diff --git a/app/controllers/concerns/two_factor_authenticatable.rb b/app/controllers/concerns/two_factor_authenticatable.rb
index 250f2221c53..dcd58755ef0 100644
--- a/app/controllers/concerns/two_factor_authenticatable.rb
+++ b/app/controllers/concerns/two_factor_authenticatable.rb
@@ -36,7 +36,6 @@ def self.phishing_resistant?(auth_method)
 included do
 # rubocop:disable Rails/LexicallyScopedActionFilter
 before_action :authenticate_user
- before_action :require_current_password, if: :current_password_required?
 before_action :check_already_authenticated
 before_action :reset_attempt_count_if_user_no_longer_locked_out, only: :create
 before_action :apply_secure_headers_override, only: %i[show create]
diff --git a/app/controllers/concerns/two_factor_authenticatable_methods.rb b/app/controllers/concerns/two_factor_authenticatable_methods.rb
index 7f41a55e785..d23e5aec323 100644
--- a/app/controllers/concerns/two_factor_authenticatable_methods.rb
+++ b/app/controllers/concerns/two_factor_authenticatable_methods.rb
@@ -53,14 +53,6 @@ def handle_max_attempts(type)
 render_full_width('two_factor_authentication/_locked', locals: { presenter: presenter })
 end
- def require_current_password
- redirect_to user_password_confirm_url
- end
-
- def current_password_required?
- user_session[:current_password_required] == true
- end
-
-
 def check_already_authenticated
 return unless UserSessionContext.authentication_context?(context)
 return unless user_fully_authenticated?
diff --git a/app/controllers/mfa_confirmation_controller.rb b/app/controllers/mfa_confirmation_controller.rb
index bda5cda1fae..18ae426a3e8 100644
--- a/app/controllers/mfa_confirmation_controller.rb
+++ b/app/controllers/mfa_confirmation_controller.rb
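Review bot: `user_session[:current_password_required]` loses every reader in this diff — the `if: :current_password_required?` guard on the filter chain and the predicate itself are removed here, and the `= false` resets in mfa_confirmation_controller.rb and password_capture_controller.rb go too — but no hunk removes whatever sets the key to `true`. If a setter survives outside this diff (not visible here), the key becomes dead session state that nothing reads or clears, so a grep for `current_password_required` before merge would confirm the removal is complete. On the same theme, password_capture_controller.rb's `handle_valid_password` still resets `session[:password_attempts]` while the only incrementer visible in this diff (`handle_invalid_password` in mfa_confirmation_controller.rb) is deleted; presumably password_capture_controller.rb has its own incrementer, which is worth a quick check.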
@@ -20,23 +20,6 @@ def skip
 redirect_to after_skip_path
 end
- def new
- session[:password_attempts] ||= 0
- end
-
- def create
- valid_password = current_user.valid_password?(password)
-
- irs_attempts_api_tracker.logged_in_profile_change_reauthentication_submitted(
- success: valid_password,
- )
- if valid_password
- handle_valid_password
- else
- handle_invalid_password
- end
- end
-
-
 private
-
 def mfa_confirmation_presenter
@@ -49,34 +32,6 @@ def password
 params.require(:user)[:password]
 end
- def handle_valid_password
- if current_user.auth_app_configurations.any?
- redirect_to login_two_factor_authenticator_url(reauthn: true)
- else
- redirect_to user_two_factor_authentication_url(reauthn: true)
- end
- session[:password_attempts] = 0
- user_session[:current_password_required] = false
- end
-
- def handle_invalid_password
- session[:password_attempts] = session[:password_attempts].to_i + 1
-
- if session[:password_attempts] < IdentityConfig.store.password_max_attempts
- flash[:error] = t('errors.confirm_password_incorrect')
- redirect_to user_password_confirm_url
- else
- handle_max_password_attempts_reached
- end
- end
-
- def handle_max_password_attempts_reached
- analytics.password_max_attempts
- irs_attempts_api_tracker.logged_in_profile_change_reauthentication_rate_limited
- sign_out
- redirect_to root_url, flash: { error: t('errors.max_password_attempts_reached') }
- end
-
-
 def mfa_context
 @mfa_context ||= MfaContext.new(current_user)
 end
diff --git a/app/controllers/password_capture_controller.rb b/app/controllers/password_capture_controller.rb
index 0e0be1c2a4f..c306fec2c86 100644
--- a/app/controllers/password_capture_controller.rb
+++ b/app/controllers/password_capture_controller.rb
@@ -38,7 +38,6 @@ def password
 def handle_valid_password
 cache_active_profile(password)
 session[:password_attempts] = 0
- user_session[:current_password_required] = false
 redirect_to after_sign_in_path_for(current_user)
 end
diff --git a/app/services/irs_attempts_api/tracker_events.rb b/app/services/irs_attempts_api/tracker_events.rb
index 1f4eb829fa6..9179bb36ad2 100644
--- a/app/services/irs_attempts_api/tracker_events.rb
+++ b/app/services/irs_attempts_api/tracker_events.rb
@@ -376,14 +376,6 @@ def logged_in_password_change(success:, failure_reason: nil)
 )
 end
- # A logged-in user has been rate limited from submitting a password to reauthenticate prior to
- # changing their profile too many times
- def logged_in_profile_change_reauthentication_rate_limited
- track_event(
- :logged_in_profile_change_reauthentication_rate_limited,
- )
- end
-
 # @param [Boolean] success True if the password submitted for reauthentication matches the
 # current password
 # A logged-in user has submitted a password to reauthenticate prior to changing their profile
diff --git a/app/views/mfa_confirmation/new.html.erb b/app/views/mfa_confirmation/new.html.erb
deleted file mode 100644
index 1492e7d7323..00000000000
--- a/app/views/mfa_confirmation/new.html.erb
+++ /dev/null
@@ -1,26 +0,0 @@
-<% title t('titles.passwords.confirm') %>
-
-<%= render PageHeadingComponent.new.with_content(t('headings.passwords.confirm')) %>
-
-
- <%# for follow up: translate factor_to_change (LG-5701) %>
- <%= t('help_text.change_factor', factor: user_session[:factor_to_change]) %>
-
-<%= simple_form_for(
- current_user,
- url: reauthn_user_password_path,
- html: { autocomplete: 'off', method: 'post', class: 'margin-top-4' },
- ) do |f| %>
- <%= render PasswordToggleComponent.new(
- form: f,
- field_options: {
- required: true,
- input_html: {
- autocomplete: 'current-password',
- },
- },
- ) %>
- <%= f.submit t('forms.buttons.continue'), class: 'display-block margin-y-5' %>
-<% end %>
-<%= render 'shared/cancel', link: account_path %>
diff --git a/config/locales/help_text/en.yml b/config/locales/help_text/en.yml
index a5169c9caaa..0a90f49ced7 100644
--- a/config/locales/help_text/en.yml
+++ b/config/locales/help_text/en.yml
@@ -1,8 +1,6 @@
 ---
 en:
 help_text:
- change_factor: Before you’re able to reset your %{factor}, you will need to
- confirm your password and use your authentication method.
 requested_attributes:
 address: Mailing address
 all_emails: Email addresses on your account
diff --git a/config/locales/help_text/es.yml b/config/locales/help_text/es.yml
index 21090ee05a0..cd0179d3b50 100644
--- a/config/locales/help_text/es.yml
+++ b/config/locales/help_text/es.yml
@@ -1,8 +1,6 @@
 ---
 es:
 help_text:
- change_factor: Antes de que pueda restablecer su %{factor}, tendrá que confirmar
- su contraseña y utilizar su método de autenticación.
 requested_attributes:
 address: Dirección de correo postal
 all_emails: Direcciones de correo electrónico en su cuenta
diff --git a/config/locales/help_text/fr.yml b/config/locales/help_text/fr.yml
index 3f3d539f854..4b7e484f9c8 100644
--- a/config/locales/help_text/fr.yml
+++ b/config/locales/help_text/fr.yml
@@ -1,8 +1,6 @@
 ---
 fr:
 help_text:
- change_factor: Avant de pouvoir réinitialiser votre %{factor}, vous devrez
- confirmer votre mot de passe et utiliser votre méthode d’authentification.
 requested_attributes:
 address: Adresse postale
 all_emails: Adresses e-mail sur votre compte
diff --git a/config/locales/titles/en.yml b/config/locales/titles/en.yml
index 1cb6e9de05f..f5448999dd4 100644
--- a/config/locales/titles/en.yml
+++ b/config/locales/titles/en.yml
@@ -50,7 +50,6 @@ en:
 logout: OpenID Connect Logout
 passwords:
 change: Change the password for your account
- confirm: Confirm the password for your account
 forgot: Reset password
 personal_key: Just in case
 phone_setup: Get your one-time code
diff --git a/config/locales/titles/es.yml b/config/locales/titles/es.yml
index 04aae9bd3f0..cdc88f7fd44 100644
--- a/config/locales/titles/es.yml
+++ b/config/locales/titles/es.yml
@@ -50,7 +50,6 @@ es:
 logout: Cierre de sesión de OpenID Connect
 passwords:
 change: Cambie la contraseña de su cuenta
- confirm: Confirme la contraseña de su cuenta
 forgot: Restablecer la contraseña
 personal_key: Por si acaso
 phone_setup: Obtenga su código único
diff --git a/config/locales/titles/fr.yml b/config/locales/titles/fr.yml
index c83d4dd04bf..6297821eaa1 100644
--- a/config/locales/titles/fr.yml
+++ b/config/locales/titles/fr.yml
@@ -50,7 +50,6 @@ fr:
 logout: Déconnexion OpenID Connect
 passwords:
 change: Changez le mot de passe de votre compte
- confirm: Confirmez le mot de passe de votre compte
 forgot: Réinitialisez le mot de passe
 personal_key: Juste au cas
 phone_setup: Obtenez votre code à usage unique
diff --git a/config/routes.rb b/config/routes.rb
index 44ad891d3e5..886add94ccc 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -131,9 +131,6 @@
 post 'login/add_piv_cac/prompt' => 'users/piv_cac_setup_from_sign_in#decline'
 get 'login/add_piv_cac/success' => 'users/piv_cac_setup_from_sign_in#success'
 post 'login/add_piv_cac/success' => 'users/piv_cac_setup_from_sign_in#next'
-
- get '/reauthn' => 'mfa_confirmation#new', as: :user_password_confirm
- post '/reauthn' => 'mfa_confirmation#create', as: :reauthn_user_password
 end
 if IdentityConfig.store.enable_test_routes
diff --git a/spec/controllers/mfa_confirmation_controller_spec.rb b/spec/controllers/mfa_confirmation_controller_spec.rb
index aef969e444a..7c37c541de8 100644
--- a/spec/controllers/mfa_confirmation_controller_spec.rb
+++ b/spec/controllers/mfa_confirmation_controller_spec.rb
@@ -10,133 +10,4 @@
 expect(response.status).to eq 200
 end
 end
-
- describe '#new' do
- it 'presents the password confirmation form' do
- stub_sign_in
-
- get :new
-
- expect(response.status).to eq 200
- expect(session[:password_attempts]).to eq 0
- end
-
- it 'does not reset password attempts if already set' do
- stub_sign_in
- session[:password_attempts] = 1
-
- get :new
-
- expect(session[:password_attempts]).to eq 1
- end
- end
-
- describe '#create' do
- let(:user) { build(:user, password: 'password') }
-
- before do
- stub_sign_in(user)
- stub_attempts_tracker
- allow(@irs_attempts_api_tracker).to receive(:track_event)
- session[:password_attempts] = 1
- end
-
- context 'password is empty' do
- it 'redirects with error message and increments password attempts' do
- post :create, params: { user: { password: '' } }
-
- expect(@irs_attempts_api_tracker).to have_received(:track_event).
- with(:logged_in_profile_change_reauthentication_submitted, success: false)
-
- expect(response).to redirect_to(user_password_confirm_path)
- expect(flash[:error]).to eq t('errors.confirm_password_incorrect')
- expect(session[:password_attempts]).to eq 2
- end
- end
-
- context 'password is wrong' do
- it 'redirects with error message and increments password attempts' do
- post :create, params: { user: { password: 'wrong' } }
-
- expect(@irs_attempts_api_tracker).to have_received(:track_event).
- with(:logged_in_profile_change_reauthentication_submitted, success: false)
-
- expect(response).to redirect_to(user_password_confirm_path)
- expect(flash[:error]).to eq t('errors.confirm_password_incorrect')
- expect(session[:password_attempts]).to eq 2
- end
-
- context 'session data is missing' do
- before do
- session.delete(:password_attempts)
- end
-
- it 'redirects and increments the password count' do
- post :create, params: { user: { password: 'wrong' } }
-
- expect(@irs_attempts_api_tracker).to have_received(:track_event).
- with(:logged_in_profile_change_reauthentication_submitted, success: false)
-
- expect(response).to redirect_to(user_password_confirm_path)
- expect(session[:password_attempts]).to eq 1
- end
- end
- end
-
- context 'password is correct' do
- it 'redirects to 2FA and resets password attempts' do
- post :create, params: { user: { password: 'password' } }
-
- expect(@irs_attempts_api_tracker).to have_received(:track_event).
- with(:logged_in_profile_change_reauthentication_submitted, success: true)
-
- expect(response).to redirect_to(user_two_factor_authentication_path(reauthn: true))
- expect(session[:password_attempts]).to eq 0
- end
- end
- end
-
- describe 'password attempts counter' do
- context 'max password attempts reached' do
- it 'signs the user out' do
- user = create(:user, :fully_registered)
- sign_in user
- session[:password_attempts] = 0
- stub_analytics
- stub_attempts_tracker
- allow(@analytics).to receive(:track_event)
- allow(@irs_attempts_api_tracker).to receive(:track_event)
-
- max_allowed_attempts = IdentityConfig.store.password_max_attempts
- max_allowed_attempts.times do
- post :create, params: { user: { password: 'wrong' } }
- end
-
- expect(response).to redirect_to(root_path)
- expect(controller.current_user).to be_nil
- expect(flash[:error]).to eq t('errors.max_password_attempts_reached')
- expect(@analytics).to have_received(:track_event).
- with('Password Max Attempts Reached')
- expect(@irs_attempts_api_tracker).to have_received(:track_event).
- with(:logged_in_profile_change_reauthentication_rate_limited)
- end
- end
-
- context 'last password attempt is correct' do
- it 'does not sign the user out' do
- user = build_stubbed(:user, password: 'password')
- stub_sign_in user
- session[:password_attempts] = 0
-
- max_allowed_attempts = IdentityConfig.store.password_max_attempts
- (max_allowed_attempts - 1).times do
- post :create, params: { user: { password: 'wrong' } }
- end
-
- post :create, params: { user: { password: 'password' } }
-
- expect(response).to redirect_to user_two_factor_authentication_path(reauthn: true)
- end
- end
- end
 end
diff --git a/spec/controllers/users/two_factor_authentication_controller_spec.rb b/spec/controllers/users/two_factor_authentication_controller_spec.rb
index 4ab40b4e664..bd18c1d5e20 100644
--- a/spec/controllers/users/two_factor_authentication_controller_spec.rb
+++ b/spec/controllers/users/two_factor_authentication_controller_spec.rb
@@ -11,7 +11,6 @@
 expect(subject).to have_actions(
 :before,
 :authenticate_user,
- [:require_current_password, if: :current_password_required?],
 :check_already_authenticated,
 :reset_attempt_count_if_user_no_longer_locked_out,
 :apply_secure_headers_override,