Remove unused reauthn routes

app/controllers/concerns/two_factor_authenticatable.rb

@@ -36,7 +36,6 @@ def self.phishing_resistant?(auth_method)
   included do
     # rubocop:disable Rails/LexicallyScopedActionFilter
     before_action :authenticate_user
-    before_action :require_current_password, if: :current_password_required?
     before_action :check_already_authenticated
     before_action :reset_attempt_count_if_user_no_longer_locked_out, only: :create
     before_action :apply_secure_headers_override, only: %i[show create]

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -53,14 +53,6 @@ def handle_max_attempts(type)
     render_full_width('two_factor_authentication/_locked', locals: { presenter: presenter })
   end
 
-  def require_current_password
-    redirect_to user_password_confirm_url
-  end
-
-  def current_password_required?
-    user_session[:current_password_required] == true
-  end
-
   def check_already_authenticated
     return unless UserSessionContext.authentication_context?(context)
     return unless user_fully_authenticated?

app/controllers/mfa_confirmation_controller.rb

@@ -20,23 +20,6 @@ def skip
     redirect_to after_skip_path
   end
 
-  def new
-    session[:password_attempts] ||= 0
-  end
-
-  def create
-    valid_password = current_user.valid_password?(password)
-
-    irs_attempts_api_tracker.logged_in_profile_change_reauthentication_submitted(
-      success: valid_password,
-    )
-    if valid_password
-      handle_valid_password
-    else
-      handle_invalid_password
-    end
-  end
-
   private
 
   def mfa_confirmation_presenter
@@ -49,34 +32,6 @@ def password
     params.require(:user)[:password]
   end
 
-  def handle_valid_password
-    if current_user.auth_app_configurations.any?
-      redirect_to login_two_factor_authenticator_url(reauthn: true)
-    else
-      redirect_to user_two_factor_authentication_url(reauthn: true)
-    end
-    session[:password_attempts] = 0
-    user_session[:current_password_required] = false
-  end
-
-  def handle_invalid_password
-    session[:password_attempts] = session[:password_attempts].to_i + 1
-
-    if session[:password_attempts] < IdentityConfig.store.password_max_attempts
-      flash[:error] = t('errors.confirm_password_incorrect')
-      redirect_to user_password_confirm_url
-    else
-      handle_max_password_attempts_reached
-    end
-  end
-
-  def handle_max_password_attempts_reached
-    analytics.password_max_attempts
-    irs_attempts_api_tracker.logged_in_profile_change_reauthentication_rate_limited
-    sign_out
-    redirect_to root_url, flash: { error: t('errors.max_password_attempts_reached') }
-  end
-
   def mfa_context
     @mfa_context ||= MfaContext.new(current_user)
   end

app/controllers/password_capture_controller.rb

@@ -38,7 +38,6 @@ def password
   def handle_valid_password
     cache_active_profile(password)
     session[:password_attempts] = 0
-    user_session[:current_password_required] = false
     redirect_to after_sign_in_path_for(current_user)
   end
 

app/services/irs_attempts_api/tracker_events.rb

@@ -376,14 +376,6 @@ def logged_in_password_change(success:, failure_reason: nil)
       )
     end
 
-    # A logged-in user has been rate limited from submitting a password to reauthenticate prior to
-    # changing their profile too many times
-    def logged_in_profile_change_reauthentication_rate_limited
-      track_event(
-        :logged_in_profile_change_reauthentication_rate_limited,
-      )
-    end
-
     # @param [Boolean] success True if the password submitted for reauthentication matches the
     # current password
     # A logged-in user has submitted a password to reauthenticate prior to changing their profile

config/locales/help_text/en.yml

@@ -1,8 +1,6 @@
 ---
 en:
   help_text:
-    change_factor: Before you’re able to reset your %{factor}, you will need to
-      confirm your password and use your authentication method.
     requested_attributes:
       address: Mailing address
       all_emails: Email addresses on your account

config/locales/help_text/es.yml

@@ -1,8 +1,6 @@
 ---
 es:
   help_text:
-    change_factor: Antes de que pueda restablecer su %{factor}, tendrá que confirmar
-      su contraseña y utilizar su método de autenticación.
     requested_attributes:
       address: Dirección de correo postal
       all_emails: Direcciones de correo electrónico en su cuenta

config/locales/help_text/fr.yml

@@ -1,8 +1,6 @@
 ---
 fr:
   help_text:
-    change_factor: Avant de pouvoir réinitialiser votre %{factor}, vous devrez
-      confirmer votre mot de passe et utiliser votre méthode d’authentification.
     requested_attributes:
       address: Adresse postale
       all_emails: Adresses e-mail sur votre compte

config/locales/titles/en.yml

@@ -50,7 +50,6 @@ en:
       logout: OpenID Connect Logout
     passwords:
       change: Change the password for your account
-      confirm: Confirm the password for your account
       forgot: Reset password
     personal_key: Just in case
     phone_setup: Get your one-time code

config/locales/titles/es.yml

@@ -50,7 +50,6 @@ es:
       logout: Cierre de sesión de OpenID Connect
     passwords:
       change: Cambie la contraseña de su cuenta
-      confirm: Confirme la contraseña de su cuenta
       forgot: Restablecer la contraseña
     personal_key: Por si acaso
     phone_setup: Obtenga su código único

config/locales/titles/fr.yml

@@ -50,7 +50,6 @@ fr:
       logout: Déconnexion OpenID Connect
     passwords:
       change: Changez le mot de passe de votre compte
-      confirm: Confirmez le mot de passe de votre compte
       forgot: Réinitialisez le mot de passe
     personal_key: Juste au cas
     phone_setup: Obtenez votre code à usage unique

config/routes.rb

@@ -131,9 +131,6 @@
       post 'login/add_piv_cac/prompt' => 'users/piv_cac_setup_from_sign_in#decline'
       get 'login/add_piv_cac/success' => 'users/piv_cac_setup_from_sign_in#success'
       post 'login/add_piv_cac/success' => 'users/piv_cac_setup_from_sign_in#next'
-
-      get '/reauthn' => 'mfa_confirmation#new', as: :user_password_confirm
-      post '/reauthn' => 'mfa_confirmation#create', as: :reauthn_user_password
     end
 
     if IdentityConfig.store.enable_test_routes

spec/controllers/mfa_confirmation_controller_spec.rb

@@ -10,133 +10,4 @@
       expect(response.status).to eq 200
     end
   end
-
-  describe '#new' do
-    it 'presents the password confirmation form' do
-      stub_sign_in
-
-      get :new
-
-      expect(response.status).to eq 200
-      expect(session[:password_attempts]).to eq 0
-    end
-
-    it 'does not reset password attempts if already set' do
-      stub_sign_in
-      session[:password_attempts] = 1
-
-      get :new
-
-      expect(session[:password_attempts]).to eq 1
-    end
-  end
-
-  describe '#create' do
-    let(:user) { build(:user, password: 'password') }
-
-    before do
-      stub_sign_in(user)
-      stub_attempts_tracker
-      allow(@irs_attempts_api_tracker).to receive(:track_event)
-      session[:password_attempts] = 1
-    end
-
-    context 'password is empty' do
-      it 'redirects with error message and increments password attempts' do
-        post :create, params: { user: { password: '' } }
-
-        expect(@irs_attempts_api_tracker).to have_received(:track_event).
-          with(:logged_in_profile_change_reauthentication_submitted, success: false)
-
-        expect(response).to redirect_to(user_password_confirm_path)
-        expect(flash[:error]).to eq t('errors.confirm_password_incorrect')
-        expect(session[:password_attempts]).to eq 2
-      end
-    end
-
-    context 'password is wrong' do
-      it 'redirects with error message and increments password attempts' do
-        post :create, params: { user: { password: 'wrong' } }
-
-        expect(@irs_attempts_api_tracker).to have_received(:track_event).
-          with(:logged_in_profile_change_reauthentication_submitted, success: false)
-
-        expect(response).to redirect_to(user_password_confirm_path)
-        expect(flash[:error]).to eq t('errors.confirm_password_incorrect')
-        expect(session[:password_attempts]).to eq 2
-      end
-
-      context 'session data is missing' do
-        before do
-          session.delete(:password_attempts)
-        end
-
-        it 'redirects and increments the password count' do
-          post :create, params: { user: { password: 'wrong' } }
-
-          expect(@irs_attempts_api_tracker).to have_received(:track_event).
-            with(:logged_in_profile_change_reauthentication_submitted, success: false)
-
-          expect(response).to redirect_to(user_password_confirm_path)
-          expect(session[:password_attempts]).to eq 1
-        end
-      end
-    end
-
-    context 'password is correct' do
-      it 'redirects to 2FA and resets password attempts' do
-        post :create, params: { user: { password: 'password' } }
-
-        expect(@irs_attempts_api_tracker).to have_received(:track_event).
-          with(:logged_in_profile_change_reauthentication_submitted, success: true)
-
-        expect(response).to redirect_to(user_two_factor_authentication_path(reauthn: true))
-        expect(session[:password_attempts]).to eq 0
-      end
-    end
-  end
-
-  describe 'password attempts counter' do
-    context 'max password attempts reached' do
-      it 'signs the user out' do
-        user = create(:user, :fully_registered)
-        sign_in user
-        session[:password_attempts] = 0
-        stub_analytics
-        stub_attempts_tracker
-        allow(@analytics).to receive(:track_event)
-        allow(@irs_attempts_api_tracker).to receive(:track_event)
-
-        max_allowed_attempts = IdentityConfig.store.password_max_attempts
-        max_allowed_attempts.times do
-          post :create, params: { user: { password: 'wrong' } }
-        end
-
-        expect(response).to redirect_to(root_path)
-        expect(controller.current_user).to be_nil
-        expect(flash[:error]).to eq t('errors.max_password_attempts_reached')
-        expect(@analytics).to have_received(:track_event).
-          with('Password Max Attempts Reached')
-        expect(@irs_attempts_api_tracker).to have_received(:track_event).
-          with(:logged_in_profile_change_reauthentication_rate_limited)
-      end
-    end
-
-    context 'last password attempt is correct' do
-      it 'does not sign the user out' do
-        user = build_stubbed(:user, password: 'password')
-        stub_sign_in user
-        session[:password_attempts] = 0
-
-        max_allowed_attempts = IdentityConfig.store.password_max_attempts
-        (max_allowed_attempts - 1).times do
-          post :create, params: { user: { password: 'wrong' } }
-        end
-
-        post :create, params: { user: { password: 'password' } }
-
-        expect(response).to redirect_to user_two_factor_authentication_path(reauthn: true)
-      end
-    end
-  end
 end

spec/controllers/users/two_factor_authentication_controller_spec.rb

@@ -11,7 +11,6 @@
       expect(subject).to have_actions(
         :before,
         :authenticate_user,
-        [:require_current_password, if: :current_password_required?],
         :check_already_authenticated,
         :reset_attempt_count_if_user_no_longer_locked_out,
         :apply_secure_headers_override,