From dfb2a347dbb2c22349d7497de0e91a54075438fb Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Wed, 31 May 2023 15:46:01 -0400 Subject: [PATCH 01/24] changelog: Bug Fixes, Account information, Show non obfuscated view when u reauthenticate --- app/controllers/concerns/remember_device_concern.rb | 2 +- app/controllers/concerns/two_factor_authenticatable.rb | 2 +- .../concerns/two_factor_authenticatable_methods.rb | 4 ++++ app/controllers/mfa_confirmation_controller.rb | 1 + .../two_factor_authentication/otp_verification_controller.rb | 1 + 5 files changed, 8 insertions(+), 2 deletions(-) diff --git a/app/controllers/concerns/remember_device_concern.rb b/app/controllers/concerns/remember_device_concern.rb index efc1b6bf5e3..7f23c182dbd 100644 --- a/app/controllers/concerns/remember_device_concern.rb +++ b/app/controllers/concerns/remember_device_concern.rb @@ -62,7 +62,7 @@ def expired_for_interval?(user, interval) end remember_cookie = remember_device_cookie return true if remember_cookie.nil? - + !remember_cookie.valid_for_user?( user: user, expiration_interval: interval, diff --git a/app/controllers/concerns/two_factor_authenticatable.rb b/app/controllers/concerns/two_factor_authenticatable.rb index 250f2221c53..657df2d7db4 100644 --- a/app/controllers/concerns/two_factor_authenticatable.rb +++ b/app/controllers/concerns/two_factor_authenticatable.rb @@ -37,7 +37,7 @@ def self.phishing_resistant?(auth_method) # rubocop:disable Rails/LexicallyScopedActionFilter before_action :authenticate_user before_action :require_current_password, if: :current_password_required? - before_action :check_already_authenticated + before_action :check_already_authenticated, unless: :in_reauthn_flow? before_action :reset_attempt_count_if_user_no_longer_locked_out, only: :create before_action :apply_secure_headers_override, only: %i[show create] # rubocop:enable Rails/LexicallyScopedActionFilter 
diff --git a/app/controllers/concerns/two_factor_authenticatable_methods.rb b/app/controllers/concerns/two_factor_authenticatable_methods.rb index 7f41a55e785..f7ae6a60e53 100644 --- a/app/controllers/concerns/two_factor_authenticatable_methods.rb +++ b/app/controllers/concerns/two_factor_authenticatable_methods.rb @@ -158,6 +158,10 @@ def handle_valid_verification_for_confirmation_context(auth_method:) reset_second_factor_attempts_count end + def in_reauthn_flow? + user_session[:reauthn] + end + def handle_valid_verification_for_authentication_context(auth_method:) user_session[:auth_method] = auth_method mark_user_session_authenticated(:valid_2fa) diff --git a/app/controllers/mfa_confirmation_controller.rb b/app/controllers/mfa_confirmation_controller.rb index a5f21c3ccef..6557bc950b4 100644 --- a/app/controllers/mfa_confirmation_controller.rb +++ b/app/controllers/mfa_confirmation_controller.rb @@ -22,6 +22,7 @@ def skip def new session[:password_attempts] ||= 0 + user_session[:reauthn] = true end def create diff --git a/app/controllers/two_factor_authentication/otp_verification_controller.rb b/app/controllers/two_factor_authentication/otp_verification_controller.rb index 0f9eb65d4e4..08183b86fd3 100644 --- a/app/controllers/two_factor_authentication/otp_verification_controller.rb +++ b/app/controllers/two_factor_authentication/otp_verification_controller.rb @@ -46,6 +46,7 @@ def handle_valid_confirmation_otp handle_valid_verification_for_confirmation_context( auth_method: params[:otp_delivery_preference], ) + user_session[:reauthn] = false flash[:success] = t('notices.phone_confirmed') redirect_to next_setup_path || after_mfa_setup_path end From 8c666734f61bf3bd139a3875e48e799143a2dbe6 Mon Sep 17 00:00:00 2001 
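Review bot: `user_session[:reauthn]` is set to true when `MfaConfirmationController#new` renders, before any credential has been checked, and is only reset in `handle_valid_confirmation_otp`, which is the phone-confirmation (setup) path rather than the authentication path, so an abandoned confirm page or a reauthentication with any non-phone method leaves `check_already_authenticated` (disabled via `unless: :in_reauthn_flow?` in patch 01's first hunk) switched off for the rest of the session. If the flag is kept it should be cleared on the shared authentication success path — `handle_valid_verification_for_authentication_context` appears to be that path in this hunk — and on sign-out, e.g. `user_session[:reauthn] = false`. Patches 03 and 04 remove this mechanism in favour of `user_session[:context]`.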
From: Malick Diarra Date: Mon, 5 Jun 2023 12:25:35 -0400 Subject: [PATCH 02/24] LG-9869: allow authenticate to view work --- app/controllers/concerns/remember_device_concern.rb | 2 +- app/controllers/mfa_confirmation_controller.rb | 3 ++- app/presenters/account_show_presenter.rb | 1 + 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/app/controllers/concerns/remember_device_concern.rb b/app/controllers/concerns/remember_device_concern.rb index 7f23c182dbd..efc1b6bf5e3 100644 --- a/app/controllers/concerns/remember_device_concern.rb +++ b/app/controllers/concerns/remember_device_concern.rb @@ -62,7 +62,7 @@ def expired_for_interval?(user, interval) end remember_cookie = remember_device_cookie return true if remember_cookie.nil? - + !remember_cookie.valid_for_user?( user: user, expiration_interval: interval, diff --git a/app/controllers/mfa_confirmation_controller.rb b/app/controllers/mfa_confirmation_controller.rb index 6557bc950b4..d3abb90568d 100644 --- a/app/controllers/mfa_confirmation_controller.rb +++ b/app/controllers/mfa_confirmation_controller.rb @@ -22,7 +22,8 @@ def skip def new session[:password_attempts] ||= 0 - user_session[:reauthn] = true + user_session[:context] = 'reauthentication' + user_session[:current_password_required] = true end def create diff --git a/app/presenters/account_show_presenter.rb b/app/presenters/account_show_presenter.rb index 17ac0ccbd5c..a71a14215ff 100644 --- a/app/presenters/account_show_presenter.rb +++ b/app/presenters/account_show_presenter.rb @@ -1,4 +1,5 @@ class AccountShowPresenter + include ReauthenticationRequiredConcern attr_reader :user, :decrypted_pii, :personal_key, :locked_for_session, :pii, :sp_session_request_url, :sp_name From 1d603479213a11dbb9569c2b298c40863c4b6838 Mon Sep 17 00:00:00 2001 
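Review bot: `ReauthenticationRequiredConcern` is included into `AccountShowPresenter`, a plain presenter with no controller context; if, like the other concerns in this series, it registers `before_action` hooks or reads `user_session`, it cannot function there and the gate belongs in the controller that builds the presenter (patch 04 removes the include). In the same commit `MfaConfirmationController#new` sets `user_session[:current_password_required] = true` on a GET, which together with `before_action :require_current_password, if: :current_password_required?` is fail-closed but means merely visiting the confirm page forces a password re-entry on later 2FA pages until `handle_valid_password` clears it; confirm that is intended and mark it with `# forces password re-entry on the 2FA controllers until handle_valid_password resets it`.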
From: Malick Diarra Date: Mon, 5 Jun 2023 13:36:01 -0400 Subject: [PATCH 03/24] remove unneeded methods --- app/controllers/concerns/two_factor_authenticatable.rb | 2 +- .../concerns/two_factor_authenticatable_methods.rb | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/app/controllers/concerns/two_factor_authenticatable.rb b/app/controllers/concerns/two_factor_authenticatable.rb index 657df2d7db4..250f2221c53 100644 --- a/app/controllers/concerns/two_factor_authenticatable.rb +++ b/app/controllers/concerns/two_factor_authenticatable.rb @@ -37,7 +37,7 @@ def self.phishing_resistant?(auth_method) # rubocop:disable Rails/LexicallyScopedActionFilter before_action :authenticate_user before_action :require_current_password, if: :current_password_required? - before_action :check_already_authenticated, unless: :in_reauthn_flow? + before_action :check_already_authenticated before_action :reset_attempt_count_if_user_no_longer_locked_out, only: :create before_action :apply_secure_headers_override, only: %i[show create] # rubocop:enable Rails/LexicallyScopedActionFilter diff --git a/app/controllers/concerns/two_factor_authenticatable_methods.rb b/app/controllers/concerns/two_factor_authenticatable_methods.rb index f7ae6a60e53..7f41a55e785 100644 --- a/app/controllers/concerns/two_factor_authenticatable_methods.rb +++ b/app/controllers/concerns/two_factor_authenticatable_methods.rb @@ -158,10 +158,6 @@ def handle_valid_verification_for_confirmation_context(auth_method:) reset_second_factor_attempts_count end - def in_reauthn_flow? - user_session[:reauthn] - end - def handle_valid_verification_for_authentication_context(auth_method:) user_session[:auth_method] = auth_method mark_user_session_authenticated(:valid_2fa) From 5334f57ba546c2deef41bc3705a4dd2fca17690f Mon Sep 17 00:00:00 2001 
From: Malick Diarra Date: Mon, 5 Jun 2023 13:36:45 -0400 Subject: [PATCH 04/24] reauthn fix --- .../two_factor_authentication/otp_verification_controller.rb | 1 - app/presenters/account_show_presenter.rb | 1 - 2 files changed, 2 deletions(-) diff --git a/app/controllers/two_factor_authentication/otp_verification_controller.rb b/app/controllers/two_factor_authentication/otp_verification_controller.rb index 08183b86fd3..0f9eb65d4e4 100644 --- a/app/controllers/two_factor_authentication/otp_verification_controller.rb +++ b/app/controllers/two_factor_authentication/otp_verification_controller.rb @@ -46,7 +46,6 @@ def handle_valid_confirmation_otp handle_valid_verification_for_confirmation_context( auth_method: params[:otp_delivery_preference], ) - user_session[:reauthn] = false flash[:success] = t('notices.phone_confirmed') redirect_to next_setup_path || after_mfa_setup_path end diff --git a/app/presenters/account_show_presenter.rb b/app/presenters/account_show_presenter.rb index a71a14215ff..17ac0ccbd5c 100644 --- a/app/presenters/account_show_presenter.rb +++ b/app/presenters/account_show_presenter.rb @@ -1,5 +1,4 @@ class AccountShowPresenter - include ReauthenticationRequiredConcern attr_reader :user, :decrypted_pii, :personal_key, :locked_for_session, :pii, :sp_session_request_url, :sp_name From 56cca83cb72d22e84f7f7cdf44738434fe3ba360 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Wed, 7 Jun 2023 10:32:48 -0400 Subject: [PATCH 05/24] add rspec to check that functionality is working --- spec/features/users/user_profile_spec.rb | 44 ++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index 65404010c36..d9cad8bfa03 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb 
@@ -181,4 +181,48 @@ expect(current_path).to eq(account_history_path) end end + + context 'allows verified user to see their information' do + let(:pii) { { ssn: '1234', dob: '1920-01-01' } } + context 'time between sign in and remember device' do + it 'does not have prompt to authenticate device' do + profile = create(:profile, :active, :verified, pii: pii) + sign_in_user(profile.user) + check t('forms.messages.remember_device') + fill_in_code_with_last_phone_otp + click_submit_default + visit account_path + expect(page).to_not have_link(t('account.re_verify.footer')) + end + end + + context 'when time expired' do + before do + allow(IdentityConfig.store).to receive(:pii_lock_timeout_in_minutes).and_return(1) + end + it 'has a prompt to authenticate device' do + profile = create(:profile, :active, :verified, pii: pii) + user = profile.user + sign_in_user(user) + + check t('forms.messages.remember_device') + fill_in_code_with_last_phone_otp + click_submit_default + + timeout_in_minutes = IdentityConfig.store.pii_lock_timeout_in_minutes.to_i + travel_to((timeout_in_minutes + 26).minutes.from_now) do + sign_in_user(user) + visit account_path + expect(page).to have_link(t('account.re_verify.footer')) + expect(page).to_not have_content('January 01, 1920') + click_link t('account.re_verify.footer') + fill_in t('account.index.password'), with: user.password + click_button t('forms.buttons.continue') + fill_in_code_with_last_phone_otp + click_submit_default + expect(page).to have_content('January 01, 1920') + end + end + end + end end From c13b4e48deddb849f884d94038b6e8a4893c59f7 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Thu, 8 Jun 2023 09:36:49 -0400 Subject: [PATCH 06/24] just do reauthntication context --- app/controllers/mfa_confirmation_controller.rb | 1 - 1 file changed, 1 deletion(-) diff --git a/app/controllers/mfa_confirmation_controller.rb b/app/controllers/mfa_confirmation_controller.rb index d3abb90568d..b79fd559063 100644 
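Review bot: Both examples decide whether PII is locked solely by the presence of the literal DOB string; the fixture also seeds `ssn: '1234'` and nothing asserts that it, or any other PII field, stays hidden after the timeout, so a regression that leaks a different field would still pass. If the account page renders other PII, add a matching `expect(page).to_not have_content(...)` for it next to the DOB check. The first example never asserts that PII is visible before the timeout, so it proves only that the link is absent, not that the unlocked view actually shows the data.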
--- a/app/controllers/mfa_confirmation_controller.rb +++ b/app/controllers/mfa_confirmation_controller.rb @@ -23,7 +23,6 @@ def skip def new session[:password_attempts] ||= 0 user_session[:context] = 'reauthentication' - user_session[:current_password_required] = true end def create From 622554241af4228b27c3f003f1188ed0e9b8deff Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Mon, 12 Jun 2023 10:47:43 -0400 Subject: [PATCH 07/24] user profile spec updates --- spec/features/users/user_profile_spec.rb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index d4e3f309077..3f5ba103694 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb @@ -183,7 +183,7 @@ end context 'allows verified user to see their information' do - let(:pii) { { ssn: '1234', dob: '1920-01-01' } } + let(:pii) { Idp::Constants::MOCK_IDV_APPLICANT } context 'time between sign in and remember device' do it 'does not have prompt to authenticate device' do profile = create(:profile, :active, :verified, pii: pii) @@ -193,13 +193,11 @@ click_submit_default visit account_path expect(page).to_not have_link(t('account.re_verify.footer')) + expect(page).to have_content('January 01, 1920') end end context 'when time expired' do - before do - allow(IdentityConfig.store).to receive(:pii_lock_timeout_in_minutes).and_return(1) - end it 'has a prompt to authenticate device' do profile = create(:profile, :active, :verified, pii: pii) user = profile.user @@ -210,7 +208,7 @@ click_submit_default timeout_in_minutes = IdentityConfig.store.pii_lock_timeout_in_minutes.to_i - travel_to((timeout_in_minutes + 26).minutes.from_now) do + travel_to((timeout_in_minutes + 1).minutes.from_now) do sign_in_user(user) visit account_path expect(page).to have_link(t('account.re_verify.footer')) From b63577288e5986981cf1b8bea41317342174c1f5 Mon Sep 17 00:00:00 2001 
From: Malick Diarra Date: Mon, 12 Jun 2023 11:56:16 -0400 Subject: [PATCH 08/24] failing tests fix --- .../email_language_preference_spec.rb | 67 ++++++++++--------- 1 file changed, 34 insertions(+), 33 deletions(-) diff --git a/spec/features/visitors/email_language_preference_spec.rb b/spec/features/visitors/email_language_preference_spec.rb index bfc15258b57..ce9cee89366 100644 --- a/spec/features/visitors/email_language_preference_spec.rb +++ b/spec/features/visitors/email_language_preference_spec.rb 
@@ -1,45 +1,46 @@ require 'rails_helper' - -describe 'visitor signs up with email language preference' do - it 'defaults to the current locale' do - visit sign_up_email_path - - field = page.find_field( - t('account.email_language.default', language: t("i18n.locale.#{I18n.default_locale}")), - ) - expect(field).to be_present - expect(field[:lang]).to eq(I18n.default_locale.to_s) - (I18n.available_locales - [I18n.default_locale]).each do |locale| - field = page.find_field(t("i18n.locale.#{locale}")) +RSpec.feature 'Email confirmation during sign up' do + describe 'visitor signs up with email language preference' do + it 'defaults to the current locale' do + visit sign_up_email_path + + field = page.find_field( + t('account.email_language.default', language: t("i18n.locale.#{I18n.default_locale}")), + ) expect(field).to be_present - expect(field[:lang]).to eq(locale.to_s) - end + expect(field[:lang]).to eq(I18n.default_locale.to_s) + (I18n.available_locales - [I18n.default_locale]).each do |locale| + field = page.find_field(t("i18n.locale.#{locale}")) + expect(field).to be_present + expect(field[:lang]).to eq(locale.to_s) + end - visit sign_up_email_path(:es) + visit sign_up_email_path(:es) - field = page.find_field(t('account.email_language.default', language: t('i18n.locale.es'))) - expect(field).to be_present - expect(field[:lang]).to eq('es') - (I18n.available_locales - [:es]).each do |locale| - field = page.find_field(t("i18n.locale.#{locale}")) + field = page.find_field(t('account.email_language.default', language: t('i18n.locale.es'))) expect(field).to be_present - expect(field[:lang]).to eq(locale.to_s) + expect(field[:lang]).to eq('es') + (I18n.available_locales - [:es]).each do |locale| + field = page.find_field(t("i18n.locale.#{locale}")) + expect(field).to be_present + expect(field[:lang]).to eq(locale.to_s) + end end - end - it 'sends emails in the selected language' do - email = 'test@example.com' + it 'sends emails in the selected language' do + email 
= 'test@example.com' - visit sign_up_email_path - choose t('i18n.locale.es') - check t('sign_up.terms', app_name: APP_NAME) - fill_in t('forms.registration.labels.email'), with: email - click_button t('forms.buttons.submit.default') + visit sign_up_email_path + choose t('i18n.locale.es') + check t('sign_up.terms', app_name: APP_NAME) + fill_in t('forms.registration.labels.email'), with: email + click_button t('forms.buttons.submit.default') - emails = unread_emails_for(email) + emails = unread_emails_for(email) - expect(emails.last.subject).to eq( - t('user_mailer.email_confirmation_instructions.subject', locale: :es), - ) + expect(emails.last.subject).to eq( + t('user_mailer.email_confirmation_instructions.subject', locale: :es), + ) + end end end From cd50691f5459884abbbcd808c01586b18aed53f2 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Mon, 12 Jun 2023 12:01:58 -0400 Subject: [PATCH 09/24] email preference --- spec/features/visitors/email_language_preference_spec.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/features/visitors/email_language_preference_spec.rb b/spec/features/visitors/email_language_preference_spec.rb index ce9cee89366..29e4e296e15 100644 --- a/spec/features/visitors/email_language_preference_spec.rb +++ b/spec/features/visitors/email_language_preference_spec.rb @@ -1,5 +1,5 @@ require 'rails_helper' -RSpec.feature 'Email confirmation during sign up' do +RSpec.feature 'Email language Preference' do describe 'visitor signs up with email language preference' do it 'defaults to the current locale' do visit sign_up_email_path From 6cd2726d74e6484b752bcfd3c8d005c6ebe9af49 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Mon, 12 Jun 2023 13:12:42 -0400 Subject: [PATCH 10/24] reauthn redirects to two_factor_login_path --- app/controllers/mfa_confirmation_controller.rb | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) 
diff --git a/app/controllers/mfa_confirmation_controller.rb b/app/controllers/mfa_confirmation_controller.rb index b79fd559063..40f2433bde6 100644 --- a/app/controllers/mfa_confirmation_controller.rb +++ b/app/controllers/mfa_confirmation_controller.rb @@ -45,11 +45,7 @@ def password end def handle_valid_password - if current_user.auth_app_configurations.any? - redirect_to login_two_factor_authenticator_url(reauthn: true) - else - redirect_to user_two_factor_authentication_url(reauthn: true) - end + redirect_to login_two_factor_options_path(reauthn: true) session[:password_attempts] = 0 user_session[:current_password_required] = false end From f7ab4971f5339ac00d9863cb555d729d3e2b57de Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Mon, 12 Jun 2023 14:07:07 -0400 Subject: [PATCH 11/24] user profile spec dob --- spec/features/users/user_profile_spec.rb | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index 3f5ba103694..977c6daf436 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb 
@@ -183,25 +183,29 @@ end context 'allows verified user to see their information' do - let(:pii) { Idp::Constants::MOCK_IDV_APPLICANT } context 'time between sign in and remember device' do it 'does not have prompt to authenticate device' do - profile = create(:profile, :active, :verified, pii: pii) + profile = create(:profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT) sign_in_user(profile.user) check t('forms.messages.remember_device') fill_in_code_with_last_phone_otp click_submit_default visit account_path expect(page).to_not have_link(t('account.re_verify.footer')) - expect(page).to have_content('January 01, 1920') + + dob = Idp::Constants::MOCK_IDV_APPLICANT[:dob] + parsed_date = DateParser.parse_legacy(dob).to_formatted_s(:long) + expect(page).to have_content(parsed_date) end end context 'when time expired' do it 'has a prompt to authenticate device' do - profile = create(:profile, :active, :verified, pii: pii) + profile = create(:profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT) user = profile.user sign_in_user(user) + dob = Idp::Constants::MOCK_IDV_APPLICANT[:dob] + parsed_date = DateParser.parse_legacy(dob).to_formatted_s(:long) check t('forms.messages.remember_device') fill_in_code_with_last_phone_otp @@ -212,13 +216,13 @@ sign_in_user(user) visit account_path expect(page).to have_link(t('account.re_verify.footer')) - expect(page).to_not have_content('January 01, 1920') + expect(page).to_not have_content(parsed_date) click_link t('account.re_verify.footer') fill_in t('account.index.password'), with: user.password click_button t('forms.buttons.continue') fill_in_code_with_last_phone_otp click_submit_default - expect(page).to have_content('January 01, 1920') + expect(page).to have_content(parsed_date) end end end From efb81b40f6748682e12f2dbdbdfed37cc2ec9410 Mon Sep 17 00:00:00 2001 
From: Malick Diarra Date: Mon, 12 Jun 2023 14:49:55 -0400 Subject: [PATCH 12/24] fix profile --- spec/features/users/user_profile_spec.rb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index 977c6daf436..e9b4e0e4e7e 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb @@ -183,9 +183,10 @@ end context 'allows verified user to see their information' do + let(:pii) { dob: Idp::Constants::MOCK_IDV_APPLICANT[:dob]} context 'time between sign in and remember device' do it 'does not have prompt to authenticate device' do - profile = create(:profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT) + profile = create(:profile, :active, :verified, pii: pii) sign_in_user(profile.user) check t('forms.messages.remember_device') fill_in_code_with_last_phone_otp @@ -201,7 +202,7 @@ context 'when time expired' do it 'has a prompt to authenticate device' do - profile = create(:profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT) + profile = create(:profile, :active, :verified, pii: pii) user = profile.user sign_in_user(user) dob = Idp::Constants::MOCK_IDV_APPLICANT[:dob] From 4ff535faabd809326c8a21de3b38705a2b9b9d16 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Tue, 13 Jun 2023 09:32:53 -0400 Subject: [PATCH 13/24] fix email language spec --- .../email_language_preference_spec.rb | 49 +++++++++---------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/spec/features/visitors/email_language_preference_spec.rb b/spec/features/visitors/email_language_preference_spec.rb index 94fab36bd6c..e64e096af45 100644 --- a/spec/features/visitors/email_language_preference_spec.rb +++ b/spec/features/visitors/email_language_preference_spec.rb 
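Review bot: `let(:pii) { dob: Idp::Constants::MOCK_IDV_APPLICANT[:dob]}` is not valid Ruby — a bare `key: value` pair inside a block is a syntax error, so the hash braces must be explicit: `let(:pii) { { dob: Idp::Constants::MOCK_IDV_APPLICANT[:dob] } }`. The second example also re-reads `Idp::Constants::MOCK_IDV_APPLICANT[:dob]` into a local `dob` instead of `pii[:dob]`, so the fixture and the expectation can drift apart. Patch 14's pre-image already passes `MOCK_IDV_APPLICANT_WITH_PHONE` directly, so this `let` appears to have been replaced between the two patches.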
@@ -12,39 +12,34 @@ (I18n.available_locales - [I18n.default_locale]).each do |locale| field = page.find_field(t("i18n.locale.#{locale}")) expect(field).to be_present - expect(field[:lang]).to eq(I18n.default_locale.to_s) - (I18n.available_locales - [I18n.default_locale]).each do |locale| - field = page.find_field(t("i18n.locale.#{locale}")) - expect(field).to be_present - expect(field[:lang]).to eq(locale.to_s) - end + expect(field[:lang]).to eq(locale.to_s) + end - visit sign_up_email_path(:es) + visit sign_up_email_path(:es) - field = page.find_field(t('account.email_language.default', language: t('i18n.locale.es'))) + field = page.find_field(t('account.email_language.default', language: t('i18n.locale.es'))) + expect(field).to be_present + expect(field[:lang]).to eq('es') + (I18n.available_locales - [:es]).each do |locale| + field = page.find_field(t("i18n.locale.#{locale}")) expect(field).to be_present - expect(field[:lang]).to eq('es') - (I18n.available_locales - [:es]).each do |locale| - field = page.find_field(t("i18n.locale.#{locale}")) - expect(field).to be_present - expect(field[:lang]).to eq(locale.to_s) - end + expect(field[:lang]).to eq(locale.to_s) end + end - it 'sends emails in the selected language' do - email = 'test@example.com' + it 'sends emails in the selected language' do + email = 'test@example.com' - visit sign_up_email_path - choose t('i18n.locale.es') - check t('sign_up.terms', app_name: APP_NAME) - fill_in t('forms.registration.labels.email'), with: email - click_button t('forms.buttons.submit.default') + visit sign_up_email_path + choose t('i18n.locale.es') + check t('sign_up.terms', app_name: APP_NAME) + fill_in t('forms.registration.labels.email'), with: email + click_button t('forms.buttons.submit.default') - emails = unread_emails_for(email) + emails = unread_emails_for(email) - expect(emails.last.subject).to eq( - t('user_mailer.email_confirmation_instructions.subject', locale: :es), - ) - end + expect(emails.last.subject).to eq( + 
t('user_mailer.email_confirmation_instructions.subject', locale: :es), + ) end -end +end \ No newline at end of file From 7b062d38083dcd5f7516c8460ebc84118417e3d1 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Tue, 13 Jun 2023 09:49:43 -0400 Subject: [PATCH 14/24] fix rubocop --- spec/features/users/user_profile_spec.rb | 10 ++++++++-- .../visitors/email_language_preference_spec.rb | 2 +- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index 46809a0add9..396c8c7b0fc 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb @@ -185,7 +185,10 @@ context 'allows verified user to see their information' do context 'time between sign in and remember device' do it 'does not have prompt to authenticate device' do - profile = create(:profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE) + profile = create( + :profile, :active, :verified, + pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE + ) sign_in_user(profile.user) check t('forms.messages.remember_device') fill_in_code_with_last_phone_otp @@ -201,7 +204,10 @@ context 'when time expired' do it 'has a prompt to authenticate device' do - profile = create(:profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE) + profile = create( + :profile, :active, :verified, + pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE + ) user = profile.user sign_in_user(user) dob = Idp::Constants::MOCK_IDV_APPLICANT[:dob] diff --git a/spec/features/visitors/email_language_preference_spec.rb b/spec/features/visitors/email_language_preference_spec.rb index e64e096af45..cf45ee6d841 100644 --- a/spec/features/visitors/email_language_preference_spec.rb +++ b/spec/features/visitors/email_language_preference_spec.rb @@ -42,4 +42,4 @@ t('user_mailer.email_confirmation_instructions.subject', locale: :es), ) end -end \ No newline at end of file +end 
From 4f6550462654be3d5871e2a096ae83ce6967fb75 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Thu, 15 Jun 2023 10:04:58 -0400 Subject: [PATCH 15/24] use a reverity to show controller to reauthenticate --- .../accounts/reverify_to_show_pii_controller.rb | 11 +++++++++++ app/views/accounts/_pii.html.erb | 9 +++++++-- config/routes.rb | 1 + 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 app/controllers/accounts/reverify_to_show_pii_controller.rb diff --git a/app/controllers/accounts/reverify_to_show_pii_controller.rb b/app/controllers/accounts/reverify_to_show_pii_controller.rb new file mode 100644 index 00000000000..c84dd4a9620 --- /dev/null +++ b/app/controllers/accounts/reverify_to_show_pii_controller.rb @@ -0,0 +1,11 @@ +class Accounts::ReverifyToShowPiiController < ApplicationController + include RememberDeviceConcern + before_action :confirm_two_factor_authenticated + + def create + user_session[:stored_location] = account_url + user_session[:context] = 'reauthentication' + + redirect_to login_two_factor_options_path(reauthn: true) + end + end diff --git a/app/views/accounts/_pii.html.erb b/app/views/accounts/_pii.html.erb index 6bf05dae6cd..4bb91a87cd0 100644 --- a/app/views/accounts/_pii.html.erb +++ b/app/views/accounts/_pii.html.erb @@ -4,8 +4,13 @@
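Review bot: This entry point sends the user straight to `login_two_factor_options_path(reauthn: true)` and skips the password step that the `user_password_confirm_path` link it replaces went through (the feature spec in patch 05 fills in the password on that path, and patch 18's spec drops that step), so the bar for unlocking PII after the lock timeout drops from password plus MFA to MFA alone; that should be confirmed as the intended policy and, if so, recorded in a class comment such as `# Re-verifies the session with a second factor only; unlocking PII does not require the password`. `include RememberDeviceConcern` is not referenced by anything in the class body, and the closing `end` is indented one level too deep (patch 18 removes both). The POST route plus `before_action :confirm_two_factor_authenticated` is the right shape for a state-changing action.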
<%= t('account.re_verify.banner') %> - - <%= link_to(t('account.re_verify.footer'), user_password_confirm_path) %> + <%= render ButtonComponent.new( + action: ->(**tag_options, &block) do + button_to(reverify_to_show_pii_path, **tag_options, &block) + end, + method: :post, + class: 'usa-button usa-button--unstyled padding-y-1', + ).with_content(t('account.re_verify.footer')) %>
diff --git a/config/routes.rb b/config/routes.rb index 4db943f727f..0bb1d945092 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -185,6 +185,7 @@ as: :risc_configuration get '/account' => 'accounts#show' + post '/account/reverify_to_show_pii' => 'accounts/reverify_to_show_pii#create', as: :reverify_to_show_pii get '/account/connected_accounts' => 'accounts/connected_accounts#show' get '/account/devices/:id/events' => 'events#show', as: :account_events get '/account/delete' => 'users/delete#show', as: :account_delete From 828ec6075403ff21bc4b7aa121e7aeba854bf01a Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Thu, 15 Jun 2023 11:46:31 -0400 Subject: [PATCH 16/24] revert back mfa confirmation controller --- app/controllers/mfa_confirmation_controller.rb | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/app/controllers/mfa_confirmation_controller.rb b/app/controllers/mfa_confirmation_controller.rb index 40f2433bde6..b79fd559063 100644 --- a/app/controllers/mfa_confirmation_controller.rb +++ b/app/controllers/mfa_confirmation_controller.rb @@ -45,7 +45,11 @@ def password end def handle_valid_password - redirect_to login_two_factor_options_path(reauthn: true) + if current_user.auth_app_configurations.any? + redirect_to login_two_factor_authenticator_url(reauthn: true) + else + redirect_to user_two_factor_authentication_url(reauthn: true) + end session[:password_attempts] = 0 user_session[:current_password_required] = false end From 38c29d636c9bc3856dfba71465772cfc62800ed2 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Thu, 15 Jun 2023 11:48:33 -0400 Subject: [PATCH 17/24] pii confirmation --- app/controllers/mfa_confirmation_controller.rb | 1 - app/views/accounts/_pii.html.erb | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/app/controllers/mfa_confirmation_controller.rb b/app/controllers/mfa_confirmation_controller.rb index b79fd559063..a5f21c3ccef 100644 --- a/app/controllers/mfa_confirmation_controller.rb 
+++ b/app/controllers/mfa_confirmation_controller.rb @@ -22,7 +22,6 @@ def skip def new session[:password_attempts] ||= 0 - user_session[:context] = 'reauthentication' end def create diff --git a/app/views/accounts/_pii.html.erb b/app/views/accounts/_pii.html.erb index 4bb91a87cd0..cb30ca21ffb 100644 --- a/app/views/accounts/_pii.html.erb +++ b/app/views/accounts/_pii.html.erb @@ -9,7 +9,7 @@ button_to(reverify_to_show_pii_path, **tag_options, &block) end, method: :post, - class: 'usa-button usa-button--unstyled padding-y-1', + class: 'usa-button usa-button--unstyled', ).with_content(t('account.re_verify.footer')) %> From e9f52855d86242be01423ad2b2b69de603222a08 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Tue, 20 Jun 2023 10:32:22 -0400 Subject: [PATCH 18/24] Add reauthenticate option that works for verifying profile --- ...ller.rb => reauthentication_controller.rb} | 5 ++-- app/views/accounts/_pii.html.erb | 2 +- config/routes.rb | 2 +- .../reauthentication_controller_spec.rb | 28 +++++++++++++++++++ spec/features/users/user_profile_spec.rb | 7 +++-- 5 files changed, 36 insertions(+), 8 deletions(-) rename app/controllers/{accounts/reverify_to_show_pii_controller.rb => reauthentication_controller.rb} (68%) create mode 100644 spec/controllers/reauthentication_controller_spec.rb diff --git a/app/controllers/accounts/reverify_to_show_pii_controller.rb b/app/controllers/reauthentication_controller.rb similarity index 68% rename from app/controllers/accounts/reverify_to_show_pii_controller.rb rename to app/controllers/reauthentication_controller.rb index c84dd4a9620..eee9f8e925d 100644 --- a/app/controllers/accounts/reverify_to_show_pii_controller.rb +++ b/app/controllers/reauthentication_controller.rb @@ -1,5 +1,4 @@ -class Accounts::ReverifyToShowPiiController < ApplicationController - include RememberDeviceConcern +class ReauthenticationController < ApplicationController before_action :confirm_two_factor_authenticated def create 
@@ -8,4 +7,4 @@ def create redirect_to login_two_factor_options_path(reauthn: true) end - end +end diff --git a/app/views/accounts/_pii.html.erb b/app/views/accounts/_pii.html.erb index cb30ca21ffb..39d1a5a4818 100644 --- a/app/views/accounts/_pii.html.erb +++ b/app/views/accounts/_pii.html.erb @@ -6,7 +6,7 @@ <%= t('account.re_verify.banner') %> <%= render ButtonComponent.new( action: ->(**tag_options, &block) do - button_to(reverify_to_show_pii_path, **tag_options, &block) + button_to(reauthentication_path, **tag_options, &block) end, method: :post, class: 'usa-button usa-button--unstyled', diff --git a/config/routes.rb b/config/routes.rb index 0bb1d945092..587ba676dcc 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -185,7 +185,6 @@ as: :risc_configuration get '/account' => 'accounts#show' - post '/account/reverify_to_show_pii' => 'accounts/reverify_to_show_pii#create', as: :reverify_to_show_pii get '/account/connected_accounts' => 'accounts/connected_accounts#show' get '/account/devices/:id/events' => 'events#show', as: :account_events get '/account/delete' => 'users/delete#show', as: :account_delete @@ -203,6 +202,7 @@ post '/account/reactivate/verify_personal_key' => 'users/verify_personal_key#create', as: :create_verify_personal_key get '/account/two_factor_authentication' => 'accounts/two_factor_authentication#show' + post '/reauthentication' => 'reauthentication#create', as: :reauthentication get '/errors/service_provider_inactive' => 'users/service_provider_inactive#index', as: :sp_inactive_error diff --git a/spec/controllers/reauthentication_controller_spec.rb b/spec/controllers/reauthentication_controller_spec.rb new file mode 100644 index 00000000000..685264a409e --- /dev/null +++ b/spec/controllers/reauthentication_controller_spec.rb 
@@ -0,0 +1,28 @@ +require 'rails_helper' + +RSpec.describe ReauthenticationController do + let(:user) { create(:user, :fully_registered) } + + describe '#create' do + before(:each) do + stub_sign_in(user) + end + it 'redirects to 2FA options' do + post :create + + expect(response).to redirect_to login_two_factor_options_url(reauthn: true) + end + + it 'sets context to authentication' do + post :create + + expect(controller.user_session[:context]).to eq 'reauthentication' + end + + it 'sets stored location for redirecting' do + post :create + + expect(controller.user_session[:stored_location]).to eq account_url + end + end +end diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index 396c8c7b0fc..25c5cddb814 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb @@ -184,7 +184,7 @@ context 'allows verified user to see their information' do context 'time between sign in and remember device' do - it 'does not have prompt to authenticate device' do + it 'shows PII when timeout hasnt expired' do profile = create( :profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE @@ -203,7 +203,7 @@ end context 'when time expired' do - it 'has a prompt to authenticate device' do + it 'has a prompt to authenticate device and pii isnt visible until reauthenticate' do profile = create( :profile, :active, :verified, pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE @@ -224,7 +224,8 @@ expect(page).to have_link(t('account.re_verify.footer')) expect(page).to_not have_content(parsed_date) click_link t('account.re_verify.footer') - fill_in t('account.index.password'), with: user.password + expect(page). + to have_content t('two_factor_authentication.login_options.sms') click_button t('forms.buttons.continue') fill_in_code_with_last_phone_otp click_submit_default From 643bf4e3f50456bf1882732f74887544d0594e56 Mon Sep 17 00:00:00 2001 
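Review bot: The new spec only exercises the signed-in path (`stub_sign_in(user)` in the `before` block), so the `before_action :confirm_two_factor_authenticated` guard declared on `ReauthenticationController` is never asserted, and a regression that drops that filter would still pass this file. Add an example without `stub_sign_in` that does `post :create` and asserts it is redirected away from the MFA options page; the exact unauthenticated redirect target is not visible here, so check it against the project's other controller specs. The example title `'sets context to authentication'` also contradicts the asserted value `'reauthentication'`; rename it to `'sets context to reauthentication'`.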
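Review bot: The rewritten step in the third hunk removes `fill_in t('account.index.password'), with: user.password` and goes straight to the SMS option, so the re-verify button now unlocks the locked PII with a second factor alone, whereas the replaced test walked through password and then OTP. If that weaker step-up is intentional it should be stated where the next reader will look, e.g. `# Re-verify for locked PII re-prompts MFA only; the password is not re-entered` above `click_button t('account.re_verify.footer')`, otherwise the old password prompt should stay. The example titles `'shows PII when timeout hasnt expired'` and `'has a prompt to authenticate device and pii isnt visible until reauthenticate'` should read `hasn't`, `isn't` and `PII`.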
From: Malick Diarra Date: Tue, 20 Jun 2023 16:08:47 -0400 Subject: [PATCH 19/24] update pii routes --- .../accounts/reauthentication_controller.rb | 12 ++++++++++++ app/controllers/reauthentication_controller.rb | 10 ---------- app/views/accounts/_pii.html.erb | 18 +++++++++++------- config/routes.rb | 2 +- .../reauthentication_controller_spec.rb | 2 +- spec/features/users/user_profile_spec.rb | 6 +++--- 6 files changed, 28 insertions(+), 22 deletions(-) create mode 100644 app/controllers/accounts/reauthentication_controller.rb delete mode 100644 app/controllers/reauthentication_controller.rb rename spec/controllers/{ => accounts}/reauthentication_controller_spec.rb (91%) diff --git a/app/controllers/accounts/reauthentication_controller.rb b/app/controllers/accounts/reauthentication_controller.rb new file mode 100644 index 00000000000..5eda5c232bc --- /dev/null +++ b/app/controllers/accounts/reauthentication_controller.rb @@ -0,0 +1,12 @@ +module Accounts + class ReauthenticationController < ApplicationController + before_action :confirm_two_factor_authenticated + + def create + user_session[:stored_location] = account_url + user_session[:context] = 'reauthentication' + + redirect_to login_two_factor_options_path(reauthn: true) + end + end +end diff --git a/app/controllers/reauthentication_controller.rb b/app/controllers/reauthentication_controller.rb deleted file mode 100644 index eee9f8e925d..00000000000 --- a/app/controllers/reauthentication_controller.rb +++ /dev/null @@ -1,10 +0,0 @@ -class ReauthenticationController < ApplicationController - before_action :confirm_two_factor_authenticated - - def create - user_session[:stored_location] = account_url - user_session[:context] = 'reauthentication' - - redirect_to login_two_factor_options_path(reauthn: true) - end -end diff --git a/app/views/accounts/_pii.html.erb b/app/views/accounts/_pii.html.erb index 39d1a5a4818..614f9cb0f80 100644 --- a/app/views/accounts/_pii.html.erb +++ b/app/views/accounts/_pii.html.erb 
@@ -4,13 +4,17 @@
<%= t('account.re_verify.banner') %> - <%= render ButtonComponent.new( - action: ->(**tag_options, &block) do - button_to(reauthentication_path, **tag_options, &block) - end, - method: :post, - class: 'usa-button usa-button--unstyled', - ).with_content(t('account.re_verify.footer')) %> + <% if verify_banner_reauthentication_redirect do %> + <%= render ButtonComponent.new( + action: ->(**tag_options, &block) do + button_to(reauthentication_path, **tag_options, &block) + end, + method: :post, + class: 'usa-button usa-button--unstyled', + ).with_content(t('account.re_verify.footer')) %> + <% else %> + <%= link_to(t('account.re_verify.footer'), user_password_confirm_path) %> + <% end %>
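Review bot: `<% if verify_banner_reauthentication_redirect do %>` is not valid Ruby — the `do` opens a block on the helper call, so the following `<% else %>` has no matching `if`, and nothing in this series defines a `verify_banner_reauthentication_redirect` helper. The same commit removes the named route `:reauthentication` from config/routes.rb while the `button_to` still calls `reauthentication_path`; with `post '/account/reauthentication' => 'accounts/reauthentication#create'` and no `as:`, the generated helper is `account_reauthentication_path`. A later patch in this series switches the condition to `<% if use_reauthentication_route %>` and the path to `account_reauthentication_path`, which resolves both, but this commit does not render on its own. The partial's surrounding markup starts outside the hunk.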
diff --git a/config/routes.rb b/config/routes.rb index 587ba676dcc..f90797b6338 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -186,6 +186,7 @@ get '/account' => 'accounts#show' get '/account/connected_accounts' => 'accounts/connected_accounts#show' + post '/account/reauthentication' => 'accounts/reauthentication#create' get '/account/devices/:id/events' => 'events#show', as: :account_events get '/account/delete' => 'users/delete#show', as: :account_delete post '/account/delete' => 'users/delete#delete' @@ -202,7 +203,6 @@ post '/account/reactivate/verify_personal_key' => 'users/verify_personal_key#create', as: :create_verify_personal_key get '/account/two_factor_authentication' => 'accounts/two_factor_authentication#show' - post '/reauthentication' => 'reauthentication#create', as: :reauthentication get '/errors/service_provider_inactive' => 'users/service_provider_inactive#index', as: :sp_inactive_error diff --git a/spec/controllers/reauthentication_controller_spec.rb b/spec/controllers/accounts/reauthentication_controller_spec.rb similarity index 91% rename from spec/controllers/reauthentication_controller_spec.rb rename to spec/controllers/accounts/reauthentication_controller_spec.rb index 685264a409e..450e44fa42c 100644 --- a/spec/controllers/reauthentication_controller_spec.rb +++ b/spec/controllers/accounts/reauthentication_controller_spec.rb @@ -1,6 +1,6 @@ require 'rails_helper' -RSpec.describe ReauthenticationController do +RSpec.describe Accounts::ReauthenticationController do let(:user) { create(:user, :fully_registered) } describe '#create' do diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb index 25c5cddb814..46b05b8ff56 100644 --- a/spec/features/users/user_profile_spec.rb +++ b/spec/features/users/user_profile_spec.rb 
@@ -194,7 +194,7 @@ fill_in_code_with_last_phone_otp click_submit_default visit account_path - expect(page).to_not have_link(t('account.re_verify.footer')) + expect(page).to_not have_button(t('account.re_verify.footer')) dob = Idp::Constants::MOCK_IDV_APPLICANT[:dob] parsed_date = DateParser.parse_legacy(dob).to_formatted_s(:long) @@ -221,9 +221,9 @@ travel_to((timeout_in_minutes + 1).minutes.from_now) do sign_in_user(user) visit account_path - expect(page).to have_link(t('account.re_verify.footer')) + expect(page).to have_button(t('account.re_verify.footer')) expect(page).to_not have_content(parsed_date) - click_link t('account.re_verify.footer') + click_button t('account.re_verify.footer') expect(page). to have_content t('two_factor_authentication.login_options.sms') click_button t('forms.buttons.continue') From 67047a56642eee978405832e05335a7910395114 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Wed, 21 Jun 2023 10:10:14 -0400 Subject: [PATCH 20/24] add feature toggle --- app/controllers/accounts_controller.rb | 1 + app/views/accounts/_pii.html.erb | 4 ++-- app/views/accounts/show.html.erb | 3 ++- config/application.yml.default | 4 ++++ lib/feature_management.rb | 4 ++++ lib/identity_config.rb | 1 + 6 files changed, 14 insertions(+), 3 deletions(-) diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb index cd88ada8d9e..6dcd6067d82 100644 --- a/app/controllers/accounts_controller.rb +++ b/app/controllers/accounts_controller.rb @@ -16,5 +16,6 @@ def show user: current_user, locked_for_session: pii_locked_for_session?(current_user), ) + @use_reauthentication_route = FeatureManagement.use_reauthentication_route? end end diff --git a/app/views/accounts/_pii.html.erb b/app/views/accounts/_pii.html.erb index 614f9cb0f80..ec2b963ecaf 100644 --- a/app/views/accounts/_pii.html.erb +++ b/app/views/accounts/_pii.html.erb @@ -4,10 +4,10 @@
<%= t('account.re_verify.banner') %> - <% if verify_banner_reauthentication_redirect do %> + <% if use_reauthentication_route %> <%= render ButtonComponent.new( action: ->(**tag_options, &block) do - button_to(reauthentication_path, **tag_options, &block) + button_to(account_reauthentication_path, **tag_options, &block) end, method: :post, class: 'usa-button usa-button--unstyled', diff --git a/app/views/accounts/show.html.erb b/app/views/accounts/show.html.erb index 77e94d34a4b..db3e36d8c58 100644 --- a/app/views/accounts/show.html.erb +++ b/app/views/accounts/show.html.erb @@ -96,5 +96,6 @@ <% if @presenter.show_pii_partial? %> <%= render 'accounts/pii', pii: @presenter.pii, - locked_for_session: @presenter.locked_for_session %> + locked_for_session: @presenter.locked_for_session, + use_reauthentication_route: @use_reauthentication_route %> <% end %> diff --git a/config/application.yml.default b/config/application.yml.default index 6d7010a08e2..a8263cc029b 100644 --- a/config/application.yml.default +++ b/config/application.yml.default @@ -346,6 +346,7 @@ verify_personal_key_max_attempts: 5 use_dashboard_service_providers: false use_clean_edit_password_url: true use_kms: false +use_reauthentication_route: true usps_confirmation_max_days: 10 usps_ipp_password: '' usps_ipp_client_id: '' @@ -428,6 +429,7 @@ development: state_tracking_enabled: true telephony_adapter: test use_dashboard_service_providers: true + use_reauthentication_route: true usps_ipp_transliteration_enabled: true usps_upload_sftp_directory: "/gsa_order" usps_upload_sftp_host: localhost @@ -511,6 +513,7 @@ production: state_tracking_enabled: false telephony_adapter: pinpoint use_clean_edit_password_url: false + use_reauthentication_route: false use_kms: true usps_confirmation_max_days: 30 usps_upload_sftp_directory: '' 
@@ -599,6 +602,7 @@ test: telephony_adapter: test test_ssn_allowed_list: '999999999' totp_code_interval: 3 + use_reauthentication_route: true verify_gpo_key_attempt_window_in_minutes: 3 verify_gpo_key_max_attempts: 2 verify_personal_key_attempt_window_in_minutes: 3 diff --git a/lib/feature_management.rb b/lib/feature_management.rb index 961a1ad2dc5..d86b6ce27a8 100644 --- a/lib/feature_management.rb +++ b/lib/feature_management.rb @@ -82,6 +82,10 @@ def self.show_no_pii_banner? Identity::Hostdata.in_datacenter? && Identity::Hostdata.domain != 'login.gov' end + def self.use_reauthentication_route? + IdentityConfig.store.use_reauthentication_route + end + def self.enable_saml_cert_rotation? IdentityConfig.store.saml_secret_rotation_enabled end diff --git a/lib/identity_config.rb b/lib/identity_config.rb index da8eddeffd5..531ed739e79 100644 --- a/lib/identity_config.rb +++ b/lib/identity_config.rb @@ -455,6 +455,7 @@ def self.build_store(config_map) config.add(:get_usps_proofing_results_job_cron, type: :string) config.add(:get_usps_proofing_results_job_reprocess_delay_minutes, type: :integer) config.add(:get_usps_proofing_results_job_request_delay_milliseconds, type: :integer) + config.add(:use_reauthentication_route, type: :boolean) config.add(:usps_upload_sftp_directory, type: :string) config.add(:usps_upload_sftp_host, type: :string) config.add(:usps_upload_sftp_password, type: :string) From 7dac893af45f86ee58d9663b6901f09719277f0c Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Thu, 22 Jun 2023 09:11:44 -0400 Subject: [PATCH 21/24] remove dev and test prod stuff --- config/application.yml.default | 2 -- 1 file changed, 2 deletions(-) diff --git a/config/application.yml.default b/config/application.yml.default index a8263cc029b..3af3bc24ebf 100644 --- a/config/application.yml.default +++ b/config/application.yml.default 
@@ -429,7 +429,6 @@ development: state_tracking_enabled: true telephony_adapter: test use_dashboard_service_providers: true - use_reauthentication_route: true usps_ipp_transliteration_enabled: true usps_upload_sftp_directory: "/gsa_order" usps_upload_sftp_host: localhost @@ -602,7 +601,6 @@ test: telephony_adapter: test test_ssn_allowed_list: '999999999' totp_code_interval: 3 - use_reauthentication_route: true verify_gpo_key_attempt_window_in_minutes: 3 verify_gpo_key_max_attempts: 2 verify_personal_key_attempt_window_in_minutes: 3 From 301e1daaf89446dfb5398102a799862a4e3c0048 Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Thu, 22 Jun 2023 16:07:28 -0400 Subject: [PATCH 22/24] change to put method in accounts controller --- .../accounts/reauthentication_controller.rb | 12 ---------- app/controllers/accounts_controller.rb | 7 ++++++ config/routes.rb | 2 +- spec/controllers/accounts_controller_spec.rb | 24 +++++++++++++++++++ 4 files changed, 32 insertions(+), 13 deletions(-) delete mode 100644 app/controllers/accounts/reauthentication_controller.rb diff --git a/app/controllers/accounts/reauthentication_controller.rb b/app/controllers/accounts/reauthentication_controller.rb deleted file mode 100644 index 5eda5c232bc..00000000000 --- a/app/controllers/accounts/reauthentication_controller.rb +++ /dev/null @@ -1,12 +0,0 @@ -module Accounts - class ReauthenticationController < ApplicationController - before_action :confirm_two_factor_authenticated - - def create - user_session[:stored_location] = account_url - user_session[:context] = 'reauthentication' - - redirect_to login_two_factor_options_path(reauthn: true) - end - end -end diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb index 6dcd6067d82..8280339d388 100644 --- a/app/controllers/accounts_controller.rb +++ b/app/controllers/accounts_controller.rb 
@@ -18,4 +18,11 @@ def show ) @use_reauthentication_route = FeatureManagement.use_reauthentication_route? end + + def reauthentication + user_session[:stored_location] = account_url + user_session[:context] = 'reauthentication' + + redirect_to login_two_factor_options_path(reauthn: true) + end end diff --git a/config/routes.rb b/config/routes.rb index b00fab3ff79..102b15a28c5 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -183,7 +183,7 @@ get '/account' => 'accounts#show' get '/account/connected_accounts' => 'accounts/connected_accounts#show' - post '/account/reauthentication' => 'accounts/reauthentication#create' + post '/account/reauthentication' => 'accounts#reauthentication' get '/account/devices/:id/events' => 'events#show', as: :account_events get '/account/delete' => 'users/delete#show', as: :account_delete post '/account/delete' => 'users/delete#delete' diff --git a/spec/controllers/accounts_controller_spec.rb b/spec/controllers/accounts_controller_spec.rb index 0117b623f03..96afc76be3c 100644 --- a/spec/controllers/accounts_controller_spec.rb +++ b/spec/controllers/accounts_controller_spec.rb @@ -102,4 +102,28 @@ end end end + + describe '#reauthentication' do + let(:user) { create(:user, :fully_registered) } + before(:each) do + stub_sign_in(user) + end + it 'redirects to 2FA options' do + post :reauthentication + + expect(response).to redirect_to login_two_factor_options_url(reauthn: true) + end + + it 'sets context to authentication' do + post :reauthentication + + expect(controller.user_session[:context]).to eq 'reauthentication' + end + + it 'sets stored location for redirecting' do + post :reauthentication + + expect(controller.user_session[:stored_location]).to eq account_url + end + end end From c3384f849fe74f7f426f7942d96b2c020430fd49 Mon Sep 17 00:00:00 2001 
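Review bot: Moving `reauthentication` into `AccountsController` drops the explicit `before_action :confirm_two_factor_authenticated` that the deleted `Accounts::ReauthenticationController` declared; whether `AccountsController` already applies an equivalent filter is not visible in this hunk (the class header is outside it), so confirm that before merging or re-declare it, e.g. `before_action :confirm_two_factor_authenticated, only: :reauthentication`. The action is also mounted unconditionally while `FeatureManagement.use_reauthentication_route?` only gates the button in the view, so with `use_reauthentication_route: false` in production the POST endpoint still starts the MFA-only flow; if the flag is meant as a kill switch, guard the action too with `return redirect_to account_url unless FeatureManagement.use_reauthentication_route?` as its first line. The hard-coded `account_url` in `user_session[:stored_location]` is what keeps this free of open-redirect input, which is worth a one-line comment: `# stored_location is fixed to account_url; never take it from params`.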
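Review bot: The new `describe '#reauthentication'` block only covers a signed-in user (`stub_sign_in(user)`), so the access guard on this action is not tested; add an example without `stub_sign_in` that does `post :reauthentication` and asserts it is redirected away from `login_two_factor_options_url`, the exact target depending on the filter `AccountsController` applies, which is not visible here. The title `'sets context to authentication'` does not match the asserted `'reauthentication'`; rename it to `'sets context to reauthentication'`.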
From: Malick Diarra Date: Fri, 23 Jun 2023 09:25:52 -0400 Subject: [PATCH 23/24] remove reauthentication spec --- .../reauthentication_controller_spec.rb | 28 ------------------- 1 file changed, 28 deletions(-) delete mode 100644 spec/controllers/accounts/reauthentication_controller_spec.rb diff --git a/spec/controllers/accounts/reauthentication_controller_spec.rb b/spec/controllers/accounts/reauthentication_controller_spec.rb deleted file mode 100644 index 450e44fa42c..00000000000 --- a/spec/controllers/accounts/reauthentication_controller_spec.rb +++ /dev/null @@ -1,28 +0,0 @@ -require 'rails_helper' - -RSpec.describe Accounts::ReauthenticationController do - let(:user) { create(:user, :fully_registered) } - - describe '#create' do - before(:each) do - stub_sign_in(user) - end - it 'redirects to 2FA options' do - post :create - - expect(response).to redirect_to login_two_factor_options_url(reauthn: true) - end - - it 'sets context to authentication' do - post :create - - expect(controller.user_session[:context]).to eq 'reauthentication' - end - - it 'sets stored location for redirecting' do - post :create - - expect(controller.user_session[:stored_location]).to eq account_url - end - end -end From b8e7e7da6ad33c49bf7d68278a3b429aa351ee6a Mon Sep 17 00:00:00 2001 From: Malick Diarra Date: Mon, 26 Jun 2023 14:47:20 -0400 Subject: [PATCH 24/24] added additional comment --- app/controllers/accounts_controller.rb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb index 8280339d388..986bb6bc8b4 100644 --- a/app/controllers/accounts_controller.rb +++ b/app/controllers/accounts_controller.rb 
@@ -19,6 +19,9 @@ def show @use_reauthentication_route = FeatureManagement.use_reauthentication_route? end + # This action is used to re-authenticate when PII on the account page is locked on `show` action + # This allows users to view their PII after reauthenticating their MFA. + def reauthentication user_session[:stored_location] = account_url user_session[:context] = 'reauthentication'