From a4755102c86819170dd5da84bca5b7823a038dc8 Mon Sep 17 00:00:00 2001
From: jose-verdance
Date: Wed, 27 May 2026 15:24:47 -0400
Subject: [PATCH 1/4] dpc-5454 - adding initail updates to omniauth and login_dot_gov_controller and tests

---
 .../controllers/login_dot_gov_controller.rb | 2 +-
 dpc-portal/config/initializers/omniauth.rb | 2 +-
 .../spec/requests/login_dot_gov_spec.rb | 66 ++-----------------
 3 files changed, 7 insertions(+), 63 deletions(-)

diff --git a/dpc-portal/app/controllers/login_dot_gov_controller.rb b/dpc-portal/app/controllers/login_dot_gov_controller.rb
index e75c6d8a9..c88f9c3ae 100644
--- a/dpc-portal/app/controllers/login_dot_gov_controller.rb
+++ b/dpc-portal/app/controllers/login_dot_gov_controller.rb
@@ -131,7 +131,7 @@ def ial_2_actions(user, auth)
   end
 
   def path(user, auth)
-    if user.blank? && auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/1'
+    if user.blank? && auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/2'
       Rails.logger.info(['User logged in without account',
                          { actionContext: LoggingConstants::ActionContext::Authentication,
                            actionType: LoggingConstants::ActionType::UserLoginWithoutAccount }])
diff --git a/dpc-portal/config/initializers/omniauth.rb b/dpc-portal/config/initializers/omniauth.rb
index c2a3d3fb8..65fc06260 100644
--- a/dpc-portal/config/initializers/omniauth.rb
+++ b/dpc-portal/config/initializers/omniauth.rb
@@ -21,7 +21,7 @@
      discovery: true,
      scope: %i[openid email all_emails],
      response_type: :code,
-     acr_values: 'http://idmanagement.gov/ns/assurance/ial/1',
+     acr_values: 'http://idmanagement.gov/ns/assurance/ial/2',
      client_auth_method: :jwt_bearer,
      client_options: {
        port: 443,
diff --git a/dpc-portal/spec/requests/login_dot_gov_spec.rb b/dpc-portal/spec/requests/login_dot_gov_spec.rb
index fc1c13225..ff90241b2 100644
--- a/dpc-portal/spec/requests/login_dot_gov_spec.rb
+++ b/dpc-portal/spec/requests/login_dot_gov_spec.rb
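Review bot: `scope` two lines above the changed `acr_values` is still `%i[openid email all_emails]`, yet the spec fixtures added later in this series model IAL2 responses that carry `given_name`, `family_name` and `social_security_number`; as far as I recall, login.gov only returns those attributes when the matching scopes (`profile:name`, `social_security_number`) are requested, so either the fixtures overstate what the controller will receive in production or the scope needs extending. Requesting the SSN in particular should be a deliberate data-minimisation decision rather than something that drifts in via test data, and a comment on this line would pin it, e.g. `# IAL2 assurance only: no identity attributes (name, SSN) are requested, so raw_info carries email/all_emails/ial`. The provider block this hash belongs to opens before the hunk.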
@@ -94,67 +94,10 @@
   end
 
   context :user_does_not_exist do
-    it 'does not sign in user' do
-      post '/auth/login_dot_gov'
-      follow_redirect!
-      expect(response.location).to eq organizations_url
-      expect(response).to be_redirect
-      follow_redirect!
-      expect(response).to be_redirect
-    end
-
-    it 'sets authentication token' do
-      post '/auth/login_dot_gov'
-      follow_redirect!
-      expect(request.session[:login_dot_gov_token]).to eq token
-      expect(request.session[:login_dot_gov_token_exp]).to_not be_nil
-      expect(request.session[:login_dot_gov_token_exp]).to be_within(1.second).of 899.seconds.from_now
-    end
-  end
-end
-
-context 'IAL/1' do
-  before do
-    OmniAuth.config.test_mode = true
-    OmniAuth.config.add_mock(:login_dot_gov,
-                             { uid: uuid,
-                               info: { email: 'bob3@example.com' },
-                               extra: { raw_info: { all_emails: %w[bob3@example.com bobby@example.com],
-                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
-  end
-
-  it_behaves_like 'an openid client'
-
-  context :user_exists do
-    before do
-      user = create(:user, email: 'bob3@example.com', given_name: 'Bob',
-                           family_name: 'Hoskins')
-      create(:csp_user, user:, uuid:, csp:)
-    end
-    it 'does not update user names' do
-      expect(User.where(email: 'bob3@example.com', given_name: 'Bob',
-                        family_name: 'Hoskins').count).to eq 1
-      post '/auth/login_dot_gov'
-      follow_redirect!
-      expect(response.location).to eq organizations_url
-      expect(User.where(email: 'bob3@example.com', given_name: 'Bob',
-                        family_name: 'Hoskins').count).to eq 1
-    end
-
-    it 'does not set authentication token' do
-      post '/auth/login_dot_gov'
-      follow_redirect!
-      expect(request.session[:login_dot_gov_token]).to be_nil
-      expect(request.session[:login_dot_gov_token_exp]).to be_nil
-    end
-  end
-
-  context 'user does not exist' do
     it 'does not sign in user' do
       post '/auth/login_dot_gov'
       follow_redirect!
       expect(response.location).to eq no_account_url
-      expect(response).to be_redirect
     end
 
     it 'should log' do
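Review bot: The surviving example `it 'does not sign in user'` verifies only that the redirect target is `no_account_url`; with `expect(response).to be_redirect` removed it no longer asserts the response status, and nothing in it checks that no authenticated session was established, which is what the example's name promises. I would restore `expect(response).to be_redirect` and add an assertion on whatever session key the app uses to mark a signed-in user (it cannot be `:login_dot_gov_token`, since the following hunk expects that to be set on this very path). The `context` blocks enclosing this example open above the hunk.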
@@ -168,11 +111,12 @@
       follow_redirect!
     end
 
-    it 'does not set authentication token' do
+    it 'sets authentication token' do
       post '/auth/login_dot_gov'
       follow_redirect!
-      expect(request.session[:login_dot_gov_token]).to be_nil
-      expect(request.session[:login_dot_gov_token_exp]).to be_nil
+      expect(request.session[:login_dot_gov_token]).to eq token
+      expect(request.session[:login_dot_gov_token_exp]).to_not be_nil
+      expect(request.session[:login_dot_gov_token_exp]).to be_within(1.second).of 899.seconds.from_now
     end
   end
 end
@@ -316,7 +260,7 @@
                              { uid: uuid,
                                info: { email: 'bob4@example.com' },
                                extra: { raw_info: { all_emails: %w[bob4@example.com bobby@example.com],
-                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
+                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
   end
 
   it 'should log error' do

From 5377086317436a0876791c89abdebf341471ce5f Mon Sep 17 00:00:00 2001
From: jose-verdance
Date: Wed, 27 May 2026 16:13:48 -0400
Subject: [PATCH 2/4] dpc-5454 - updating addition spec for ial2 login

---
 dpc-portal/spec/support/login_support.rb | 9 +++++++--
 dpc-portal/spec/system/accessibility_spec.rb | 9 +++++++--
 dpc-portal/spec/system/new_invitation_spec.rb | 9 +++++++--
 3 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/dpc-portal/spec/support/login_support.rb b/dpc-portal/spec/support/login_support.rb
index d75f49924..3273e8b54 100644
--- a/dpc-portal/spec/support/login_support.rb
+++ b/dpc-portal/spec/support/login_support.rb
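Review bot: The rewritten `it 'sets authentication token'` locks in that a visitor who authenticated at IAL2 but has no portal account still gets the login.gov bearer token and its expiry written to `request.session`, where the previous expectation on this path was that both stay nil. Holding an upstream access token in the session of a visitor who has no account widens what a hijacked session cookie is good for, so if the no-account flow never consumes it the controller should not store it here (and this example should go back to asserting nil); if it is needed for later account linking, say so above the example, e.g. `# token is retained so the no-account flow can finish account setup`. The code that stores the token is `ial_2_actions`, whose body lies outside this hunk, so I cannot tell from the patch which case applies.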
@@ -11,9 +11,14 @@ def sign_in(user)
     OmniAuth.config.test_mode = true
     OmniAuth.config.add_mock(csp.name,
                              { uid: csp_user.uuid,
+                               credentials: { expires_in: 899,
+                                              token: 'bearer-token' },
                                info: { email: user.email },
-                               extra: { raw_info: { all_emails: [user.email],
-                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
+                               extra: { raw_info: { given_name: 'Bob',
+                                                    family_name: 'Hoskins',
+                                                    social_security_number: '1-2-3',
+                                                    all_emails: [user.email],
+                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
     post '/auth/login_dot_gov'
     follow_redirect!
   end
diff --git a/dpc-portal/spec/system/accessibility_spec.rb b/dpc-portal/spec/system/accessibility_spec.rb
index 6e1c6441b..eed8d1809 100644
--- a/dpc-portal/spec/system/accessibility_spec.rb
+++ b/dpc-portal/spec/system/accessibility_spec.rb
@@ -18,9 +18,14 @@
     OmniAuth.config.test_mode = true
     OmniAuth.config.add_mock(:login_dot_gov,
                              { uid:,
+                               credentials: { expires_in: 899,
+                                              token: 'bearer-token' },
                                info: { email: 'bob@example.com' },
-                               extra: { raw_info: { all_emails: %w[bob@example.com bob2@example.com],
-                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
+                               extra: { raw_info: { given_name: 'Bob',
+                                                    family_name: 'Hoskins',
+                                                    social_security_number: '1-2-3',
+                                                    all_emails: %w[bob@example.com bob2@example.com],
+                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
   end
   def sign_in
     visit '/auth/login_dot_gov/callback'
diff --git a/dpc-portal/spec/system/new_invitation_spec.rb b/dpc-portal/spec/system/new_invitation_spec.rb
index b14645902..27579bbba 100644
--- a/dpc-portal/spec/system/new_invitation_spec.rb
+++ b/dpc-portal/spec/system/new_invitation_spec.rb
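Review bot: The `social_security_number: '1-2-3'` added to the mock's `raw_info` is not shaped like an SSN and is not covered by the app's configured OmniAuth scope (`openid email all_emails` in the initializer), so a real IAL2 response under this configuration would not carry it; unless the controller actually reads this field, drop it from the fixture rather than normalising a PII attribute into every signed-in test, and if it does read it, use a realistically formatted value so any format handling is exercised for real. The same hash is now duplicated in `login_support.rb`, `accessibility_spec.rb` and `new_invitation_spec.rb`; one helper in `login_support.rb` taking the uid and email(s) would keep the three from drifting the next time the IAL or claims change. `sign_in` begins at the hunk header, so its definition line is just outside the hunk.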
@@ -15,9 +15,14 @@
     OmniAuth.config.test_mode = true
     OmniAuth.config.add_mock(:login_dot_gov,
                              { uid:,
+                               credentials: { expires_in: 899,
+                                              token: 'bearer-token' },
                                info: { email: 'bob@example.com' },
-                               extra: { raw_info: { all_emails: %w[bob@example.com bob2@example.com],
-                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/1' } } })
+                               extra: { raw_info: { given_name: 'Bob',
+                                                    family_name: 'Hoskins',
+                                                    social_security_number: '1-2-3',
+                                                    all_emails: %w[bob@example.com bob2@example.com],
+                                                    ial: 'http://idmanagement.gov/ns/assurance/ial/2' } } })
   end
   def sign_in
     visit '/auth/login_dot_gov/callback'

From 68e49a6e636aca779b9bda259015ec7b87b09a25 Mon Sep 17 00:00:00 2001
From: jose-verdance
Date: Mon, 1 Jun 2026 17:22:26 -0400
Subject: [PATCH 3/4] dpc-5454 - updating controller logic to just check if portal account is avaible before redirect to no account

---
 dpc-portal/app/controllers/login_dot_gov_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dpc-portal/app/controllers/login_dot_gov_controller.rb b/dpc-portal/app/controllers/login_dot_gov_controller.rb
index c88f9c3ae..b5543e4f6 100644
--- a/dpc-portal/app/controllers/login_dot_gov_controller.rb
+++ b/dpc-portal/app/controllers/login_dot_gov_controller.rb
@@ -131,7 +131,7 @@ def ial_2_actions(user, auth)
   end
 
   def path(user, auth)
-    if user.blank? && auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/2'
+    if user.blank?
       Rails.logger.info(['User logged in without account',
                          { actionContext: LoggingConstants::ActionContext::Authentication,
                            actionType: LoggingConstants::ActionType::UserLoginWithoutAccount }])

From ffa17199cbf6c12915dc15e46449c91a36753f7b Mon Sep 17 00:00:00 2001
From: jose-verdance
Date: Tue, 2 Jun 2026 09:51:50 -0400
Subject: [PATCH 4/4] dpc-5454 - addressing linter issues

---
 dpc-portal/app/controllers/login_dot_gov_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
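Review bot: Dropping the `auth.extra.raw_info.ial` comparison from `path` leaves nothing visible in this series that checks the assurance level login.gov actually returned, so the IAL2 guarantee now rests entirely on the IdP honouring the `acr_values` sent from the initializer. A relying party should still compare the returned `ial`/`acr` claim with the value it requested and refuse to treat the login as identity-proofed on a mismatch; otherwise a response issued at a lower level (for instance if the request parameter is lost or a lower ACR is negotiated) would flow through `ial_2_actions` unchanged, and after patch 1 every mock in the request spec returns `ial/2`, so no example covers that case. If that verification already happens above this hunk — `ial_2_actions` and the callback that calls `path` are outside it — a comment at `def path(user, auth)` such as `# caller has already verified raw_info.ial against the requested acr_values` would make that explicit; if not, keep a guard on `auth.extra.raw_info.ial == 'http://idmanagement.gov/ns/assurance/ial/2'` ahead of the account check and route mismatches to an error response rather than the no-account flow.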
diff --git a/dpc-portal/app/controllers/login_dot_gov_controller.rb b/dpc-portal/app/controllers/login_dot_gov_controller.rb
index b5543e4f6..85e426edc 100644
--- a/dpc-portal/app/controllers/login_dot_gov_controller.rb
+++ b/dpc-portal/app/controllers/login_dot_gov_controller.rb
@@ -130,8 +130,8 @@ def ial_2_actions(user, auth)
     session[:login_dot_gov_token_exp] = auth.credentials.expires_in.seconds.from_now
   end
 
-  def path(user, auth)
-    if user.blank?
+  def path(user, _auth)
+    if user.blank?
       Rails.logger.info(['User logged in without account',
                          { actionContext: LoggingConstants::ActionContext::Authentication,
                            actionType: LoggingConstants::ActionType::UserLoginWithoutAccount }])