18F · mdiarra3 · Dec 19, 2023 · Dec 12, 2023 · Dec 13, 2023 · Dec 13, 2023
diff --git a/app/controllers/two_factor_authentication/personal_key_verification_controller.rb b/app/controllers/two_factor_authentication/personal_key_verification_controller.rb
@@ -46,6 +46,7 @@ def handle_result(result)
         _event, disavowal_token = create_user_event_with_disavowal(:personal_key_used)
         alert_user_about_personal_key_sign_in(disavowal_token)
         remove_personal_key
+
         handle_valid_otp
       else
         handle_invalid_otp(context: context, type: 'personal_key')
@@ -74,7 +75,8 @@ def handle_valid_otp
       )
       if current_user.identity_verified? || current_user.password_reset_profile.present?
         redirect_to manage_personal_key_url
-      elsif MfaPolicy.new(current_user).two_factor_enabled?
+      elsif MfaPolicy.new(current_user).two_factor_enabled? &&
+            !FeatureManagement.enable_additional_mfa_redirect_for_personal_key_mfa?
         redirect_to after_mfa_setup_path
       else
         redirect_to authentication_methods_setup_url

diff --git a/config/application.yml.default b/config/application.yml.default
@@ -96,6 +96,7 @@ email_from_display_name: Login.gov
 email_registrations_per_ip_limit: 20
 email_registrations_per_ip_period: 20
 email_registrations_per_ip_track_only_mode: false
+enable_add_mfa_redirect_for_personal_key: false
 enable_load_testing_mode: false
 enable_rate_limiting: true
 enable_test_routes: true

diff --git a/lib/feature_management.rb b/lib/feature_management.rb
@@ -39,6 +39,10 @@ def self.enable_load_testing_mode?
     IdentityConfig.store.enable_load_testing_mode
   end
 
+  def self.enable_additional_mfa_redirect_for_personal_key_mfa?
+    IdentityConfig.store.enable_add_mfa_redirect_for_personal_key
+  end
+
   def self.use_kms?
     IdentityConfig.store.use_kms
   end

diff --git a/lib/identity_config.rb b/lib/identity_config.rb
@@ -201,6 +201,7 @@ def self.build_store(config_map)
     config.add(:email_registrations_per_ip_limit, type: :integer)
     config.add(:email_registrations_per_ip_period, type: :integer)
     config.add(:email_registrations_per_ip_track_only_mode, type: :boolean)
+    config.add(:enable_add_mfa_redirect_for_personal_key, type: :boolean)
     config.add(:enable_load_testing_mode, type: :boolean)
     config.add(:enable_rate_limiting, type: :boolean)
     config.add(:enable_test_routes, type: :boolean)

diff --git a/spec/controllers/two_factor_authentication/personal_key_verification_controller_spec.rb b/spec/controllers/two_factor_authentication/personal_key_verification_controller_spec.rb
@@ -80,6 +80,32 @@
           expect(subject.user_session[TwoFactorAuthenticatable::NEED_AUTHENTICATION]).to eq false
         end
       end
+
+      context 'with enable_additional_mfa_redirect_for_personal_key_mfa? set to true' do
+        before do
+          personal_key
+          sign_in_before_2fa(user)
+          allow(FeatureManagement).
+            to receive(:enable_additional_mfa_redirect_for_personal_key_mfa?).and_return(true)
+        end
+        it 'should redirect to mfa selection page' do
+          post :create, params: payload
+          expect(response).to redirect_to(authentication_methods_setup_url)
+        end
+      end
+
+      context 'with enable_additional_mfa_redirect_for_personal_key_mfa? set to false' do
+        before do
+          personal_key
+          sign_in_before_2fa(user)
+          allow(FeatureManagement).
+            to receive(:enable_additional_mfa_redirect_for_personal_key_mfa?).and_return(false)
+        end
+        it 'should redirect to account page' do
+          post :create, params: payload
+          expect(response).to redirect_to(account_path)
+        end
+      end
     end
 
     it 'does generate a new personal key after the user signs in with their old one' do