vets-website icon indicating copy to clipboard operation
vets-website copied to clipboard

Published 20 hours ago verified publisher icon department-of-veterans-affairs

Fix SSO looping bug on terms of use page

Open asg5704 opened this issue 9 months ago • 0 comments

Summary

This PR fixes the single sign-on bug on the /terms-of-use page

Related issue(s)

  • department-of-veterans-affairs/va.gov-team#82990

Testing done

Added unit tests + manual (see steps below in Requested Feedback)

Screenshots

n/a

What areas of the site does it impact?

This will impact all areas of VA.gov

Acceptance criteria

Quality Assurance & Testing

  • [ ] I fixed|updated|added unit tests and integration tests for each feature (if applicable).
  • [ ] No sensitive information (i.e. PII/credentials/internal URLs/etc.) is captured in logging, hardcoded, or specs
  • [ ] Linting warnings have been addressed
  • [ ] Documentation has been updated (link to documentation *if necessary)
  • [ ] Screenshot of the developed feature is added
  • [ ] Accessibility testing has been performed

Error Handling

  • [ ] Browser console contains no warnings or errors.
  • [ ] Events are being sent to the appropriate logging solution
  • [ ] Feature/bug has a monitor built into Datadog or Grafana (if applicable)

Authentication

  • [ ] Did you login to a local build and verify all authenticated routes work as expected with a test user

:warning: Team Sites (only applies to modifications made to the VA.gov header) :warning:

  • [ ] The vets-website header does not contain any web-components
  • [ ] I used the proxy-rewrite steps to test the injected header scenario
  • [ ] I reached out in the #sitewide-public-websites Slack channel for questions

Requested Feedback

Setup

  1. Start vets-website and vets-api
  2. The following local storage items need to be set in the DevTools console. Copy and paste the below code into the console of your browser after starting vets-website 
localStorage.setItem('loginAttempted', true); // prevents infinite loop of attempting ot call `custom` endpoint
localStorage.setItem('hasSessionSSO', true); // set by the keepalive request
localStorage.setItem('sessionExpirationSSO', new Date().toString()) // set by keepalive request
  1. In local environments, the /keepalive call does not exist and instead a mock call is used by modifying query parameters. keepalive-ttl, keepalive-authn, and csp_type are the query parameters that are used to mock the /keepalive header values.

Testing

Response from /keepalive URL Result
Session alive
TTL: 900		 http://localhost:3001/?keepalive-ttl=900&keepalive-authn=http://idmanagement.gov/ns/assurance/loa/3&csp_type=IDME User SHOULD BE navigated to eAuth
Session dead
TTL: 0		 http://localhost:3001/?keepalive-ttl=0&keepalive-authn=http://idmanagement.gov/ns/assurance/loa/3&csp_type=IDME User SHOULD NOT be redirected to eAuth
Session alive
TTL: 900		 http://localhost:3001/terms-of-use/?keepalive-ttl=900&keepalive-authn=http://idmanagement.gov/ns/assurance/loa/3&csp_type=IDME User SHOULD NOT be redirected to eAuth
Session alive
TTL: 900		 http://localhost:3001/education/apply-for-education-benefits/application/1990/introduction?keepalive-ttl=900&keepalive-authn=http://idmanagement.gov/ns/assurance/loa/3&csp_type=IDME User SHOULD BE navigated to eAuth

asg5704 avatar May 13 '24 20:05 asg5704