From 0132d76c167d181e3cfe35bd012e2dbfe535e927 Mon Sep 17 00:00:00 2001 From: Pea Tyczynska Date: Fri, 31 Jan 2020 17:19:24 +0000 Subject: [PATCH] Validate email access based on code_type anot auth_type when verifying the code is correct. This way if user has sms_auth and we send them verification code to validate their email access, and they click the link in the email, their access will be validated correctly. --- app/user/rest.py | 2 +- tests/app/user/test_rest_verify.py | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/app/user/rest.py b/app/user/rest.py index 7eed40c43..3d60f7319 100644 --- a/app/user/rest.py +++ b/app/user/rest.py @@ -197,7 +197,7 @@ def verify_user_code(user_id): user_to_verify.current_session_id = str(uuid.uuid4()) user_to_verify.logged_in_at = datetime.utcnow() - if user_to_verify.auth_type == 'email_auth': + if data['code_type'] == 'email': user_to_verify.email_access_validated_at = datetime.utcnow() user_to_verify.failed_login_count = 0 save_model_user(user_to_verify) diff --git a/tests/app/user/test_rest_verify.py b/tests/app/user/test_rest_verify.py index 2af880f5f..3af486979 100644 --- a/tests/app/user/test_rest_verify.py +++ b/tests/app/user/test_rest_verify.py @@ -344,6 +344,8 @@ def test_reset_failed_login_count_returns_404_when_user_does_not_exist(client): assert resp.status_code == 404 +# we send sms_auth users email code to validate their email access +@pytest.mark.parametrize('auth_type', ['email_auth', 'sms_auth']) @pytest.mark.parametrize('data, expected_auth_url', ( ( {}, @@ -365,8 +367,10 @@ def test_send_user_email_code( email_2fa_code_template, data, expected_auth_url, + auth_type ): deliver_email = mocker.patch('app.celery.provider_tasks.deliver_email.apply_async') + sample_user.auth_type = auth_type admin_request.post( 'user.send_user_2fa_code', 
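Review bot: The new condition `if data['code_type'] == 'email':` in the `app/user/rest.py` hunk takes the code type from the request body, so `email_access_validated_at` is only trustworthy if the code lookup earlier in `verify_user_code` matched a stored code of that same type; that lookup is outside this hunk and should be confirmed. If the lookup is not scoped by type, a valid SMS code submitted with `code_type` set to `email` would refresh the email-access timestamp without the user ever having opened the email. Reading the type from the verified code record rather than the request field would remove that dependency; failing that, add a comment such as `# code_type is caller-supplied; the code lookup above must have matched a stored code of this type`. The test module already uses an `EMAIL_TYPE` constant for this value, and using it here instead of the literal `'email'` would keep the two in step, assuming it is importable in this module.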
@@ -417,10 +421,12 @@ def test_send_email_code_returns_404_for_bad_input_data(admin_request): @freeze_time('2016-01-01T12:00:00') -def test_user_verify_email_code(admin_request, sample_user): +# we send sms_auth users email code to validate their email access +@pytest.mark.parametrize('auth_type', ['email_auth', 'sms_auth']) +def test_user_verify_email_code(admin_request, sample_user, auth_type): sample_user.logged_in_at = datetime.utcnow() - timedelta(days=1) sample_user.email_access_validated_at = datetime.utcnow() - timedelta(days=1) - sample_user.auth_type = "email_auth" + sample_user.auth_type = auth_type magic_code = str(uuid.uuid4()) verify_code = create_user_code(sample_user, magic_code, EMAIL_TYPE)
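Review bot: The parametrised `test_user_verify_email_code` covers only the positive case; nothing visible in this patch pins the other half of the new rule, that verifying an SMS-type code leaves `email_access_validated_at` untouched whatever the user's `auth_type`. A sibling test that creates the code with the SMS type and asserts the timestamp is unchanged would guard against the check regressing to `auth_type` or being widened later. Minor: the explanatory comment sits between `@freeze_time` and `@pytest.mark.parametrize`, and would read more cleanly above the whole decorator stack. The test body and its assertions continue past the end of this hunk, so existing coverage there could not be checked.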