Skip to content

Modify the SP requirement for IdV to require the SP to request verification #9663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jmhooper merged 1 commit into from
Nov 27, 2023
Merged

Modify the SP requirement for IdV to require the SP to request verification #9663

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 10 additions & 4 deletions app/controllers/concerns/idv_session.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ module IdvSession

included do
before_action :redirect_unless_idv_session_user
before_action :redirect_if_sp_context_needed
before_action :redirect_unless_sp_requested_verification
end

def confirm_idv_needed
Expand Down Expand Up @@ -53,11 +53,17 @@ def redirect_unless_idv_session_user
redirect_to root_url if !idv_session_user
end

def redirect_if_sp_context_needed
return if sp_from_sp_session.present?
return unless IdentityConfig.store.idv_sp_required
def redirect_unless_sp_requested_verification
return if !IdentityConfig.store.idv_sp_required
return if idv_session_user.profiles.any?

ial_context = IalContext.new(
ial: sp_session_ial,
service_provider: sp_from_sp_session,
user: idv_session_user,
)
return if ial_context.ial2_or_greater?

redirect_to account_url
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/by_mail/request_letter_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@
end

it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/cancellations_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
RSpec.describe Idv::CancellationsController do
describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/enter_password_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@
end

it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/forgot_password_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
RSpec.describe Idv::ForgotPasswordController do
describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/otp_verification_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/personal_key_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,7 +51,7 @@ def stub_idv_session
end

it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end

describe '#confirm_profile_has_been_created' do
Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/phone_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/phone_errors_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@
shared_examples_for 'an idv phone errors controller action' do
describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/resend_otp_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
2 changes: 1 addition & 1 deletion spec/controllers/idv/session_errors_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@

describe 'before_actions' do
it 'includes before_actions from IdvSession' do
expect(subject).to have_actions(:before, :redirect_if_sp_context_needed)
expect(subject).to have_actions(:before, :redirect_unless_sp_requested_verification)
end
end

Expand Down
86 changes: 70 additions & 16 deletions spec/controllers/idv_controller_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,30 +167,71 @@
expect(response).to redirect_to idv_welcome_path
end

context 'no SP context' do
describe 'SP for IdV requirement' do
let(:current_sp) { create(:service_provider) }
let(:ial) { 2 }
let(:user) { build(:user, password: ControllerHelper::VALID_PASSWORD) }

before do
stub_sign_in(user)
session[:sp] = {}
if current_sp.present?
session[:sp] = { issuer: current_sp.issuer, ial: ial }
else
session[:sp] = {}
end
allow(IdentityConfig.store).to receive(:idv_sp_required).and_return(idv_sp_required)
end

context 'sp required' do
let(:idv_sp_required) { true }
context 'without an SP context' do
let(:current_sp) { nil }

it 'redirects back to the account page' do
get :index
context 'when an SP is required' do
let(:idv_sp_required) { true }

expect(response).to redirect_to account_url
it 'redirects back to the account page' do
get :index
expect(response).to redirect_to account_url
end

it 'begins the proofing process if the user has a profile' do
create(:profile, :verified, user: user)
get :index
expect(response).to redirect_to idv_welcome_url
Copy link
Copy Markdown
Contributor

@soniaconnolly soniaconnolly Nov 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like this says if an SP is required but not present, and the user already has a verified profile, they restart proofing. Is that correct? I would expect it not to proof if they're already verified.

Copy link
Copy Markdown
Contributor Author

@jmhooper jmhooper Nov 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The profile is verified, but not active. The logic allows a user who has gone through proofing before to go through proofing again without an SP requesting IdV for them. This enables things like proofing again after resetting a password without a personal key.

end
end

context 'user has an existing profile' do
let(:user) do
profile = create(:profile)
profile.user
context 'no SP required' do
let(:idv_sp_required) { false }

it 'begins the identity proofing process' do
get :index

expect(response).to redirect_to idv_welcome_url
end
end
end

context 'with an SP context that does not require IdV' do
let(:ial) { 1 }

context 'when an SP is required' do
let(:idv_sp_required) { true }

it 'redirects back to the account page' do
get :index
expect(response).to redirect_to account_url
end

it 'begins the proofing process if the user has a profile' do
create(:profile, :verified, user: user)
get :index
expect(response).to redirect_to idv_welcome_url
end
end

context 'no SP required' do
let(:idv_sp_required) { false }

it 'begins the identity proofing process' do
get :index

Expand All @@ -199,13 +240,26 @@
end
end

context 'sp not required' do
let(:idv_sp_required) { false }
context 'with an SP context that requires IdV' do
let(:ial) { 2 }

context 'when an SP is required' do
let(:idv_sp_required) { true }

it 'begins the identity proofing process' do
get :index
expect(response).to redirect_to idv_welcome_url
end
end

context 'no SP required' do
let(:idv_sp_required) { false }

it 'begins the identity proofing process' do
get :index
it 'begins the identity proofing process' do
get :index

expect(response).to redirect_to idv_welcome_url
expect(response).to redirect_to idv_welcome_url
end
end
end
end
Expand Down