cac_authentication_setup_controller.rb b/app/controllers/users/piv_cac_authentication_setup_controller.rb
index 46097f97fe2..be6e8bc5263 100644
--- a/app/controllers/users/piv_cac_authentication_setup_controller.rb
+++ b/app/controllers/users/piv_cac_authentication_setup_controller.rb
@@ -118,6 +118,7 @@ def user_piv_cac_form
 end
 def process_valid_submission
+ mark_user_as_fully_authenticated
 flash[:success] = t('notices.piv_cac_configured')
 save_piv_cac_information(
 subject: user_piv_cac_form.x509_dn,
@@ -131,6 +132,13 @@ def process_valid_submission
 redirect_to next_setup_path || final_path
 end
+ def mark_user_as_fully_authenticated
+ user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::PIV_CAC
+
+ user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
+ user_session[:authn_at] = Time.zone.now
+ end
+
 def track_mfa_method_added
 mfa_user = MfaContext.new(current_user)
 analytics.multi_factor_auth_added_piv_cac(
From 25d7a6da9c8b953660e92ebbcfd756b951772f54 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Mon, 1 May 2023 11:06:03 -0500
Subject: [PATCH 5/6] Ensure authentication method is stored when setting up backup codes or PIV/CAC
changelog: Bug Fixes, Authentication, Ensure authentication method is stored when setting up backup codes or PIV/CAC
From 73fbb652afa1dce1913155e8bab9e92c2f7e39d4 Mon Sep 17 00:00:00 2001
From: Mitchell Henke
Date: Mon, 1 May 2023 16:16:31 -0500
Subject: [PATCH 6/6] differentiate between webauthn and webauthn platform when assigning auth_method in webautn setup controller
---
 app/controllers/users/webauthn_setup_controller.rb | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/app/controllers/users/webauthn_setup_controller.rb b/app/controllers/users/webauthn_setup_controller.rb
index ff6b34e64f0..dba77f9450f 100644
--- a/app/controllers/users/webauthn_setup_controller.rb
+++ b/app/controllers/users/webauthn_setup_controller.rb
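Review bot: `mark_user_as_fully_authenticated` is called on the first line of `process_valid_submission`, before `save_piv_cac_information(` runs, so the session is flagged MFA-complete with PIV_CAC as its auth method before the credential has been persisted. If the save can fail without raising — its result handling lies outside the hunk, so this cannot be confirmed here — the user would hold a fully authenticated session attributed to a PIV/CAC that was never configured. Moving the call to just before `redirect_to next_setup_path || final_path`, after the save has completed, keeps the session flag tied to a stored credential; the webauthn controller in patch 6 likewise marks the user after its form processing. The remainder of process_valid_submission, including the rest of the save call, is outside this hunk.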
@@ -162,7 +162,7 @@ def process_valid_webauthn(form)
 platform_authenticator: form.platform_authenticator?,
 enabled_mfa_methods_count: mfa_user.enabled_mfa_methods_count,
 )
- mark_user_as_fully_authenticated
+ mark_user_as_fully_authenticated(form)
 handle_remember_device
 if form.platform_authenticator?
 Funnel::Registration::AddMfa.call(current_user.id, 'webauthn_platform', analytics)
@@ -171,7 +171,6 @@ def process_valid_webauthn(form)
 Funnel::Registration::AddMfa.call(current_user.id, 'webauthn', analytics)
 flash[:success] = t('notices.webauthn_configured')
 end
- user_session[:auth_method] = 'webauthn'
 redirect_to next_setup_path || after_mfa_setup_path
 end
@@ -202,7 +201,13 @@ def process_invalid_webauthn(form)
 render :new
 end
- def mark_user_as_fully_authenticated
+ def mark_user_as_fully_authenticated(form)
+ if form.platform_authenticator?
+ user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM
+ else
+ user_session[:auth_method] = TwoFactorAuthenticatable::AuthMethod::WEBAUTHN
+ end
+
 user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION] = false
 user_session[:authn_at] = Time.zone.now
 end
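Review bot: The `if`/`else` in the new `mark_user_as_fully_authenticated(form)` assigns the same session key in both branches, which reads more directly as one assignment, `user_session[:auth_method] = form.platform_authenticator? ? TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM : TwoFactorAuthenticatable::AuthMethod::WEBAUTHN`. Note also that the removed `user_session[:auth_method] = 'webauthn'` in the second hunk stored one value for both authenticator kinds, so platform authenticators now record WEBAUTHN_PLATFORM instead; any reader of `user_session[:auth_method]` that matched only the webauthn value would see different behaviour and should be checked (no such reader is visible here). A short comment on the method saying that it both records the MFA method that satisfied this session and clears the reauthentication requirement, `# Records which WebAuthn variant satisfied MFA and clears NEED_AUTHENTICATION`, would help the next reader see why the two writes belong together.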