Merge pull request #1276 from govuk-one-login/AUT-1553/apply-15-minut…

…e-block-consistently AUT-1553: Change error screens for new journeys with block in place
govuk-one-login · Jan 15, 2024 · 1773315 · 1773315
2 parents 93e523c + e2a6dd5
commit 1773315
Show file tree

Hide file tree

Showing 6 changed files with 49 additions and 7 deletions.
diff --git a/src/components/account-recovery/check-your-email-security-codes/send-email-otp-middleware.ts b/src/components/account-recovery/check-your-email-security-codes/send-email-otp-middleware.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { sendNotificationService } from "../../common/send-notification/send-notification-service";
 import { JOURNEY_TYPE, NOTIFICATION_TYPE } from "../../../app.constants";
-import { getErrorPathByCode } from "../../common/constants";
+import { ERROR_CODES, getErrorPathByCode } from "../../common/constants";
 import { BadRequestError } from "../../../utils/error";
 import xss from "xss";
 import { ExpressRouteFunc } from "../../../types";
@@ -33,6 +33,13 @@ export function sendEmailOtp(
       return next();
     }
 
+    if (
+      sendNotificationResponse.data?.code ===
+      ERROR_CODES.VERIFY_CHANGE_HOW_GET_SECURITY_CODES_CODE_REQUEST_BLOCKED
+    ) {
+      return res.render("security-code-error/index-wait.njk");
+    }
+
     const path = sendNotificationResponse.data?.code
       ? getErrorPathByCode(sendNotificationResponse.data.code)
       : undefined;

diff --git a/src/components/enter-authenticator-app-code/enter-authenticator-app-code-controller.ts b/src/components/enter-authenticator-app-code/enter-authenticator-app-code-controller.ts
@@ -6,7 +6,10 @@ import {
   getNextPathAndUpdateJourney,
   pathWithQueryParam,
 } from "../common/constants";
-import { supportAccountRecovery } from "../../config";
+import {
+  getCodeEnteredWrongBlockDurationInMinutes,
+  supportAccountRecovery,
+} from "../../config";
 import { VerifyMfaCodeInterface } from "./types";
 import { AccountRecoveryInterface } from "../common/account-recovery/types";
 import { accountRecoveryService } from "../common/account-recovery/account-recovery-service";
@@ -131,6 +134,15 @@ export const enterAuthenticatorAppCodePost = (
         return renderBadRequest(res, req, template, error);
       }
 
+      if (
+        result.data.code ===
+        ERROR_CODES.AUTH_APP_INVALID_CODE_MAX_ATTEMPTS_REACHED
+      ) {
+        req.session.user.wrongCodeEnteredLock = new Date(
+          Date.now() + getCodeEnteredWrongBlockDurationInMinutes() * 60000
+        ).toUTCString();
+      }
+
       const path = getErrorPathByCode(result.data.code);
 
       if (path) {

diff --git a/src/components/enter-email/enter-email-controller.ts b/src/components/enter-email/enter-email-controller.ts
@@ -40,7 +40,7 @@ export function enterEmailPost(
 
     if (!result.success) {
       if (result.data.code === ERROR_CODES.ACCOUNT_LOCKED) {
-        return res.redirect(getErrorPathByCode(result.data.code));
+        return res.render("enter-password/index-sign-in-retry-blocked.njk");
       }
       throw new BadRequestError(result.data.message, result.data.code);
     }

diff --git a/src/components/enter-email/tests/enter-email-controller.test.ts b/src/components/enter-email/tests/enter-email-controller.test.ts
@@ -144,7 +144,9 @@ describe("enter email controller", () => {
 
       await enterEmailPost(fakeService)(req as Request, res as Response);
 
-      expect(res.redirect).to.have.calledWith(PATH_NAMES.ACCOUNT_LOCKED);
+      expect(res.render).to.have.calledWith(
+        "enter-password/index-sign-in-retry-blocked.njk"
+      );
       expect(fakeService.userExists).to.have.been.calledOnce;
     });
   });

diff --git a/src/components/enter-password/enter-password-controller.ts b/src/components/enter-password/enter-password-controller.ts
@@ -152,6 +152,16 @@ export function enterPasswordPost(
       );
 
       if (!result.success) {
+        if (result.data.code === ERROR_CODES.MFA_CODE_REQUESTS_BLOCKED) {
+          return res.render("security-code-error/index-wait.njk");
+        }
+
+        if (result.data.code === ERROR_CODES.ENTERED_INVALID_MFA_MAX_TIMES) {
+          return res.render(
+            "security-code-error/index-security-code-entered-exceeded.njk"
+          );
+        }
+
         const path = getErrorPathByCode(result.data.code);
 
         if (path) {

diff --git a/src/components/reset-password-check-email/reset-password-check-email-controller.ts b/src/components/reset-password-check-email/reset-password-check-email-controller.ts
@@ -64,10 +64,21 @@ export function resetPasswordCheckEmailGet(
         ERROR_CODES.ENTERED_INVALID_PASSWORD_RESET_CODE_MAX_TIMES,
       ].includes(result.data.code)
     ) {
-      const errorTemplate =
+      let errorTemplate: string;
+
+      if (
         result.data.code === ERROR_CODES.RESET_PASSWORD_LINK_MAX_RETRIES_REACHED
-          ? "security-code-error/index-too-many-requests.njk"
-          : "security-code-error/index-wait.njk";
+      ) {
+        errorTemplate = "security-code-error/index-too-many-requests.njk";
+      } else if (
+        result.data.code ===
+        ERROR_CODES.ENTERED_INVALID_PASSWORD_RESET_CODE_MAX_TIMES
+      ) {
+        errorTemplate =
+          "security-code-error/index-security-code-entered-exceeded.njk";
+      } else {
+        errorTemplate = "security-code-error/index-wait.njk";
+      }
 
       return res.render(errorTemplate);
     } else {