-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create new CbvFlow
object every time an invite link is clicked
#204
Conversation
CbvFlow
object every time a link is clickedCbvFlow
object every time an invite link is clicked
return redirect_to(cbv_flow_expired_invitation_path) | ||
end | ||
|
||
@cbv_flow = CbvFlow.create_from_invitation(invitation) | ||
session[:cbv_flow_id] = @cbv_flow.id | ||
NewRelicEventTracker.track("ClickedCBVInvitationLink", { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unrelated, but is the assumption to query the associated cbv_flow_id
for the site_id
? That might be annoying to do in NR. We may want to include the site_id
here.
@@ -33,54 +33,18 @@ | |||
end | |||
|
|||
context "when returning to an already-visited flow invitation" do | |||
let(:existing_cbv_flow) { create(:cbv_flow, cbv_flow_invitation: invitation) } | |||
let!(:existing_cbv_flow) { create(:cbv_flow, cbv_flow_invitation: invitation) } |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting... so vars declared with let
in an rspec test aren't hoisted to the top of the test? I can see why it would be good convention to use a !
here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
let!
evaluates immediately, whereas let
is lazily evaluated the first time it's accessed. I had to convert this to a let!
because I'm not explicitly referring to the variable anymore in the tests, so it would never be lazily evaluated, and thus the test would actually not be testing what I had intended to test.
This converts the invitation's `has_one :cbv_flow` into a `has_many`. Every time the user clicks the tokenized link again, they will have a new CbvFlow started. This will prevent any compromise of the tokenized link during the time between a user linking their payroll account and completing the flow from revealing their session's data.
e561481
to
346fb20
Compare
Acceptance tested with Eryn ✅ |
Ticket
Resolves FFS-1416.
Changes
This converts the invitation's
has_one :cbv_flow
into ahas_many
.Every time the user clicks the tokenized link again, they will have a
new CbvFlow started. This will prevent any compromise of the tokenized
link during the time between a user linking their payroll account and
completing the flow from revealing their session's data.
Context for reviewers
This is a launch requirement from NYC.
Testing
I will acceptance test this with Eryn by walking through various scenarios of
linking Pinwheel accounts, letting the session expire, and then clicking the
link again to verify that the associated payroll data is gone.