18F · mdiarra3 · Jun 26, 2023 · May 31, 2023 · Jun 5, 2023 · Jun 5, 2023
diff --git a/app/controllers/accounts_controller.rb b/app/controllers/accounts_controller.rb
@@ -16,5 +16,16 @@ def show
       user: current_user,
       locked_for_session: pii_locked_for_session?(current_user),
     )
+    @use_reauthentication_route = FeatureManagement.use_reauthentication_route?
+  end
+
+  # This action is used to re-authenticate when PII on the account page is locked on `show` action
+  # This allows users to view their PII after reauthenticating their MFA.
+
+  def reauthentication
+    user_session[:stored_location] = account_url
+    user_session[:context] = 'reauthentication'
+
+    redirect_to login_two_factor_options_path(reauthn: true)
   end
 end
diff --git a/app/views/accounts/_pii.html.erb b/app/views/accounts/_pii.html.erb
@@ -4,8 +4,17 @@
       <div class="usa-alert__body">
         <div class="usa-alert__text">
           <%= t('account.re_verify.banner') %>
-
-          <%= link_to(t('account.re_verify.footer'), user_password_confirm_path) %>
+          <% if use_reauthentication_route %>
+            <%= render ButtonComponent.new(
+                  action: ->(**tag_options, &block) do
+                    button_to(account_reauthentication_path, **tag_options, &block)
+                  end,
+                  method: :post,
+                  class: 'usa-button usa-button--unstyled',
+                ).with_content(t('account.re_verify.footer')) %>
+          <% else %>
+            <%= link_to(t('account.re_verify.footer'), user_password_confirm_path) %>
+          <% end %>
         </div>
       </div>
     </div>

diff --git a/app/views/accounts/show.html.erb b/app/views/accounts/show.html.erb
@@ -96,5 +96,6 @@
 
 <% if @presenter.show_pii_partial? %>
   <%= render 'accounts/pii', pii: @presenter.pii,
-                             locked_for_session: @presenter.locked_for_session %>
+                             locked_for_session: @presenter.locked_for_session,
+                             use_reauthentication_route: @use_reauthentication_route %>
 <% end %>
diff --git a/config/application.yml.default b/config/application.yml.default
@@ -345,6 +345,7 @@ verify_personal_key_max_attempts: 5
 version_headers_enabled: false
 use_dashboard_service_providers: false
 use_kms: false
+use_reauthentication_route: true
 usps_confirmation_max_days: 10
 usps_ipp_password: ''
 usps_ipp_client_id: ''
@@ -508,6 +509,7 @@ production:
   skip_encryption_allowed_list: '["urn:gov:gsa:SAML:2.0.profiles:sp:sso:dev", "urn:gov:gsa:SAML:2.0.profiles:sp:sso:int"]'
   state_tracking_enabled: false
   telephony_adapter: pinpoint
+  use_reauthentication_route: false
   use_kms: true
   usps_confirmation_max_days: 30
   usps_upload_sftp_directory: ''

diff --git a/config/routes.rb b/config/routes.rb
@@ -183,6 +183,7 @@
 
     get '/account' => 'accounts#show'
     get '/account/connected_accounts' => 'accounts/connected_accounts#show'
+    post '/account/reauthentication' => 'accounts#reauthentication'
     get '/account/devices/:id/events' => 'events#show', as: :account_events
     get '/account/delete' => 'users/delete#show', as: :account_delete
     post '/account/delete' => 'users/delete#delete'

diff --git a/lib/feature_management.rb b/lib/feature_management.rb
@@ -78,6 +78,10 @@ def self.show_no_pii_banner?
     Identity::Hostdata.in_datacenter? && Identity::Hostdata.domain != 'login.gov'
   end
 
+  def self.use_reauthentication_route?
+    IdentityConfig.store.use_reauthentication_route
+  end
+
   def self.enable_saml_cert_rotation?
     IdentityConfig.store.saml_secret_rotation_enabled
   end

diff --git a/lib/identity_config.rb b/lib/identity_config.rb
@@ -463,6 +463,7 @@ def self.build_store(config_map)
     config.add(:get_usps_proofing_results_job_cron, type: :string)
     config.add(:get_usps_proofing_results_job_reprocess_delay_minutes, type: :integer)
     config.add(:get_usps_proofing_results_job_request_delay_milliseconds, type: :integer)
+    config.add(:use_reauthentication_route, type: :boolean)
     config.add(:usps_upload_sftp_directory, type: :string)
     config.add(:usps_upload_sftp_host, type: :string)
     config.add(:usps_upload_sftp_password, type: :string)

diff --git a/spec/controllers/accounts_controller_spec.rb b/spec/controllers/accounts_controller_spec.rb
@@ -102,4 +102,28 @@
       end
     end
   end
+
+  describe '#reauthentication' do
+    let(:user) { create(:user, :fully_registered) }
+    before(:each) do
+      stub_sign_in(user)
+    end
+    it 'redirects to 2FA options' do
+      post :reauthentication
+
+      expect(response).to redirect_to login_two_factor_options_url(reauthn: true)
+    end
+
+    it 'sets context to authentication' do
+      post :reauthentication
+
+      expect(controller.user_session[:context]).to eq 'reauthentication'
+    end
+
+    it 'sets stored location for redirecting' do
+      post :reauthentication
+
+      expect(controller.user_session[:stored_location]).to eq account_url
+    end
+  end
 end
diff --git a/spec/features/users/user_profile_spec.rb b/spec/features/users/user_profile_spec.rb
@@ -181,4 +181,57 @@
       expect(current_path).to eq(account_history_path)
     end
   end
+
+  context 'allows verified user to see their information' do
+    context 'time between sign in and remember device' do
+      it 'shows PII when timeout hasnt expired' do
+        profile = create(
+          :profile, :active, :verified,
+          pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE
+        )
+        sign_in_user(profile.user)
+        check t('forms.messages.remember_device')
+        fill_in_code_with_last_phone_otp
+        click_submit_default
+        visit account_path
+        expect(page).to_not have_button(t('account.re_verify.footer'))
+
+        dob = Idp::Constants::MOCK_IDV_APPLICANT[:dob]
+        parsed_date = DateParser.parse_legacy(dob).to_formatted_s(:long)
+        expect(page).to have_content(parsed_date)
+      end
+    end
+
+    context 'when time expired' do
+      it 'has a prompt to authenticate device and pii isnt visible until reauthenticate' do
+        profile = create(
+          :profile, :active, :verified,
+          pii: Idp::Constants::MOCK_IDV_APPLICANT_WITH_PHONE
+        )
+        user = profile.user
+        sign_in_user(user)
+        dob = Idp::Constants::MOCK_IDV_APPLICANT[:dob]
+        parsed_date = DateParser.parse_legacy(dob).to_formatted_s(:long)
+
+        check t('forms.messages.remember_device')
+        fill_in_code_with_last_phone_otp
+        click_submit_default
+
+        timeout_in_minutes = IdentityConfig.store.pii_lock_timeout_in_minutes.to_i
+        travel_to((timeout_in_minutes + 1).minutes.from_now) do
+          sign_in_user(user)
+          visit account_path
+          expect(page).to have_button(t('account.re_verify.footer'))
+          expect(page).to_not have_content(parsed_date)
+          click_button t('account.re_verify.footer')
+          expect(page).
+            to have_content t('two_factor_authentication.login_options.sms')
+          click_button t('forms.buttons.continue')
+          fill_in_code_with_last_phone_otp
+          click_submit_default
+          expect(page).to have_content(parsed_date)
+        end
+      end
+    end
+  end
 end