security: enforce minimum IAL gate on address update and card replacement

James Blair · James Blair · commit 7c1f058bc244 · 2026-04-14T09:41:22.000-06:00
Closes authorization bypass where a user blocked from viewing household
data (403 on GET /household/data) could still modify it via PUT
/household/address or POST /household/cards/replace.

Both handlers now inject IMinimumIalService and check the user's IAL
against the case-derived minimum before proceeding with write operations.

Also adds ForbiddenResult handling to MvcResultExtensions so any handler
returning ForbiddenResult gets a consistent 403 ProblemDetails response.
diff --git a/src/SEBT.Portal.Kernel.AspNetCore/MvcResultExtensions.cs b/src/SEBT.Portal.Kernel.AspNetCore/MvcResultExtensions.cs
@@ -67,6 +67,10 @@ UnauthorizedResult when useProblemDetails
                 => result.ToProblemDetailsResult(HttpStatusCode.Forbidden),
             UnauthorizedResult when !useProblemDetails
                 => new ForbidResult(),
+            ForbiddenResult forbidden when useProblemDetails
+                => forbidden.ToProblemDetailsResult(HttpStatusCode.Forbidden),
+            ForbiddenResult when !useProblemDetails
+                => new StatusCodeResult((int)HttpStatusCode.Forbidden),
             DependencyFailedResult when useProblemDetails
                 => result.ToProblemDetailsResult(HttpStatusCode.BadGateway),
             DependencyFailedResult when !useProblemDetails
@@ -142,6 +146,10 @@ UnauthorizedResult<T> when useProblemDetails
                 => result.ToProblemDetailsResult(HttpStatusCode.Forbidden),
             UnauthorizedResult<T> when !useProblemDetails
                 => new ForbidResult(),
+            ForbiddenResult<T> forbidden when useProblemDetails
+                => forbidden.ToProblemDetailsWithExtensionsResult(HttpStatusCode.Forbidden),
+            ForbiddenResult<T> when !useProblemDetails
+                => new StatusCodeResult((int)HttpStatusCode.Forbidden),
             DependencyFailedResult<T> when useProblemDetails
                 => result.ToProblemDetailsResult(HttpStatusCode.BadGateway),
             DependencyFailedResult<T> when !useProblemDetails
@@ -168,4 +176,23 @@ public static IActionResult ToProblemDetailsResult(this Result result, HttpStatu
         {
             StatusCode = (int)statusCode,
         };
+
+    /// <summary>
+    /// Converts a <see cref="ForbiddenResult{T}"/> into a <see cref="ObjectResult"/> containing
+    /// <see cref="ProblemDetails"/> with the result's extensions merged in.
+    /// </summary>
+    private static IActionResult ToProblemDetailsWithExtensionsResult<T>(this ForbiddenResult<T> result, HttpStatusCode statusCode)
+    {
+        var problemDetails = new ProblemDetails
+        {
+            Title = "Insufficient identity assurance level",
+            Detail = result.Message,
+            Status = (int)statusCode,
+        };
+        foreach (var (key, value) in result.Extensions)
+        {
+            problemDetails.Extensions[key] = value;
+        }
+        return new ObjectResult(problemDetails) { StatusCode = (int)statusCode };
+    }
 }
diff --git a/src/SEBT.Portal.UseCases/Household/RequestCardReplacement/RequestCardReplacementCommandHandler.cs b/src/SEBT.Portal.UseCases/Household/RequestCardReplacement/RequestCardReplacementCommandHandler.cs
@@ -17,6 +17,7 @@ public class RequestCardReplacementCommandHandler(
     IValidator<RequestCardReplacementCommand> validator,
     IHouseholdIdentifierResolver resolver,
     IHouseholdRepository repository,
+    IMinimumIalService minimumIalService,
     TimeProvider timeProvider,
     ILogger<RequestCardReplacementCommandHandler> logger)
     : ICommandHandler<RequestCardReplacementCommand>
@@ -56,6 +57,19 @@ public async Task<Result> Handle(
             return Result.PreconditionFailed(PreconditionFailedReason.NotFound, "Household data not found.");
         }
 
+        // SECURITY: Block write operations when the user has not met the minimum IAL
+        // required by their cases. See docs/tdd/minimum-ial-determination.md.
+        var minimumIal = minimumIalService.GetMinimumIal(household.SummerEbtCases);
+        if (userIalLevel < minimumIal)
+        {
+            logger.LogInformation(
+                "Card replacement denied: user IAL {UserIal} is below minimum {MinimumIal}",
+                userIalLevel,
+                minimumIal);
+            return Result.Forbidden(
+                $"This household requires {minimumIal}. Complete identity verification to request card replacements.");
+        }
+
         var cooldownErrors = CheckCooldown(command.CaseIds, household, timeProvider);
         if (cooldownErrors.Count > 0)
         {
diff --git a/src/SEBT.Portal.UseCases/Household/UpdateAddress/UpdateAddressCommandHandler.cs b/src/SEBT.Portal.UseCases/Household/UpdateAddress/UpdateAddressCommandHandler.cs
@@ -26,6 +26,7 @@ public class UpdateAddressCommandHandler(
     IHouseholdIdentifierResolver resolver,
     IHouseholdRepository householdRepository,
     IIdProofingRequirementsService idProofingRequirementsService,
+    IMinimumIalService minimumIalService,
     IStateAddressUpdateService stateAddressUpdateService,
     ILogger<UpdateAddressCommandHandler> logger)
     : ICommandHandler<UpdateAddressCommand, AddressValidationResult>
@@ -110,6 +111,23 @@ public async Task<Result<AddressValidationResult>> Handle(UpdateAddressCommand c
         var household = await householdRepository.GetHouseholdByIdentifierAsync(
             identifier, piiVisibility, userIalLevel, cancellationToken);
 
+        if (household != null)
+        {
+            // SECURITY: Block write operations when the user has not met the minimum IAL
+            // required by their cases. See docs/tdd/minimum-ial-determination.md.
+            var minimumIal = minimumIalService.GetMinimumIal(household.SummerEbtCases);
+            if (userIalLevel < minimumIal)
+            {
+                logger.LogInformation(
+                    "Address update denied: user IAL {UserIal} is below minimum {MinimumIal}",
+                    userIalLevel,
+                    minimumIal);
+                return Result<AddressValidationResult>.Forbidden(
+                    $"This household requires {minimumIal}. Complete identity verification to update your address.",
+                    new Dictionary<string, object?> { ["requiredIal"] = minimumIal.ToString() });
+            }
+        }
+
         if (household is { BenefitIssuanceType: BenefitIssuanceType.SnapEbtCard or BenefitIssuanceType.TanfEbtCard })
         {
             logger.LogWarning(
diff --git a/test/SEBT.Portal.Tests/Unit/UseCases/DependenciesTests.cs b/test/SEBT.Portal.Tests/Unit/UseCases/DependenciesTests.cs
@@ -23,6 +23,7 @@ private static ServiceProvider BuildProviderWithUseCases()
         // Stub infrastructure dependencies that handlers need at construction time
         services.AddSingleton(Substitute.For<IHouseholdIdentifierResolver>());
         services.AddSingleton(Substitute.For<IHouseholdRepository>());
+        services.AddSingleton(Substitute.For<IMinimumIalService>());
         services.AddSingleton(TimeProvider.System);
         services.AddSingleton(typeof(ILogger<>), typeof(NullLogger<>));
 
diff --git a/test/SEBT.Portal.Tests/Unit/UseCases/Household/RequestCardReplacementCommandHandlerTests.cs b/test/SEBT.Portal.Tests/Unit/UseCases/Household/RequestCardReplacementCommandHandlerTests.cs
@@ -22,11 +22,19 @@ public class RequestCardReplacementCommandHandlerTests
         Substitute.For<IHouseholdIdentifierResolver>();
     private readonly IHouseholdRepository _repository =
         Substitute.For<IHouseholdRepository>();
+    private readonly IMinimumIalService _minimumIalService =
+        Substitute.For<IMinimumIalService>();
     private readonly NullLogger<RequestCardReplacementCommandHandler> _logger =
         NullLogger<RequestCardReplacementCommandHandler>.Instance;
 
+    public RequestCardReplacementCommandHandlerTests()
+    {
+        // Default: IAL gate passes (no elevated requirement)
+        _minimumIalService.GetMinimumIal(Arg.Any<IReadOnlyList<SummerEbtCase>>()).Returns(UserIalLevel.None);
+    }
+
     private RequestCardReplacementCommandHandler CreateHandler(TimeProvider? timeProvider = null) =>
-        new(_validator, _resolver, _repository, timeProvider ?? TimeProvider.System, _logger);
+        new(_validator, _resolver, _repository, _minimumIalService, timeProvider ?? TimeProvider.System, _logger);
 
     private static ClaimsPrincipal CreateUser(string email, string? ialClaim = null)
     {
diff --git a/test/SEBT.Portal.Tests/Unit/UseCases/Household/UpdateAddressCommandHandlerTests.cs b/test/SEBT.Portal.Tests/Unit/UseCases/Household/UpdateAddressCommandHandlerTests.cs
@@ -36,6 +36,8 @@ public class UpdateAddressCommandHandlerTests
         Substitute.For<IIdProofingRequirementsService>();
     private readonly IStateAddressUpdateService _stateAddressUpdateService =
         Substitute.For<IStateAddressUpdateService>();
+    private readonly IMinimumIalService _minimumIalService =
+        Substitute.For<IMinimumIalService>();
     private readonly NullLogger<UpdateAddressCommandHandler> _logger =
         NullLogger<UpdateAddressCommandHandler>.Instance;
 
@@ -64,11 +66,13 @@ public UpdateAddressCommandHandlerTests()
             .Returns(AddressUpdateResult.Success());
         _idProofingRequirementsService.GetPiiVisibility(Arg.Any<UserIalLevel>())
             .Returns(new PiiVisibility(false, false, false));
+        // Default: IAL gate passes (no elevated requirement)
+        _minimumIalService.GetMinimumIal(Arg.Any<IReadOnlyList<SummerEbtCase>>()).Returns(UserIalLevel.None);
     }
 
     private UpdateAddressCommandHandler CreateHandler() =>
         new(_validator, _addressUpdateService, _addressValidationService, _resolver, _householdRepository,
-            _idProofingRequirementsService, _stateAddressUpdateService, _logger);
+            _idProofingRequirementsService, _minimumIalService, _stateAddressUpdateService, _logger);
 
     private static ClaimsPrincipal CreateUser(string email)
     {
