Merge pull request #2805 from govuk-one-login/AUT-4249/allow-auth-app-when-picking-mfa-method

AUT-4249: Allow auth app when picking MFA method

Author: ben-fernandes-sw

src/components/common/state-machine/state-machine.ts

@@ -59,6 +59,7 @@ const USER_JOURNEY_EVENTS = {
   IPV_REVERIFICATION_FAILED_OR_DID_NOT_MATCH:
     "IPV_REVERIFICATION_FAILED_OR_DID_NOT_MATCH",
   MFA_RESET_ATTEMPTED_VIA_AUTH_APP: "MFA_RESET_ATTEMPTED_VIA_AUTH_APP",
+  SELECT_AUTH_APP_MFA_METHOD: "SELECT_AUTH_APP_MFA_METHOD",
 };
 
 const authStateMachine = createMachine(
@@ -731,6 +732,13 @@ const authStateMachine = createMachine(
           ],
         },
       },
+      [PATH_NAMES.HOW_DO_YOU_WANT_SECURITY_CODES]: {
+        on: {
+          [USER_JOURNEY_EVENTS.SELECT_AUTH_APP_MFA_METHOD]: [
+            PATH_NAMES.ENTER_AUTHENTICATOR_APP_CODE,
+          ],
+        },
+      },
     },
   },
   {

src/components/enter-authenticator-app-code/index.njk

@@ -21,7 +21,7 @@
         classes: "govuk-label--l",
         isPageHeading: true
       },
-    classes: "govuk-input--width-10",
+    classes: "govuk-input--width-10 govuk-!-font-weight-bold",
     id: "code",
     name: "code",
     inputmode: "numeric",

src/components/how-do-you-want-security-codes/how-do-you-want-security-codes-controller.ts

@@ -1,6 +1,9 @@
 import type { Request, Response } from "express";
-import { PATH_NAMES } from "../../app.constants.js";
+import { MFA_METHOD_TYPE, PATH_NAMES } from "../../app.constants.js";
 import type { MfaMethod } from "../../types.js";
+import { getNextPathAndUpdateJourney } from "../common/constants.js";
+import { USER_JOURNEY_EVENTS } from "../common/state-machine/state-machine.js";
+import { BadRequestError } from "../../utils/error.js";
 
 export function sortMfaMethodsBackupFirst(
   mfaMethods: MfaMethod[]
@@ -24,9 +27,30 @@ export function howDoYouWantSecurityCodesGet(
   });
 }
 
-export function howDoYouWantSecurityCodesPost(
+export async function howDoYouWantSecurityCodesPost(
   req: Request,
   res: Response
-): void {
-  res.send("Unimplemented");
+): Promise<void> {
+  const selectedMfaMethod: MfaMethod | undefined =
+    req.session.user.mfaMethods?.find(
+      (mfaMethod: MfaMethod) => mfaMethod.id === req.body["mfa-method-id"]
+    );
+
+  if (!selectedMfaMethod) {
+    throw new BadRequestError("No MFA methods found");
+  }
+
+  if (selectedMfaMethod.type === MFA_METHOD_TYPE.AUTH_APP) {
+    return res.redirect(
+      await getNextPathAndUpdateJourney(
+        req,
+        req.path,
+        USER_JOURNEY_EVENTS.SELECT_AUTH_APP_MFA_METHOD,
+        null,
+        res.locals.sessionId
+      )
+    );
+  } else {
+    res.send("Unimplemented");
+  }
 }

src/components/how-do-you-want-security-codes/tests/__snapshots__/how-do-you-want-security-codes-integration.test.ts.snap

@@ -1,5 +1,38 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP
 
+exports[`Integration::how do you want security codes GET /how-do-you-want-security-codes should return page as expected for AUTH APP user with SMS backup 1`] = `
+Object {
+  "contentId": "",
+  "taxonomyLevel1": "authentication",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
+}
+`;
+
+exports[`Integration::how do you want security codes GET /how-do-you-want-security-codes should return page as expected for SMS user with AUTH APP backup 1`] = `
+Object {
+  "contentId": "",
+  "taxonomyLevel1": "authentication",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
+}
+`;
+
+exports[`Integration::how do you want security codes GET /how-do-you-want-security-codes should return page as expected for SMS user with SMS backup 1`] = `
+Object {
+  "contentId": "",
+  "taxonomyLevel1": "authentication",
+  "taxonomyLevel2": "",
+  "taxonomyLevel3": "",
+  "taxonomyLevel4": "",
+  "taxonomyLevel5": "",
+}
+`;
+
 exports[`Integration::how do you want security codes should include link to reset mfa methods 1`] = `
 Object {
   "contentId": "",

src/components/how-do-you-want-security-codes/tests/how-do-you-want-security-codes-controller.test.ts

@@ -1,12 +1,18 @@
 import { describe } from "mocha";
 import type { Request, Response } from "express";
 import { expect } from "chai";
-import { howDoYouWantSecurityCodesGet } from "../how-do-you-want-security-codes-controller.js";
+import { strict as assert } from "assert";
+import {
+  howDoYouWantSecurityCodesGet,
+  howDoYouWantSecurityCodesPost,
+} from "../how-do-you-want-security-codes-controller.js";
 import { mockResponse } from "mock-req-res";
 import type { RequestOutput, ResponseOutput } from "mock-req-res";
 import { createMockRequest } from "../../../../test/helpers/mock-request-helper.js";
 import { PATH_NAMES } from "../../../app.constants.js";
 import { sinon } from "../../../../test/utils/test-utils.js";
+import { BadRequestError } from "../../../utils/error.js";
+import { buildMfaMethods } from "../../../../test/helpers/mfa-helper.js";
 
 describe("how do you want security codes controller", () => {
   let req: RequestOutput;
@@ -59,4 +65,33 @@ describe("how do you want security codes controller", () => {
       );
     });
   });
+
+  describe("howDoYouWantSecurityCodesPost", () => {
+    it("should throw error if the user has no MFA methods", async () => {
+      req.session.user.mfaMethods = [];
+
+      await assert.rejects(
+        async () => howDoYouWantSecurityCodesPost(req, res),
+        BadRequestError,
+        "No MFA methods found"
+      );
+    });
+
+    it("should redirect to /enter-authenticator-app-code if 'authenticator app' is selected", async () => {
+      req.body["mfa-method-id"] = "testAuthApp";
+      req.session.user.mfaMethods = buildMfaMethods([
+        {
+          id: "testPhone",
+          redactedPhoneNumber: "07000000000",
+        },
+        { id: "testAuthApp", authApp: true },
+      ]);
+
+      await howDoYouWantSecurityCodesPost(req, res);
+
+      expect(res.redirect).to.have.been.calledWith(
+        PATH_NAMES.ENTER_AUTHENTICATOR_APP_CODE
+      );
+    });
+  });
 });