Bugfix: Do not direct to suspensions screen when password reset inter…

…vention also applies This fixes the case where, when resetting a password due to an account intervention of password reset required, we are taken to the temporarily blocked screen, since in the reset password routes we still care about the suspension status as we don't want to allow password resets on suspended users. However, when someone has an account intervention of 'password_reset_required', they will always have a suspension also until they have reset their password. Therefore, in the password reset routes and in the middleware, we want to differentiate between the case where a user only has a suspension status (in which case they should not be allowed to reset their password) from the case where they have a suspension status because they need to reset their password. Co-authored-by: Aidan Comer <[email protected]>
govuk-one-login · Mar 6, 2024 · fb0a69d · fb0a69d
1 parent 2f23892
commit fb0a69d
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 0 deletions.
diff --git a/src/middleware/account-interventions-middleware.ts b/src/middleware/account-interventions-middleware.ts
@@ -45,6 +45,7 @@ export function accountInterventionsMiddleware(
         );
       } else if (
         accountInterventionsResponse.data.temporarilySuspended &&
+        !accountInterventionsResponse.data.passwordResetRequired &&
         handleSuspendedStatus
       ) {
         return res.redirect(

diff --git a/test/unit/middleware/account-interventions-middleware.test.ts b/test/unit/middleware/account-interventions-middleware.test.ts
@@ -136,6 +136,23 @@ describe("accountInterventionsMiddleware", () => {
     );
   });
 
+  it("should not redirect to getNextPathAndUpdateJourney with the journey being UNAVAILABLE_TEMPORARY when passwordResetRequired === true and both password reset and suspension interventions are on", async () => {
+    const fakeAccountInterventionService: AccountInterventionsInterface = {
+      accountInterventionStatus: sinon.fake.returns({
+        data: {
+          email: "[email protected]",
+          passwordResetRequired: true,
+          blocked: false,
+          temporarilySuspended: true,
+        },
+      }),
+    } as unknown as AccountInterventionsInterface;
+    await callMiddleware(true, false, fakeAccountInterventionService);
+    expect(res.redirect).to.not.have.been.calledWith(
+      PATH_NAMES.UNAVAILABLE_TEMPORARY
+    );
+  });
+
   it("should not redirect to UNAVAILABLE_TEMPORARY when temporarilySuspended === true in the response and supportAccountInterventions() returns true", async () => {
     const fakeAccountInterventionService = fakeAccountInterventionsService({
       passwordResetRequired: false,