From 8bad5926abc3659cb0b072a3cc37ec527d395f94 Mon Sep 17 00:00:00 2001
From: Leo Hemsted
Date: Fri, 24 Feb 2017 15:14:47 +0000
Subject: [PATCH] dont set session_id or logged_in_at if user provides email code
---
 app/user/rest.py | 17 +++++++++--------
 tests/app/user/test_rest_verify.py | 21 ++++++++++++++++++++-
 2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/app/user/rest.py b/app/user/rest.py
index c0eabd403..0f55796ed 100644
--- a/app/user/rest.py
+++ b/app/user/rest.py
@@ -110,21 +110,21 @@ def verify_user_code(user_id):
     user_to_verify = get_user_by_id(user_id=user_id)
     req_json = request.get_json()
-    txt_code = None
-    txt_type = None
+    verify_code = None
+    code_type = None
     errors = {}
     try:
-        txt_code = req_json['code']
+        verify_code = req_json['code']
     except KeyError:
         errors.update({'code': ['Required field missing data']})
     try:
-        txt_type = req_json['code_type']
+        code_type = req_json['code_type']
     except KeyError:
         errors.update({'code_type': ['Required field missing data']})
     if errors:
         raise InvalidRequest(errors, status_code=400)
-    code = get_user_code(user_to_verify, txt_code, txt_type)
+    code = get_user_code(user_to_verify, verify_code, code_type)
     if not code:
         increment_failed_login_count(user_to_verify)
         raise InvalidRequest("Code not found", status_code=404)
@@ -132,9 +132,10 @@ def verify_user_code(user_id):
         increment_failed_login_count(user_to_verify)
         raise InvalidRequest("Code has expired", status_code=400)
-    user_to_verify.current_session_id = str(uuid.uuid4())
-    user_to_verify.logged_in_at = datetime.utcnow()
-    save_model_user(user_to_verify)
+    if code_type == 'sms':
+        user_to_verify.current_session_id = str(uuid.uuid4())
+        user_to_verify.logged_in_at = datetime.utcnow()
+        save_model_user(user_to_verify)
     use_user_code(code.id)
     reset_failed_login_count(user_to_verify)
diff --git a/tests/app/user/test_rest_verify.py b/tests/app/user/test_rest_verify.py
index 92dc6d609..c65961d38 100644
--- a/tests/app/user/test_rest_verify.py
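Review bot: The `code_type` value read from the request JSON is only checked for presence, not for being one of the types the endpoint understands, so an arbitrary string reaches `get_user_code` and, if the lookup finds nothing, is reported as `Code not found` with a 404 and counts against the user's failed-login tally. Now that `code_type` also drives the session-creation branch later in this function, I would fail closed on an unknown value before the lookup, alongside the existing required-field checks: `if code_type is not None and code_type not in ('sms', 'email'):` followed by `errors.update({'code_type': ['Invalid code type']})`. The set of valid types is inferred from this commit (sms and email) and should be confirmed against the VerifyCode model; if a constant for it already exists, use that instead of literals. `verify_user_code` continues past this hunk.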
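Review bot: The new `if code_type == 'sms':` branch keys a security decision (minting `current_session_id` and stamping `logged_in_at`) on the client-supplied `code_type` string rather than on the type recorded against the code that was actually found, and nothing in the code says why email codes are excluded. If `get_user_code` returns the VerifyCode row, as the test file's use of `sample_email_code.code_type` suggests, comparing against the stored record is the safer choice: `if code.code_type == 'sms':`. Either way, a comment should carry the intent the commit message states, e.g. `# Only an SMS code completes a login; an email code verifies the address and must not create a session.`, so a future type does not silently inherit the no-session path. Note that `save_model_user` is now skipped for non-SMS codes, which is correct only if `use_user_code` and `reset_failed_login_count` persist their own changes — worth confirming.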
+++ b/tests/app/user/test_rest_verify.py
@@ -22,7 +22,7 @@ from tests import create_authorization_header
 @freeze_time('2016-01-01T12:00:00')
-def test_user_verify_code(client, sample_sms_code):
+def test_user_verify_sms_code(client, sample_sms_code):
     sample_sms_code.user.logged_in_at = datetime.utcnow() - timedelta(days=1)
     assert not VerifyCode.query.first().code_used
     assert sample_sms_code.user.current_session_id is None
@@ -40,6 +40,25 @@ def test_user_verify_code(client, sample_sms_code):
     assert sample_sms_code.user.current_session_id is not None
+@freeze_time('2016-01-01T12:00:00')
+def test_user_verify_email_code(client, sample_email_code):
+    sample_email_code.user.logged_in_at = datetime.utcnow() - timedelta(days=1)
+    assert not VerifyCode.query.first().code_used
+    assert sample_email_code.user.current_session_id is None
+    data = json.dumps({
+        'code_type': sample_email_code.code_type,
+        'code': sample_email_code.txt_code})
+    auth_header = create_authorization_header()
+    resp = client.post(
+        url_for('user.verify_user_code', user_id=sample_email_code.user.id),
+        data=data,
+        headers=[('Content-Type', 'application/json'), auth_header])
+    assert resp.status_code == 204
+    assert VerifyCode.query.first().code_used
+    assert sample_email_code.user.logged_in_at == datetime.utcnow() - timedelta(days=1)
+    assert sample_email_code.user.current_session_id is None
+
+
 def test_user_verify_code_missing_code(client, sample_sms_code):
     assert not VerifyCode.query.first().code_used
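Review bot: The new `test_user_verify_email_code` exercises the happy path but there is no negative test for the case the session-creation branch is guarding against: submitting an email code's `txt_code` with `'code_type': 'sms'` to see that no session is created and the code is not consumed. That is the request an attacker holding an emailed code would actually send, so it is the assertion that pins the security property of this change. The expected 404 below assumes `get_user_code` filters on the supplied type, which its call signature suggests but this diff does not show.
```python
def test_user_verify_email_code_as_sms_does_not_create_session(client, sample_email_code):
    data = json.dumps({'code_type': 'sms', 'code': sample_email_code.txt_code})
    auth_header = create_authorization_header()
    resp = client.post(
        url_for('user.verify_user_code', user_id=sample_email_code.user.id),
        data=data,
        headers=[('Content-Type', 'application/json'), auth_header])
    assert resp.status_code == 404
    assert not VerifyCode.query.first().code_used
    assert sample_email_code.user.current_session_id is None
```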