LG-10022: Add second MFA reminder screen

[aduth]

🎫 Ticket

LG-10022

🛠 Summary of changes

Adds a new MFA reminder screen that shows if the user only has a single MFA method, upon the first of either (a) the user has signed in 10 or more times or (b) their account is 30 days old.

📜 Testing Plan

It's easiest to test by setting an artificially low config override for sign-ins or account page, e.g. in config/application.yml:

second_mfa_reminder_sign_in_count: 2

1. Go to http://localhost:3000
2. Create an account
3. After account creation, sign out
4. Sign in
5. Observe that you are prompted with the screen in screenshots below if (and only if) you had set up a single method during account creation
6. Click one of the action buttons
7. Observe that:
   a. If you chose to set up another MFA method, you're redirected to the MFA setup screen, with a "Cancel" link at the bottom
   b. If you chose to Continue, you're redirected to your account dashboard (or to the partner if coming from a partner authentication request)
8. Sign out
9. Sign in
10. Observe that you are not prompted with the screen in screenshots below regardless of which action you took at Step 6

👀 Screenshots

[aduth]

Another thing to sort out while draft: I need to add more logging to satisfy the AC:

• Log when the user successfully sets up MFA after clicking upsell Edit: Added in 87236b1

[aduth]

Since I expect this page will get a lot of traffic and we're adding new routes which won't exist on old boxes during 50/50 state, I think I'm going to add a temporary feature flag so that we can get the code fully deployed before turning this on, to handle that more gracefully.

[aduth]

I found an issue here where clicking "Continue to [SP]" looks like it just refreshes the page when authenticating with a partner with whom the user has already consented. I'm wondering if it's an issue where we're expecting to redirect to after_sign_in_path_for, which would try immediately concluding the authentication via sp_session_request_url_with_updated_params, but since this is initiated by a PUT (not a POST), it doesn't work as expected. I think we've seen issues like this in the past with trying to redirect to completion URLs 😕

[aduth]

I think we've seen issues like this in the past with trying to redirect to completion URLs 😕

More specifically there's a CSP violation when trying to POST back to the partner like this.

[aduth]

I found an issue here where clicking "Continue to [SP]" looks like it just refreshes the page when authenticating with a partner with whom the user has already consented.

This should be fixed now in 84b028a, the primary revision being the inclusion of apply_secure_headers_override.