Merge pull request #2101 from govuk-one-login/BAU/remove-2fa-before-p…

…assword-reset-flag

BAU: remove 2fa before password reset flag

ci/terraform/authdev1.tfvars

@@ -14,7 +14,6 @@ support_account_recovery                            = "1"
 support_authorize_controller                        = "1"
 support_account_interventions                       = "1"
 support_reauthentication                            = "1"
-support_2fa_b4_password_reset                       = "1"
 support_2hr_lockout                                 = "1"
 password_reset_code_entered_wrong_blocked_minutes   = "1"
 account_recovery_code_entered_wrong_blocked_minutes = "1"

ci/terraform/authdev2.tfvars

@@ -18,7 +18,6 @@ support_account_recovery                            = "1"
 support_authorize_controller                        = "1"
 support_account_interventions                       = "1"
 support_reauthentication                            = "1"
-support_2fa_b4_password_reset                       = "1"
 support_2hr_lockout                                 = "1"
 password_reset_code_entered_wrong_blocked_minutes   = "1"
 account_recovery_code_entered_wrong_blocked_minutes = "1"

ci/terraform/build.tfvars

@@ -15,7 +15,6 @@ support_account_recovery                            = "1"
 support_authorize_controller                        = "1"
 support_account_interventions                       = "1"
 support_reauthentication                            = "0"
-support_2fa_b4_password_reset                       = "1"
 support_2hr_lockout                                 = "1"
 password_reset_code_entered_wrong_blocked_minutes   = "1"
 account_recovery_code_entered_wrong_blocked_minutes = "1"

ci/terraform/dev.tfvars

@@ -20,7 +20,6 @@ support_account_recovery                            = "1"
 support_authorize_controller                        = "1"
 support_account_interventions                       = "1"
 support_reauthentication                            = "1"
-support_2fa_b4_password_reset                       = "1"
 support_2hr_lockout                                 = "1"
 password_reset_code_entered_wrong_blocked_minutes   = "1"
 account_recovery_code_entered_wrong_blocked_minutes = "1"

ci/terraform/ecs.tf

@@ -136,10 +136,6 @@ locals {
         name  = "REDUCED_CODE_BLOCK_DURATION_MINUTES"
         value = var.reduced_code_block_duration_minutes
       },
-      {
-        name  = "SUPPORT_2FA_B4_PASSWORD_RESET"
-        value = var.support_2fa_b4_password_reset
-      },
       {
         name  = "SUPPORT_ACCOUNT_INTERVENTIONS"
         value = var.support_account_interventions

ci/terraform/integration.tfvars

@@ -14,7 +14,6 @@ frontend_task_definition_memory  = 1024
 support_account_recovery      = "1"
 support_account_interventions = "1"
 support_authorize_controller  = "1"
-support_2fa_b4_password_reset = "1"
 support_2hr_lockout           = "1"
 support_reauthentication      = "1"
 language_toggle_enabled       = "1"

ci/terraform/production.tfvars

@@ -17,7 +17,6 @@ ecs_desired_count                                   = 4
 support_account_recovery                            = "1"
 support_account_interventions                       = "1"
 support_authorize_controller                        = "1"
-support_2fa_b4_password_reset                       = "1"
 support_2hr_lockout                                 = "1"
 code_request_blocked_minutes                        = "120"
 account_recovery_code_entered_wrong_blocked_minutes = "120"

ci/terraform/sandpit.tfvars

@@ -15,7 +15,6 @@ support_account_recovery                            = "1"
 support_authorize_controller                        = "1"
 support_account_interventions                       = "1"
 support_reauthentication                            = "1"
-support_2fa_b4_password_reset                       = "1"
 support_2hr_lockout                                 = "1"
 password_reset_code_entered_wrong_blocked_minutes   = "1"
 account_recovery_code_entered_wrong_blocked_minutes = "1"

ci/terraform/staging.tfvars

@@ -16,7 +16,6 @@ ecs_desired_count                                   = 4
 support_account_recovery                            = "1"
 support_account_interventions                       = "1"
 support_authorize_controller                        = "1"
-support_2fa_b4_password_reset                       = "1"
 support_2hr_lockout                                 = "1"
 code_request_blocked_minutes                        = "120"
 account_recovery_code_entered_wrong_blocked_minutes = "120"

ci/terraform/variables.tf

@@ -236,12 +236,6 @@ variable "orch_to_auth_audience" {
 variable "dynatrace_secret_arn" {
 }
 
-variable "support_2fa_b4_password_reset" {
-  description = "When true enables 2FA before password reset"
-  type        = string
-  default     = "0"
-}
-
 variable "support_2hr_lockout" {
   description = "When true enables 2hr lockout"
   type        = string

cloudformation/deploy/template.yaml

@@ -554,8 +554,6 @@ Resources:
               Value: 1
             - Name: REDUCED_CODE_BLOCK_DURATION_MINUTES
               Value: 0.5
-            - Name: SUPPORT_2FA_B4_PASSWORD_RESET
-              Value: 1
             - Name: SUPPORT_ACCOUNT_INTERVENTIONS
               Value: 1
             - Name: SUPPORT_REAUTHENTICATION

scripts/_create_env_file.py

@@ -88,7 +88,6 @@ class EnvFileSection(TypedDict):
             "SUPPORT_ACCOUNT_RECOVERY": 1,
             "SUPPORT_AUTHORIZE_CONTROLLER": 1,
             "SUPPORT_ACCOUNT_INTERVENTIONS": 1,
-            "SUPPORT_2FA_B4_PASSWORD_RESET": 1,
             "SUPPORT_REAUTHENTICATION": 1,
             "SUPPORT_2HR_LOCKOUT": 1,
             "SUPPORT_CHECK_EMAIL_FRAUD": 1,

src/app.ts

@@ -20,7 +20,6 @@ import {
   getNodeEnv,
   getSessionExpiry,
   getSessionSecret,
-  support2FABeforePasswordReset,
   supportAccountInterventions,
   supportAccountRecovery,
   supportAuthorizeController,
@@ -129,10 +128,8 @@ function registerRoutes(app: express.Application) {
   app.use(signedOutRouter);
   app.use(updatedTermsConditionsRouter);
   app.use(resetPasswordRouter);
-  if (support2FABeforePasswordReset()) {
-    app.use(resetPassword2FARouter);
-    app.use(resetPassword2FAAuthAppRouter);
-  }
+  app.use(resetPassword2FARouter);
+  app.use(resetPassword2FAAuthAppRouter);
   app.use(upliftJourneyRouter);
   app.use(contactUsRouter);
   app.use(healthcheckRouter);

src/components/auth-code/tests/auth-code-service.test.ts

@@ -7,10 +7,7 @@ import { SinonStub } from "sinon";
 import { API_ENDPOINTS, PATH_NAMES } from "../../../app.constants";
 import { AuthCodeServiceInterface } from "../types";
 import { Http } from "../../../utils/http";
-import {
-  support2FABeforePasswordReset,
-  support2hrLockout,
-} from "../../../config";
+import { support2hrLockout } from "../../../config";
 import { createMockRequest } from "../../../../test/helpers/mock-request-helper";
 
 describe("authentication auth code service", () => {
@@ -211,26 +208,6 @@ describe("authentication auth code service", () => {
     });
   });
 
-  describe("support2FABeforePasswordReset() with the support 2FA before password reset feature flag on", () => {
-    it("should return true when SUPPORT_2FA_B4_PASSWORD_RESET is set to '1'", async () => {
-      process.env.SUPPORT_2FA_B4_PASSWORD_RESET = "1";
-
-      expect(support2FABeforePasswordReset()).to.be.true;
-    });
-
-    it("should return false  when SUPPORT_2FA_B4_PASSWORD_RESET is set to '0'", async () => {
-      process.env.SUPPORT_2FA_B4_PASSWORD_RESET = "0";
-
-      expect(support2FABeforePasswordReset()).to.be.false;
-    });
-
-    it("should return false when SUPPORT_2FA_B4_PASSWORD_RESET is undefined", async () => {
-      process.env.SUPPORT_2FA_B4_PASSWORD_RESET = undefined;
-
-      expect(support2FABeforePasswordReset()).to.be.false;
-    });
-  });
-
   describe("support2hrLockout() with the support 2hr lockout for password and code lockouts", () => {
     it("should return true when SUPPORT_2HR_LOCKOUT is set to '1'", async () => {
       process.env.SUPPORT_2HR_LOCKOUT = "1";

src/components/common/state-machine/state-machine.ts

@@ -75,7 +75,6 @@ const authStateMachine = createMachine(
       isMfaMethodVerified: true,
       isPasswordChangeRequired: false,
       isAccountRecoveryJourney: false,
-      support2FABeforePasswordReset: false,
       isReauthenticationRequired: false,
       requiresResetPasswordMFASmsCode: false,
       requiresResetPasswordMFAAuthAppCode: false,
@@ -760,26 +759,20 @@ const authStateMachine = createMachine(
         context.requiresTwoFactorAuth === true,
       requiresResetPasswordMFAAuthAppCode: (context) =>
         context.mfaMethodType === MFA_METHOD_TYPE.AUTH_APP &&
-        context.isOnForcedPasswordResetJourney !== true &&
-        context.support2FABeforePasswordReset === true,
+        context.isOnForcedPasswordResetJourney !== true,
       requiresResetPasswordMFASmsCode: (context) =>
         context.mfaMethodType === MFA_METHOD_TYPE.SMS &&
-        context.isOnForcedPasswordResetJourney !== true &&
-        context.support2FABeforePasswordReset === true,
+        context.isOnForcedPasswordResetJourney !== true,
       isPasswordChangeRequired: (context) => context.isPasswordChangeRequired,
       is2FASMSPasswordChangeRequired: (context) =>
         context.isPasswordChangeRequired === true &&
         context.mfaMethodType === MFA_METHOD_TYPE.SMS &&
-        context.support2FABeforePasswordReset === true &&
         context.requiresTwoFactorAuth === true,
       is2FAAuthAppPasswordChangeRequired: (context) =>
         context.isPasswordChangeRequired === true &&
         context.mfaMethodType === MFA_METHOD_TYPE.AUTH_APP &&
-        context.support2FABeforePasswordReset === true &&
         context.requiresTwoFactorAuth === true,
       isAccountRecoveryJourney: (context) => context.isAccountRecoveryJourney,
-      support2FABeforePasswordReset: (context) =>
-        context.support2FABeforePasswordReset,
     },
   }
 );

src/components/common/verify-code/verify-code-controller.ts

@@ -18,7 +18,6 @@ import {
   PATH_NAMES,
 } from "../../../app.constants";
 import {
-  support2FABeforePasswordReset,
   supportAccountInterventions,
   supportReauthentication,
 } from "../../../config";
@@ -158,7 +157,6 @@ export function verifyCodePost(
           isIdentityRequired: req.session.user.isIdentityRequired,
           isLatestTermsAndConditionsAccepted:
             req.session.user.isLatestTermsAndConditionsAccepted,
-          support2FABeforePasswordReset: support2FABeforePasswordReset(),
           mfaMethodType: req.session.user.enterEmailMfaType,
           isPasswordChangeRequired: req.session.user.isPasswordChangeRequired,
           isOnForcedPasswordResetJourney:

src/components/enter-password/enter-password-controller.ts

@@ -19,11 +19,7 @@ import { JOURNEY_TYPE, MFA_METHOD_TYPE, PATH_NAMES } from "../../app.constants";
 import xss from "xss";
 import { EnterEmailServiceInterface } from "../enter-email/types";
 import { enterEmailService } from "../enter-email/enter-email-service";
-import {
-  support2FABeforePasswordReset,
-  support2hrLockout,
-  supportAccountInterventions,
-} from "../../config";
+import { support2hrLockout, supportAccountInterventions } from "../../config";
 import { getJourneyTypeFromUserSession } from "../common/journey/journey";
 import { accountInterventionService } from "../account-intervention/account-intervention-service";
 import { AccountInterventionsInterface } from "../account-intervention/types";
@@ -256,7 +252,6 @@ export function enterPasswordPost(
           mfaMethodType: userLogin.data.mfaMethodType,
           isMfaMethodVerified: userLogin.data.mfaMethodVerified,
           isPasswordChangeRequired: isPasswordChangeRequired,
-          support2FABeforePasswordReset: support2FABeforePasswordReset(),
         },
         sessionId
       )

src/components/enter-password/tests/enter-password-integration.test.ts

@@ -6,6 +6,10 @@ import * as cheerio from "cheerio";
 import decache from "decache";
 import { API_ENDPOINTS, PATH_NAMES } from "../../../app.constants";
 import { ERROR_CODES } from "../../common/constants";
+import {
+  noInterventions,
+  setupAccountInterventionsResponse,
+} from "../../../../test/helpers/account-interventions-helpers";
 
 describe("Integration::enter password", () => {
   let token: string | string[];
@@ -38,7 +42,6 @@ describe("Integration::enter password", () => {
       });
 
     process.env.SUPPORT_REAUTHENTICATION = "0";
-
     app = await require("../../../app").createApp();
 
     baseApi = process.env.FRONTEND_API_BASE_URL;
@@ -127,6 +130,48 @@ describe("Integration::enter password", () => {
       .expect(302);
   });
 
+  it("should redirect to /reset-password-2fa-sms when password is correct and user's MFA is set to SMS when 2FA is not required", async () => {
+    nock(baseApi).post(API_ENDPOINTS.LOG_IN_USER).once().reply(200, {
+      mfaRequired: false,
+      mfaMethodType: "SMS",
+      passwordChangeRequired: true,
+    });
+
+    setupAccountInterventionsResponse(baseApi, noInterventions);
+
+    await request(app)
+      .post(ENDPOINT)
+      .type("form")
+      .set("Cookie", cookies)
+      .send({
+        _csrf: token,
+        password: "password",
+      })
+      .expect("Location", PATH_NAMES.RESET_PASSWORD_REQUIRED)
+      .expect(302);
+  });
+
+  it("should redirect to /reset-password-2fa-sms when password is correct and user's MFA is set to SMS when 2FA is required", async () => {
+    nock(baseApi).post(API_ENDPOINTS.LOG_IN_USER).once().reply(200, {
+      mfaRequired: true,
+      mfaMethodType: "SMS",
+      passwordChangeRequired: true,
+    });
+
+    setupAccountInterventionsResponse(baseApi, noInterventions);
+
+    await request(app)
+      .post(ENDPOINT)
+      .type("form")
+      .set("Cookie", cookies)
+      .send({
+        _csrf: token,
+        password: "password",
+      })
+      .expect("Location", PATH_NAMES.RESET_PASSWORD_2FA_SMS)
+      .expect(302);
+  });
+
   it("should redirect to /account-locked from sign-in flow when incorrect password entered 5 times", async () => {
     nock(baseApi).post(API_ENDPOINTS.LOG_IN_USER).times(6).reply(400, {
       code: ERROR_CODES.INVALID_PASSWORD_MAX_ATTEMPTS_REACHED,