18F · kevinsmaster5 · Sep 26, 2023 · Sep 7, 2023 · Sep 11, 2023 · Sep 12, 2023
diff --git a/app/controllers/two_factor_authentication/otp_verification_controller.rb b/app/controllers/two_factor_authentication/otp_verification_controller.rb
@@ -178,6 +178,7 @@ def phone_view_data
         confirmation_for_add_phone: confirmation_for_add_phone?,
         phone_number: display_phone_to_deliver_to,
         code_value: direct_otp_code,
+        in_multi_mfa_selection_flow: in_multi_mfa_selection_flow?,
         otp_expiration: otp_expiration,
         otp_delivery_preference: params[:otp_delivery_preference],
         otp_make_default_number: selected_otp_make_default_number,

diff --git a/app/presenters/two_factor_auth_code/phone_delivery_presenter.rb b/app/presenters/two_factor_auth_code/phone_delivery_presenter.rb
@@ -7,9 +7,11 @@ class PhoneDeliveryPresenter < TwoFactorAuthCode::GenericDeliveryPresenter
     attr_reader :otp_delivery_preference,
                 :otp_make_default_number,
                 :unconfirmed_phone,
-                :otp_expiration
+                :otp_expiration,
+                :in_multi_mfa_selection_flow
 
     alias_method :unconfirmed_phone?, :unconfirmed_phone
+    alias_method :in_multi_mfa_selection_flow?, :in_multi_mfa_selection_flow
 
     def header
       t('two_factor_authentication.header_text')
@@ -58,7 +60,9 @@ def troubleshooting_options
 
     def cancel_link
       locale = LinkLocaleResolver.locale
-      if confirmation_for_add_phone || reauthn
+      if in_multi_mfa_selection_flow
+        authentication_methods_setup_path(locale: locale)
+      elsif confirmation_for_add_phone || reauthn
         account_path(locale: locale)
       else
         sign_out_path(locale: locale)

diff --git a/app/views/two_factor_authentication/otp_verification/show.html.erb b/app/views/two_factor_authentication/otp_verification/show.html.erb
@@ -62,7 +62,6 @@
 <% end %>
 
 <%= render 'two_factor_authentication/troubleshooting_options', presenter: @presenter %>
-
 <% if MfaPolicy.new(current_user).two_factor_enabled? %>
   <%= render 'shared/cancel', link: @presenter.cancel_link %>
 <% else %>

diff --git a/spec/features/two_factor_authentication/multiple_mfa_sign_up_spec.rb b/spec/features/two_factor_authentication/multiple_mfa_sign_up_spec.rb
@@ -266,6 +266,36 @@
     end
   end
 
+  describe 'adding a phone as a second mfa' do
+    it 'at setup, phone as second MFA show a cancel link that returns to mfa setup' do
+      allow(IdentityConfig.store).to receive(:platform_auth_set_up_enabled).and_return(true)
+      allow(IdentityConfig.store).
+        to receive(:show_unsupported_passkey_platform_authentication_setup).
+        and_return(true)
+
+      sign_up_and_set_password
+      mock_webauthn_setup_challenge
+      select_2fa_option('webauthn_platform', visible: :all)
+
+      click_continue
+      fill_in_nickname_and_click_continue
+      mock_press_button_on_hardware_key_on_setup
+
+      click_link t('mfa.add')
+
+      select_2fa_option('phone')
+      click_continue
+
+      fill_in :new_phone_form_phone, with: '3015551212'
+      click_send_one_time_code
+
+      expect(page).to have_link(
+        t('links.cancel'),
+        href: authentication_methods_setup_path,
+      )
+    end
+  end
+
   def click_2fa_option(option)
     find("label[for='two_factor_options_form_selection_#{option}']").click
   end