AUT-4248: Send mfa method ID when requesting MFA

- This is so that the BE knows which number to send the OTP to

Author: alhcomer

src/components/common/mfa/mfa-service.ts

@@ -19,6 +19,7 @@ export function mfaService(axios: Http = http): MfaServiceInterface {
     isResendCodeRequest: boolean,
     userLanguage: string,
     req: Request,
+    mfaMethodId: string,
     journeyType?: JOURNEY_TYPE
   ): Promise<ApiResponseResult<DefaultApiResponse>> {
     const response = await axios.client.post<DefaultApiResponse>(
@@ -27,6 +28,7 @@ export function mfaService(axios: Http = http): MfaServiceInterface {
         email: emailAddress,
         isResendCodeRequest,
         journeyType,
+        mfaMethodId,
       },
       getInternalRequestConfigWithSecurityHeaders(
         {

src/components/common/mfa/tests/mfa-service.test.ts

@@ -49,14 +49,15 @@ describe("mfa service", () => {
     const userLanguage = "cy";
     const journeyType = JOURNEY_TYPE.SIGN_IN;
     const isResendCodeRequest = true;
+    const mfaMethodId = "9b1deb4d-3b7d-4bad-9bdd-2b0d7a3a03d7";
 
     const expectedApiCallDetails = {
       expectedPath: API_ENDPOINTS.MFA,
       expectedHeaders: {
         ...expectedHeadersFromCommonVarsWithSecurityHeaders,
         "User-Language": userLanguage,
       },
-      expectedBody: { email, isResendCodeRequest, journeyType },
+      expectedBody: { email, isResendCodeRequest, journeyType, mfaMethodId },
     };
 
     const result = await service.sendMfaCode(
@@ -67,6 +68,7 @@ describe("mfa service", () => {
       isResendCodeRequest,
       userLanguage,
       req,
+      mfaMethodId,
       journeyType
     );
 

src/components/common/mfa/types.ts

@@ -11,6 +11,7 @@ export interface MfaServiceInterface {
     isResendCodeRequest: boolean,
     userLanguage: string,
     req: Request,
+    mfaMethodId: string,
     journeyType?: JOURNEY_TYPE
   ) => Promise<ApiResponseResult<DefaultApiResponse>>;
 }

src/components/enter-mfa/enter-mfa-controller.ts

@@ -3,11 +3,7 @@ import { NOTIFICATION_TYPE, PATH_NAMES } from "../../app.constants.js";
 import type { VerifyCodeInterface } from "../common/verify-code/types.js";
 import { codeService } from "../common/verify-code/verify-code-service.js";
 import { verifyCodePost } from "../common/verify-code/verify-code-controller.js";
-import type {
-  ExpressRouteFunc,
-  MfaMethod,
-  SmsMfaMethod,
-} from "../../types.js";
+import type { ExpressRouteFunc, MfaMethod, SmsMfaMethod } from "../../types.js";
 import type { SecurityCodeErrorType } from "../common/constants.js";
 import { ERROR_CODES } from "../common/constants.js";
 import type { AccountRecoveryInterface } from "../common/account-recovery/types.js";

src/components/enter-password/enter-password-controller.ts

@@ -205,6 +205,7 @@ export function enterPasswordPost(
         false,
         xss(req.cookies.lng as string),
         req,
+        req.session.user.activeMfaMethodId,
         journeyType
       );
 

src/components/enter-password/tests/enter-password-controller.test.ts

@@ -34,6 +34,7 @@ describe("enter password controller", () => {
   let req: RequestOutput;
   let res: ResponseOutput;
   const { email } = commonVariables;
+  const DEFAULT_MFA_METHOD_ID = "test-id1";
 
   beforeEach(() => {
     req = createMockRequest(PATH_NAMES.ENTER_PASSWORD);
@@ -72,7 +73,7 @@ describe("enter password controller", () => {
               mfaMethodType: "SMS",
               passwordChangeRequired: false,
               mfaMethods: buildMfaMethods({
-                id: "test-id1",
+                id: DEFAULT_MFA_METHOD_ID,
                 phoneNumber: "07123456789",
               }),
             },
@@ -106,7 +107,7 @@ describe("enter password controller", () => {
               mfaMethodType: "SMS",
               passwordChangeRequired: false,
               mfaMethods: buildMfaMethods({
-                id: "test-id1",
+                id: DEFAULT_MFA_METHOD_ID,
                 phoneNumber: "07123456789",
               }),
             },
@@ -157,6 +158,7 @@ describe("enter password controller", () => {
           sinon.match.any,
           sinon.match.any,
           sinon.match.any,
+          DEFAULT_MFA_METHOD_ID,
           JOURNEY_TYPE.REAUTHENTICATION
         );
       });
@@ -197,7 +199,7 @@ describe("enter password controller", () => {
             mfaMethodVerified: true,
             mfaMethodType: "SMS",
             mfaMethods: buildMfaMethods({
-              id: "test-id1",
+              id: DEFAULT_MFA_METHOD_ID,
               phoneNumber: "07123456789",
             }),
           },
@@ -310,7 +312,7 @@ describe("enter password controller", () => {
               mfaMethodVerified: true,
               mfaMethodType: "SMS",
               mfaMethods: buildMfaMethods({
-                id: "test-id1",
+                id: DEFAULT_MFA_METHOD_ID,
                 phoneNumber: "07123456789",
               }),
             },
@@ -362,7 +364,7 @@ describe("enter password controller", () => {
               mfaMethodVerified: true,
               mfaMethodType: "SMS",
               mfaMethods: buildMfaMethods({
-                id: "test-id1",
+                id: DEFAULT_MFA_METHOD_ID,
                 phoneNumber: "07123456789",
               }),
             },
@@ -430,7 +432,7 @@ describe("enter password controller", () => {
             mfaMethodVerified: true,
             mfaMethodType: "SMS",
             mfaMethods: buildMfaMethods({
-              id: "test-id1",
+              id: DEFAULT_MFA_METHOD_ID,
               phoneNumber: "07123456789",
             }),
           },
@@ -455,7 +457,7 @@ describe("enter password controller", () => {
             mfaMethodVerified: false,
             mfaMethodType: "SMS",
             mfaMethods: buildMfaMethods({
-              id: "test-id1",
+              id: DEFAULT_MFA_METHOD_ID,
               phoneNumber: "07123456789",
             }),
           },
@@ -480,7 +482,7 @@ describe("enter password controller", () => {
             mfaMethodVerified: true,
             mfaMethodType: "SMS",
             mfaMethods: buildMfaMethods({
-              id: "test-id1",
+              id: DEFAULT_MFA_METHOD_ID,
               phoneNumber: "07123456789",
             }),
           },
@@ -533,7 +535,7 @@ describe("enter password controller", () => {
             mfaMethodType: "SMS",
             passwordChangeRequired: true,
             mfaMethods: buildMfaMethods({
-              id: "test-id1",
+              id: DEFAULT_MFA_METHOD_ID,
               phoneNumber: "07123456789",
             }),
           },

src/components/how-do-you-want-security-codes/how-do-you-want-security-codes-controller.ts

@@ -1,8 +1,17 @@
 import type { Request, Response } from "express";
 import { MFA_METHOD_TYPE, PATH_NAMES } from "../../app.constants.js";
-import type { MfaMethod } from "../../types.js";
-import { getNextPathAndUpdateJourney } from "../common/constants.js";
+import type { ExpressRouteFunc, MfaMethod } from "../../types.js";
+import {
+  ERROR_CODES,
+  getErrorPathByCode,
+  getNextPathAndUpdateJourney,
+} from "../common/constants.js";
 import { USER_JOURNEY_EVENTS } from "../common/state-machine/state-machine.js";
+import type { MfaServiceInterface } from "../common/mfa/types.js";
+import { mfaService } from "../common/mfa/mfa-service.js";
+import xss from "xss";
+import { getJourneyTypeFromUserSession } from "../common/journey/journey.js";
+import { BadRequestError } from "../../utils/error.js";
 
 export function sortMfaMethodsBackupFirst(
   mfaMethods: MfaMethod[]
@@ -22,24 +31,71 @@ export function howDoYouWantSecurityCodesGet(
   });
 }
 
-export async function howDoYouWantSecurityCodesPost(
-  req: Request,
-  res: Response
-): Promise<void> {
-  const mfaMethodId = req.body["mfa-method-id"];
-  const selectedMethod = req.session.user.mfaMethods.find(
-    (method: MfaMethod) => method.id === mfaMethodId
-  );
-  if (selectedMethod.type === MFA_METHOD_TYPE.SMS) {
-    req.session.user.activeMfaMethodId = mfaMethodId;
-    res.redirect(
-      await getNextPathAndUpdateJourney(
-        req,
-        req.path,
-        USER_JOURNEY_EVENTS.SELECT_SMS_MFA_METHOD,
-        null,
-        res.locals.sessionId
-      )
+export function howDoYouWantSecurityCodesPost(
+  mfaCodeService: MfaServiceInterface = mfaService()
+): ExpressRouteFunc {
+  return async function (req: Request, res: Response) {
+    const mfaMethodId = req.body["mfa-method-id"];
+    const selectedMethod = req.session.user.mfaMethods.find(
+      (method: MfaMethod) => method.id === mfaMethodId
     );
-  }
+
+    if (selectedMethod.type === MFA_METHOD_TYPE.SMS) {
+      if (mfaMethodId !== req.session.user.activeMfaMethodId) {
+        req.session.user.activeMfaMethodId = mfaMethodId;
+        const { email } = req.session.user;
+        const { sessionId, clientSessionId, persistentSessionId } = res.locals;
+
+        const result = await mfaCodeService.sendMfaCode(
+          sessionId,
+          clientSessionId,
+          email,
+          persistentSessionId,
+          false,
+          xss(req.cookies.lng as string),
+          req,
+          req.session.user.activeMfaMethodId,
+          getJourneyTypeFromUserSession(req.session.user, {
+            includeReauthentication: true,
+          })
+        );
+
+        if (!result.success) {
+          if (result.data.code === ERROR_CODES.MFA_CODE_REQUESTS_BLOCKED) {
+            return res.render("security-code-error/index-wait.njk");
+          }
+
+          if (result.data.code === ERROR_CODES.ENTERED_INVALID_MFA_MAX_TIMES) {
+            return res.render(
+              "security-code-error/index-security-code-entered-exceeded.njk",
+              {
+                show2HrScreen: true,
+                contentId: "727a0395-cc00-48eb-a411-bfe9d8ac5fc8",
+              }
+            );
+          }
+
+          const path = getErrorPathByCode(result.data.code);
+
+          if (path) {
+            return res.redirect(path);
+          }
+
+          throw new BadRequestError(result.data.message, result.data.code);
+        }
+
+        return res.redirect(
+          await getNextPathAndUpdateJourney(
+            req,
+            req.path,
+            USER_JOURNEY_EVENTS.SELECT_SMS_MFA_METHOD,
+            null,
+            res.locals.sessionId
+          )
+        );
+      }
+    }
+
+    throw new BadRequestError("Unexpected MFA Type", 500);
+  };
 }

src/components/how-do-you-want-security-codes/how-do-you-want-security-codes-routes.ts

@@ -22,7 +22,7 @@ router.post(
   validateSessionMiddleware,
   allowUserJourneyMiddleware,
   validateHowDoYouWantSecurityCodesRequest(),
-  howDoYouWantSecurityCodesPost
+  howDoYouWantSecurityCodesPost()
 );
 
 export { router as howDoYouWantSecurityCodesRouter };

src/components/how-do-you-want-security-codes/tests/how-do-you-want-security-codes-controller.test.ts

@@ -12,6 +12,7 @@ import { MFA_METHOD_TYPE, PATH_NAMES } from "../../../app.constants.js";
 import { sinon } from "../../../../test/utils/test-utils.js";
 import { MfaMethodPriority } from "../../../types.js";
 import type { MfaMethod } from "../../../types.js";
+import type { MfaServiceInterface } from "../../common/mfa/types.js";
 
 describe("how do you want security codes controller", () => {
   let req: RequestOutput;
@@ -57,12 +58,23 @@ describe("how do you want security codes controller", () => {
         },
       ] as MfaMethod[];
 
-      req.body["mfa-method-id"] = backupId;
+      for (const mfaMethodId of [defaultId, backupId]) {
+        const fakeMfaCodeService: MfaServiceInterface = {
+          sendMfaCode: sinon.fake.returns({
+            success: true,
+          }),
+        } as unknown as MfaServiceInterface;
 
-      await howDoYouWantSecurityCodesPost(req as Request, res as Response);
+        req.body["mfa-method-id"] = mfaMethodId;
 
-      expect(res.redirect).to.have.been.calledWith(PATH_NAMES.ENTER_MFA);
-      expect(req.session.user.activeMfaMethodId).to.equal(backupId);
+        await howDoYouWantSecurityCodesPost(fakeMfaCodeService)(
+          req as Request,
+          res as Response
+        );
+
+        expect(res.redirect).to.have.been.calledWith(PATH_NAMES.ENTER_MFA);
+        expect(req.session.user.activeMfaMethodId).to.equal(mfaMethodId);
+      }
     });
   });
 });