LG-1316 Send an email when a user adds a phone to their account (#3017)

**Why**: So that the user is alerted that a new phone has been added to their account.
18F · Jun 18, 2019 · a2ee544 · a2ee544
1 parent 1e67142
commit a2ee544
Show file tree

Hide file tree

Showing 10 changed files with 59 additions and 29 deletions.
diff --git a/app/controllers/concerns/two_factor_authenticatable.rb b/app/controllers/concerns/two_factor_authenticatable.rb
@@ -147,13 +147,21 @@ def assign_phone
 
   def phone_changed
     create_user_event(:phone_changed)
-    current_user.confirmed_email_addresses.each do |email_address|
-      UserMailer.phone_changed(email_address).deliver_later
-    end
+    send_phone_added_email
   end
 
   def phone_confirmed
     create_user_event(:phone_confirmed)
+    # If the user has MFA configured, then they are not adding a phone during sign up and are
+    # instead adding it outside the sign up flow
+    return unless MfaPolicy.new(current_user).sufficient_factors_enabled?
+    send_phone_added_email
+  end
+
+  def send_phone_added_email
+    current_user.confirmed_email_addresses.each do |email_address|
+      UserMailer.phone_added(email_address).deliver_later
+    end
   end
 
   def update_phone_attributes

diff --git a/app/mailers/user_mailer.rb b/app/mailers/user_mailer.rb
@@ -32,8 +32,8 @@ def password_changed(email_address, disavowal_token:)
     mail(to: email_address.email, subject: t('devise.mailer.password_updated.subject'))
   end
 
-  def phone_changed(email_address)
-    mail(to: email_address.email, subject: t('user_mailer.phone_changed.subject'))
+  def phone_added(email_address)
+    mail(to: email_address.email, subject: t('user_mailer.phone_added.subject'))
   end
 
   def account_does_not_exist(email, request_id)

diff --git a/...views/user_mailer/phone_changed.html.slim → app/views/user_mailer/phone_added.html.slim b/...views/user_mailer/phone_changed.html.slim → app/views/user_mailer/phone_added.html.slim
diff --git a/config/locales/user_mailer/en.yml b/config/locales/user_mailer/en.yml
@@ -130,11 +130,11 @@ en:
         <br>Thanks,<br>The login.gov team
       intro: Personal key used to sign in
       subject: Account Security Alert
-    phone_changed:
-      help: If you did not want to change your phone number, please visit the %{app}
-        %{help_link} or %{contact_link}.
-      intro: The phone number associated with your %{app} account has been changed.
-      subject: New phone number
+    phone_added:
+      help: If you did not make this change, sign in to your profile and manage your
+        phone numbers. We recommend that you also change your password.
+      intro: A new phone number was added to your %{app} profile.
+      subject: New phone number added
     please_reset_password:
       additional_help_html: If you’ve used your login.gov password on other websites,
         we encourage you to update these passwords as well. If you have any questions,

diff --git a/config/locales/user_mailer/es.yml b/config/locales/user_mailer/es.yml
@@ -134,11 +134,11 @@ es:
         equipo de login.gov
       intro: Clave personal utilizada para iniciar sesión
       subject: Alerta de seguridad de cuenta
-    phone_changed:
-      help: Si no desea cambiar su número de teléfono, visite el %{app} %{help_link}
-        o el %{contact_link}.
-      intro: El número de teléfono asociado a su cuenta de %{app} ha sido cambiado.
-      subject: Nuevo número de teléfono
+    phone_added:
+      help: Si no realizó este cambio, inicie sesión en su perfil y administre sus
+        números de teléfono. Le recomendamos que también cambie su contraseña.
+      intro: Se agregó un nuevo número de teléfono a su perfil de %{app}.
+      subject: Nuevo número de teléfono añadido
     please_reset_password:
       additional_help_html: Si ha utilizado su contraseña de login.gov en otros sitios,
         le pedimos que actualice estas contraseñas también. Si tiene preguntas, por

diff --git a/config/locales/user_mailer/fr.yml b/config/locales/user_mailer/fr.yml
@@ -142,11 +142,12 @@ fr:
         login.gov
       intro: La clé personnelle utilisée pour vous connecter
       subject: Alerte de sécurité du compte
-    phone_changed:
-      help: Si vous ne souhaitiez pas changer votre numéro de téléphone, veuillez
-        visiter le %{help_link} de %{app} ou %{contact_link}.
-      intro: Le numéro de téléphone associé à votre compte %{app} a été changé.
-      subject: Nouveau numéro de téléphone
+    phone_added:
+      help: Si vous n'avez pas apporté cette modification, connectez-vous à votre
+        profil et gérez vos numéros de téléphone. Nous vous recommandons de changer
+        également votre mot de passe.
+      intro: Un nouveau numéro de téléphone a été ajouté à votre profil %{app}.
+      subject: Nouveau numéro de téléphone ajouté
     please_reset_password:
       additional_help_html: Si vous avez utilisé votre mot de passe login.gov sur
         d'autres sites internet, nous vous encourageons à mettre ces mots de passe

diff --git a/spec/controllers/two_factor_authentication/otp_verification_controller_spec.rb b/spec/controllers/two_factor_authentication/otp_verification_controller_spec.rb
@@ -290,7 +290,7 @@
         allow(subject).to receive(:create_user_event)
         @mailer = instance_double(ActionMailer::MessageDelivery, deliver_later: true)
         subject.current_user.email_addresses.each do |email_address|
-          allow(UserMailer).to receive(:phone_changed).with(email_address).
+          allow(UserMailer).to receive(:phone_added).with(email_address).
             and_return(@mailer)
         end
         @previous_phone = MfaContext.new(subject.current_user).phone_configurations.first&.phone
@@ -329,7 +329,7 @@
             expect(subject).to have_received(:create_user_event).with(:phone_changed)
             expect(subject).to have_received(:create_user_event).exactly(:once)
             subject.current_user.email_addresses.each do |email_address|
-              expect(UserMailer).to have_received(:phone_changed).with(email_address)
+              expect(UserMailer).to have_received(:phone_added).with(email_address)
             end
             expect(@mailer).to have_received(:deliver_later)
           end

diff --git a/spec/features/two_factor_authentication/change_factor_spec.rb b/spec/features/two_factor_authentication/change_factor_spec.rb
@@ -29,7 +29,7 @@
 
       mailer = instance_double(ActionMailer::MessageDelivery, deliver_later: true)
       user.email_addresses.each do |email_address|
-        allow(UserMailer).to receive(:phone_changed).with(email_address).and_return(mailer)
+        allow(UserMailer).to receive(:phone_added).with(email_address).and_return(mailer)
       end
 
       @previous_phone_confirmed_at =
@@ -59,7 +59,7 @@
 
       expect(current_path).to eq account_path
       user.email_addresses.each do |email_address|
-        expect(UserMailer).to have_received(:phone_changed).with(email_address)
+        expect(UserMailer).to have_received(:phone_added).with(email_address)
       end
       expect(mailer).to have_received(:deliver_later)
       expect(page).to have_content new_phone

diff --git a/spec/features/users/add_phone_spec.rb b/spec/features/users/add_phone_spec.rb
@@ -0,0 +1,22 @@
+require 'rails_helper'
+
+describe 'Add a new phone number' do
+  scenario 'Adding and confirming a new phone number allows the phone number to be used for MFA' do
+    user = create(:user, :signed_up)
+    phone = '+1 (225) 278-1234'
+
+    expect(UserMailer).to receive(:phone_added).with(user.email_addresses.first).and_call_original
+
+    sign_in_and_2fa_user(user)
+    click_on t('account.index.phone_add')
+    fill_in :phone, with: phone
+    click_continue
+    fill_in_code_with_last_phone_otp
+    click_submit_default
+
+    expect(page).to have_current_path(account_path)
+    expect(user.reload.phone_configurations.count).to eq(2)
+    expect(user.phone_configurations[0].confirmed_at).to be_present
+    expect(user.phone_configurations[1].confirmed_at).to be_present
+  end
+end
diff --git a/spec/mailers/user_mailer_spec.rb b/spec/mailers/user_mailer_spec.rb
@@ -190,8 +190,8 @@
     end
   end
 
-  describe 'phone_changed' do
-    let(:mail) { UserMailer.phone_changed(email_address) }
+  describe 'phone_added' do
+    let(:mail) { UserMailer.phone_added(email_address) }
 
     it_behaves_like 'a system email'
 
@@ -200,14 +200,13 @@
     end
 
     it 'renders the subject' do
-      expect(mail.subject).to eq t('user_mailer.phone_changed.subject')
+      expect(mail.subject).to eq t('user_mailer.phone_added.subject')
     end
 
     it 'renders the body' do
       expect(mail.html_part.body).to have_content(
-        t('user_mailer.phone_changed.intro', app: APP_NAME),
+        t('user_mailer.phone_added.intro', app: APP_NAME),
       )
-      expect_email_body_to_have_help_and_contact_links
     end
   end