-
Notifications
You must be signed in to change notification settings - Fork 58
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[82599] prevents new user verification creation for locked CSPs #16770
Conversation
b07901c
to
2019ecd
Compare
2019ecd
to
abd1ced
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Few comments for some small updates, otherwise looks good!
bcef8be
to
af9b8f9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry, couple more changes, I realized this was in a transaction so we can't have the log directly in there
187fcc2
to
b956d26
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just one tiny comment that I found, otherwise looks good
app/services/login/user_verifier.rb
Outdated
end | ||
|
||
def locked | ||
@locked ||= existing_user_account&.user_verifications&.send(login_type)&.where(locked: true).present? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you start with function with return false unless existing_user_account
?
This way you can remove all of the safety &.
operators here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I removed it from the user_account & user_verification since we know they'll be there with the guard clause, but the last one I think needs to stay because most times the existing account won't have a user_verification of the CSP type so it will be trying to call .where
on a nil
value.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
actually, you don't have to worry about nil
, this is the beauty of ActiveRecord chaining:
UserAccount.last.user_verifications.send(:dslogon)
=> []
And then if you call .where
on the result of this:
UserAccount.last.user_verifications.send(:dslogon).where(locked: true)
=> []
How is that possible? It's because ActiveRecord queries actually return an ActiveRecord_AssociationRelation
, which you can still chain queries off of even if it's empty:
UserAccount.last.user_verifications.send(:dslogon).class
=> UserVerification::ActiveRecord_AssociationRelation
5cd3b58
to
8b1d0bc
Compare
8b1d0bc
to
3b07da7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created a new user verification, confirmed that locked: false, as expected. Set the user_verification.locked: true, then created yet another user verification but with the same ICN as the old one. Confirmed a new user verification was created with user_verification.locked: true
Summary
Related issue(s)
Testing done
To test, select the (Login.gov) user you wish to use and locate its corresponding UserAccount. Then delete the existing UserVerification if it exists and create a linked UserVerification that is locked.
locked
status and will setlocked
to true for the new UserVerification, as well as log the event.Rails -- [Login::UserVerifier] Locked UserVerification created for type=logingov_uuid identifier=e444837a-e88b-4f59-87da-10d3c74c787b
/token
with the selected user - login should be prevented by the existing credential lock behavior and Rails will throw an error:[SignInService] [V0::SignInController] token error -- { :errors => "Credential is locked" }
What areas of the site does it impact?
Authentication, new user creation
Acceptance criteria