Create new CbvFlow object every time an invite link is clicked
#204
Conversation
tdooner
changed the title
CbvFlow object every time a link is clickedCbvFlow object every time an invite link is clicked
| return redirect_to(cbv_flow_expired_invitation_path) | ||
| end | ||
|
|
||
| @cbv_flow = CbvFlow.create_from_invitation(invitation) | ||
| session[:cbv_flow_id] = @cbv_flow.id | ||
| NewRelicEventTracker.track("ClickedCBVInvitationLink", { |
There was a problem hiding this comment.
Unrelated, but is the assumption to query the associated cbv_flow_id for the site_id? That might be annoying to do in NR. We may want to include the site_id here.
| @@ -33,54 +33,18 @@ | |||
| end | |||
|
|
|||
| context "when returning to an already-visited flow invitation" do | |||
| let(:existing_cbv_flow) { create(:cbv_flow, cbv_flow_invitation: invitation) } | |||
| let!(:existing_cbv_flow) { create(:cbv_flow, cbv_flow_invitation: invitation) } | |||
There was a problem hiding this comment.
Interesting... so vars declared with let in an rspec test aren't hoisted to the top of the test? I can see why it would be good convention to use a ! here
There was a problem hiding this comment.
let! evaluates immediately, whereas let is lazily evaluated the first time it's accessed. I had to convert this to a let! because I'm not explicitly referring to the variable anymore in the tests, so it would never be lazily evaluated, and thus the test would actually not be testing what I had intended to test.
This converts the invitation's `has_one :cbv_flow` into a `has_many`. Every time the user clicks the tokenized link again, they will have a new CbvFlow started. This will prevent any compromise of the tokenized link during the time between a user linking their payroll account and completing the flow from revealing their session's data.
tdooner
force-pushed
the
td/FFS-1416-restart-flow
branch
from
e561481
to
346fb20
Compare
|
Acceptance tested with Eryn ✅ |
Ticket
Resolves FFS-1416.
Changes
This converts the invitation's
has_one :cbv_flowinto ahas_many.Every time the user clicks the tokenized link again, they will have a
new CbvFlow started. This will prevent any compromise of the tokenized
link during the time between a user linking their payroll account and
completing the flow from revealing their session's data.
Context for reviewers
This is a launch requirement from NYC.
Testing
I will acceptance test this with Eryn by walking through various scenarios of
linking Pinwheel accounts, letting the session expire, and then clicking the
link again to verify that the associated payroll data is gone.