Closed. xlorepdarkhelm closed this 1 week ago.
Thanks, @xlorepdarkhelm!
The only suggestion I have is whether or not we want to make the Redis key TTL an app config variable instead of setting it in each method, but I could also see an argument for keeping the times separate, if we ever see a need to change the expiration time windows based on need.
Either way, not a fix that needs to be done with this. 🙂 Thanks!
Yeah, I had considered it, but held off on setting up a standard variable for now; we might want to revisit it later.
Description
Fixed the email verification step. The verify-email process does not go through Login.gov and therefore has no state or nonce. So if we get to the part of the sign_in code where we check for state and there is no state, we need to check whether the user is in the verify_email() process and on a return trip from it. If so, we can bypass the check for whether the state is correct.
I have also set up the Redis data to be removed automatically after it expires, so we don't clog up Redis with login information.
https://github.com/GSA/notifications-admin/issues/2098
Security Considerations
The login process is important to get right.
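As an added illustration of the branch the description above talks about (this is example code written for this page, not code from the notifications-admin project): the Login.gov round trip stores a state and nonce under Redis keys with a TTL, the verify-email flow has neither, and the callback only skips the state comparison when the returned request carries no state and a server-side "pending verify_email" marker exists for that session. `ExpiringStore`, the function names and the TTL values are assumptions; the store is an in-memory stand-in for the Redis calls so the example runs offline.

```python
import hmac
import secrets
import time

LOGIN_STATE_TTL = 300     # seconds; illustrative values, not the project's
VERIFY_EMAIL_TTL = 3600

class ExpiringStore:
    """In-memory stand-in (hypothetical) for the Redis SETEX/GET/DELETE calls."""
    def __init__(self, clock=time.monotonic):
        self._data, self._clock = {}, clock
    def setex(self, key, ttl, value):
        self._data[key] = (value, self._clock() + ttl)
    def get(self, key):
        item = self._data.get(key)
        if item is not None and self._clock() < item[1]:
            return item[0]
        self._data.pop(key, None)  # expired entries vanish, as in Redis
        return None
    def delete(self, key):
        self._data.pop(key, None)

def start_login(store, session_id):
    """Begin a Login.gov round trip: mint state and nonce, store both with a TTL."""
    state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    store.setex(f"login:{session_id}:state", LOGIN_STATE_TTL, state)
    store.setex(f"login:{session_id}:nonce", LOGIN_STATE_TTL, nonce)
    return state, nonce

def start_verify_email(store, session_id):
    """Mark the session as inside verify_email(); that flow carries no state."""
    store.setex(f"verify_email:{session_id}", VERIFY_EMAIL_TTL, "pending")

def sign_in_callback(store, session_id, returned_state):
    """Return (accepted, flow). Only a pending verify-email trip may skip the state check."""
    if returned_state is None:
        verify_key = f"verify_email:{session_id}"
        if store.get(verify_key) == "pending":
            store.delete(verify_key)  # one shot: a second stateless return is refused
            return True, "verify_email"
        return False, "no_state"
    login_key = f"login:{session_id}:state"
    expected = store.get(login_key)
    store.delete(login_key)  # single use, so a replayed callback fails
    if expected is not None and hmac.compare_digest(expected.encode(), returned_state.encode()):
        return True, "login_gov"
    return False, "state_mismatch"  # also reached once the stored state has expired
```

The bypass is deliberately narrow: a stateless callback with no pending verify-email marker, or one arriving after the marker's TTL has lapsed, is rejected rather than treated as a Login.gov return.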