From d14d7a6b8814870a205db7e692354b7c9d429444 Mon Sep 17 00:00:00 2001
From: Sonia Connolly
Date: Fri, 27 Oct 2023 11:15:09 -0700
Subject: [PATCH] Don't redirect to PhoneQuestion from HybridHandoff if referer is nil

We see that referer is nil if the user tries to visit idv_link_sent_url while still on HybridHandoff. Not sure why, but web search indicates that the user can turn off referer in the HTTP header, which would cause a redirect loop in #maybe_redirect_for_phone_question_ab_test. So this adds a check for nil referer in that method.

[skip changelog]

Co-authored-by: Doug Price
Co-authored-by: Amir Reavis-Bey
Co-authored-by: Jessica Dembe:
---
 .../concerns/idv/phone_question_ab_test_concern.rb | 1 +
 spec/features/idv/doc_auth/hybrid_handoff_spec.rb | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/app/controllers/concerns/idv/phone_question_ab_test_concern.rb b/app/controllers/concerns/idv/phone_question_ab_test_concern.rb
index 69a8e082d9a..30260e58af2 100644
--- a/app/controllers/concerns/idv/phone_question_ab_test_concern.rb
+++ b/app/controllers/concerns/idv/phone_question_ab_test_concern.rb
@@ -14,6 +14,7 @@ def phone_question_user
   def maybe_redirect_for_phone_question_ab_test
     return if phone_question_ab_test_bucket != :show_phone_question
+    return if request.referer.blank? # avoid redirect loop
     return if request.referer == idv_phone_question_url
     return if request.referer == idv_link_sent_url
     return if request.referer == idv_hybrid_handoff_url
diff --git a/spec/features/idv/doc_auth/hybrid_handoff_spec.rb b/spec/features/idv/doc_auth/hybrid_handoff_spec.rb
index b6bd723911b..0008895d958 100644
--- a/spec/features/idv/doc_auth/hybrid_handoff_spec.rb
+++ b/spec/features/idv/doc_auth/hybrid_handoff_spec.rb
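Review bot: The added `blank?` guard closes the nil case, but the three comparisons under it still test the raw Referer against the full `_url` strings, so a referring URL that carries a query string, or a scheme/host rewritten by a proxy, would fail all three and the redirect would fire again (whether those pages are ever reached with such URLs is not visible here). Referer is also a client-supplied, optional header, so this guard is best-effort routing rather than a gate, which the comment should say instead of the bare `# avoid redirect loop`. Comparing the parsed path against the `_path` helpers through a small `referer_path` helper addresses both points; sketch below. The rest of `maybe_redirect_for_phone_question_ab_test` lies outside the hunk.
```ruby
  # Path component of the (client-supplied) Referer header; nil if absent or unparseable.
  def referer_path
    URI.parse(request.referer.to_s).path
  rescue URI::InvalidURIError
    nil
  end

  def maybe_redirect_for_phone_question_ab_test
    return if phone_question_ab_test_bucket != :show_phone_question
    # Referer is optional (privacy settings, Referrer-Policy) and untrusted; with no
    # usable path, don't redirect, or the pages that send users here would loop.
    # Comparing paths keeps a query string or proxy-rewritten host from defeating the guard.
    return if referer_path.blank?
    return if referer_path == idv_phone_question_path
    return if referer_path == idv_link_sent_path
    return if referer_path == idv_hybrid_handoff_path
    # … unchanged: remainder of the method (continues outside the hunk) …
```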
@@ -201,6 +201,11 @@
       expect(page).to have_current_path(idv_phone_question_path)
       click_link t('doc_auth.buttons.have_phone')
+      # added to test FlowPolicy behavior with PhoneQuestion
+      expect(page).to have_current_path(idv_hybrid_handoff_path)
+      visit(idv_link_sent_url)
+      expect(page).to have_current_path(idv_hybrid_handoff_path)
+
       freeze_time do
         idv_send_link_max_attempts.times do
           expect(page).to_not have_content(
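Review bot: The new comment `# added to test FlowPolicy behavior with PhoneQuestion` records when the lines were added rather than what they pin, so a reader cannot tell why the second `have_current_path(idv_hybrid_handoff_path)` is expected after `visit(idv_link_sent_url)`. If I recall correctly Capybara's rack_test `visit` sends no Referer header, which is exactly what exercises the blank-referer guard this commit adds — worth confirming and stating. Suggested wording: `# Visiting link_sent directly sends no Referer; the AB-test redirect must not loop and we should land back on hybrid handoff`. The surrounding example starts and ends outside the hunk.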