Fyst 1516 add email validation step to prior year access flow

app/controllers/state_file/archived_intakes/archived_intake_controller.rb

@@ -0,0 +1,23 @@
+module StateFile
+  module ArchivedIntakes
+    class ArchivedIntakeController < ApplicationController
+      def current_request
+        StateFileArchivedIntakeRequest.find_by(ip_address: ip_for_irs, email_address: session[:email_address])
+      end
+
+      def create_state_file_access_log(event_type)
+        StateFileArchivedIntakeAccessLog.create!(
+          event_type: event_type,
+          state_file_archived_intake_request: current_request
+        )
+      end
+
+      def check_feature_flag
+        unless Flipper.enabled?(:get_your_pdf)
+          # this redirect to be changed when we have an offboarding page
+          redirect_to root_path
+        end
+      end
+    end
+  end
+end

app/controllers/state_file/archived_intakes/email_address_controller.rb

@@ -0,0 +1,31 @@
+module StateFile
+  module ArchivedIntakes
+    class EmailAddressController < ArchivedIntakeController
+      before_action :check_feature_flag
+      def edit
+        @form = EmailAddressForm.new
+      end
+
+      def update
+        @form = EmailAddressForm.new(email_address_form_params)
+
+        if @form.valid?
+          archived_intake = StateFileArchivedIntake.find_by(email_address: @form.email_address)
+          session[:email_address] = @form.email_address
+          StateFileArchivedIntakeRequest.find_or_create_by(email_address: @form.email_address, ip_address: ip_for_irs, state_file_archived_intakes_id: archived_intake&.id )
+          create_state_file_access_log("issued_email_challenge")
+
+          redirect_to state_file_archived_intakes_edit_verification_code_path
+        else
+          render :edit
+        end
+      end
+
+      private
+
+      def email_address_form_params
+        params.require(:state_file_archived_intakes_email_address_form).permit(:email_address)
+      end
+    end
+  end
+end

app/controllers/state_file/archived_intakes/verification_code_controller.rb

@@ -0,0 +1,48 @@
+module StateFile
+  module ArchivedIntakes
+    class VerificationCodeController < ArchivedIntakeController
+      before_action :check_feature_flag
+      def edit
+        if current_request.access_locked?
+          # this redirect to be changed when we have an offboarding page
+          redirect_to root_path
+          return
+        end
+        @form = VerificationCodeForm.new(email_address: current_request.email_address)
+        @email_address = current_request.email_address
+        ArchivedIntakeEmailVerificationCodeJob.perform_later(
+          email_address: @email_address,
+          locale: I18n.locale
+        )
+      end
+
+      def update
+        @form = VerificationCodeForm.new(verification_code_form_params, email_address: current_request.email_address)
+        @email_address = current_request.email_address
+
+        if @form.valid?
+          create_state_file_access_log("correct_email_code")
+          current_request.reset_failed_attempts!
+          # this should take us to the ssn page
+          redirect_to root_path
+        else
+          create_state_file_access_log("incorrect_email_code")
+          current_request.increment_failed_attempts
+          if current_request.access_locked?
+            create_state_file_access_log("client_lockout_begin")
+            # this redirect to be changed when we have an offboarding page
+            redirect_to root_path
+            return
+          end
+          render :edit
+        end
+      end
+
+      private
+
+      def verification_code_form_params
+        params.require(:state_file_archived_intakes_verification_code_form).permit(:verification_code)
+      end
+    end
+  end
+end

app/forms/state_file/archived_intakes/email_address_form.rb

@@ -0,0 +1,10 @@
+module StateFile
+  module ArchivedIntakes
+    class EmailAddressForm < Form
+      attr_accessor :email_address
+
+      validates :email_address, presence: true, 'valid_email_2/email': true
+
+    end
+  end
+end

app/forms/state_file/archived_intakes/verification_code_form.rb

@@ -0,0 +1,23 @@
+module StateFile
+  module ArchivedIntakes
+    class VerificationCodeForm < Form
+      attr_accessor :verification_code, :email_address
+
+      validates :verification_code, presence: true
+      def initialize(attributes = {}, email_address: nil)
+        super(attributes)
+        @email_address = email_address
+      end
+
+      def valid?
+        hashed_verification_code = VerificationCodeService.hash_verification_code_with_contact_info(@email_address, verification_code)
+
+        valid_code = EmailAccessToken.lookup(hashed_verification_code).exists?
+
+        errors.add(:verification_code, I18n.t("state_file.archived_intakes.verification_code.edit.error_message")) unless valid_code
+
+        valid_code.present?
+      end
+    end
+  end
+end

app/jobs/archived_intake_email_verification_code_job.rb

@@ -0,0 +1,11 @@
+class ArchivedIntakeEmailVerificationCodeJob < ApplicationJob
+  retry_on Mailgun::CommunicationError
+
+  def priority
+    PRIORITY_HIGH - 1 # Subtracting one to push to the top of the queue
+  end
+
+  def perform(email_address:, locale:)
+    ArchivedIntakeEmailVerificationCodeService.request_code(email_address: email_address, locale: locale)
+  end
+end

app/models/state_file_archived_intake.rb

@@ -17,5 +17,5 @@
 #
 class StateFileArchivedIntake < ApplicationRecord
   has_one_attached :submission_pdf
-  has_many :access_logs, class_name: 'StateFileArchivedIntakeAccessLog'
+  has_many :intake_requests, class_name: 'StateFileArchivedIntakeRequest'
 end

app/models/state_file_archived_intake_access_log.rb

@@ -2,24 +2,19 @@
 #
 # Table name: state_file_archived_intake_access_logs
 #
-#  id                             :bigint           not null, primary key
-#  details                        :jsonb
-#  event_type                     :integer
-#  ip_address                     :string
-#  created_at                     :datetime         not null
-#  updated_at                     :datetime         not null
-#  state_file_archived_intakes_id :bigint
-#
-# Indexes
-#
-#  idx_on_state_file_archived_intakes_id_e878049c06  (state_file_archived_intakes_id)
+#  id                                    :bigint           not null, primary key
+#  details                               :jsonb
+#  event_type                            :integer
+#  created_at                            :datetime         not null
+#  updated_at                            :datetime         not null
+#  state_file_archived_intake_request_id :bigint
 #
 # Foreign Keys
 #
-#  fk_rails_...  (state_file_archived_intakes_id => state_file_archived_intakes.id)
+#  fk_rails_...  (state_file_archived_intake_request_id => state_file_archived_intake_requests.id)
 #
 class StateFileArchivedIntakeAccessLog < ApplicationRecord
-  belongs_to :state_file_archived_intake
+  belongs_to :state_file_archived_intake_request, optional: true
   enum event_type: {
     issued_email_challenge: 0, 
     correct_email_code: 1,

app/models/state_file_archived_intake_request.rb

@@ -0,0 +1,36 @@
+# == Schema Information
+#
+# Table name: state_file_archived_intake_requests
+#
+#  id                             :bigint           not null, primary key
+#  email_address                  :string
+#  failed_attempts                :integer          default(0), not null
+#  ip_address                     :string
+#  locked_at                      :datetime
+#  created_at                     :datetime         not null
+#  updated_at                     :datetime         not null
+#  state_file_archived_intakes_id :bigint
+#
+# Indexes
+#
+#  idx_on_state_file_archived_intakes_id_31501c23f8  (state_file_archived_intakes_id)
+#
+# Foreign Keys
+#
+#  fk_rails_...  (state_file_archived_intakes_id => state_file_archived_intakes.id)
+#
+class StateFileArchivedIntakeRequest < ApplicationRecord
+  devise :lockable, unlock_in: 60.minutes, unlock_strategy: :time
+  has_many :access_logs, class_name: 'StateFileArchivedIntakeAccessLog'
+
+  def self.maximum_attempts
+    2
+  end
+
+  def increment_failed_attempts
+    super
+    if attempts_exceeded? && !access_locked?
+      lock_access!
+    end
+  end
+end

app/services/archived_intake_email_verification_code_service.rb

@@ -0,0 +1,19 @@
+class ArchivedIntakeEmailVerificationCodeService
+  def initialize(email_address: , locale: :en)
+    @email_address = email_address
+    @locale = locale
+  end
+
+  def request_code
+    verification_code, = EmailAccessToken.generate!(email_address: @email_address)
+    VerificationCodeMailer.archived_intake_verification_code(
+      to: @email_address,
+      verification_code: verification_code,
+      locale: @locale
+    ).deliver_now
+  end
+
+  def self.request_code(**args)
+    new(**args).request_code
+  end
+end

app/views/state_file/archived_intakes/email_address/edit.html.erb

@@ -0,0 +1,21 @@
+<% title = t(".enter_email") %>
+<% content_for :page_title, title %>
+<section class="slab question-layout <%= controller_name.gsub("_", "-") %>-outer">
+  <div class="grid">
+    <div class="grid__item question-wrapper">
+      <h1 class="h2" id="main-question"><%= title %></h1>
+      <%= form_with model: @form, url: state_file_archived_intakes_email_address_path, local: true, method: :patch, builder: VitaMinFormBuilder do |f| %>
+        <div class="white-group">
+          <%= f.cfa_input_field(:email_address, t("state_file.questions.email_address.edit.email_address_label"), help_text: '[email protected]', classes: ["form-width--long"]) %>
+        </div>
+
+        <div class="form-actions">
+          <button type="submit" class="button button--primary button--wide spacing-below-15">
+            <%= t("state_file.questions.email_address.edit.action") %>
+          </button>
+        </div>
+      <% end %>
+    </div>
+  </div>
+</section>
+

app/views/state_file/archived_intakes/verification_code/edit.html.erb

@@ -0,0 +1,23 @@
+<% title = t(".title_html", email_address: @email_address) %>
+<section class="slab question-layout <%= controller_name.gsub("_", "-") %>-outer">
+  <div class="grid">
+    <div class="grid__item question-wrapper">
+      <div class="grid__item question-wrapper">
+        <% content_for :page_title, title %>
+        <%= form_with model: @form, url: { action: :update }, local: true, method: :patch, builder: VitaMinFormBuilder do |f| %>
+            <h1 class="h2" id="main-question"><%= title %></h1>
+            <p><%= t(".subtitle_html") %></p>
+            <p><%= t(".subtitle_html_2") %></p>
+            <div class="white-group">
+              <%= f.cfa_input_field(:verification_code, t("state_file.questions.verification_code.edit.verification_code_label"), classes: ["form-width--long"]) %>
+            </div>
+          <div class="form-actions">
+            <button type="submit" class="button button--primary button--wide spacing-below-15">
+              <%= t(".verify") %>
+            </button>
+          </div>
+        <% end %>
+      </div>
+    </div>
+  </div>
+</section>

app/views/state_file/state_file_pages/about_page.html.erb

@@ -45,4 +45,13 @@
     </div>
   <% end %>
 </section>
-<% end %>
+<% end %>
+
+<% if Flipper.enabled?(:get_your_pdf) %>
+  <div>
+      <%= t(".looking_for_return_html")%>
+        <div class = "spacing-above-10">
+          <%= link_to t(".tax_return_link"), state_file_archived_intakes_edit_email_address_path %>
+        </div>
+  </div>
+<% end %>

config/locales/en.yml

@@ -2063,6 +2063,17 @@ en:
         04_detail_links_html: See our <a href="%{terms_link}" target="_blank" rel="noopener noreferrer">Terms and Conditions</a> and <a href="%{privacy_link}" target="_blank" rel="noopener noreferrer">Privacy Policy.</a>
       subheader: Please sign up here to receive a notification when we open in January.
   state_file:
+    archived_intakes:
+      email_address:
+        edit:
+          enter_email: Enter the email address linked to your account
+      verification_code:
+        edit:
+          error_message: Incorrect verification code. After 2 failed attempts, accounts are locked.
+          subtitle_html: If you didn’t receive a code, please check your spam folder.
+          subtitle_html_2: If you still need help resubscribing, chat with us.
+          title_html: We’ve sent your code to <strong>%{email_address}</strong>
+          verify: Verify code
     faq:
       index:
         title: Common questions from %{state} taxpayers
@@ -3900,6 +3911,7 @@ en:
           Already filed your state taxes with us? <strong>You can download a copy of your state return until December 31, 2024</strong><br /><br />
         header: A free state filing service for taxpayers using IRS Direct File
         helper_heading_html: "<strong>How does this service work? </strong>"
+        looking_for_return_html: "<strong>Looking for your 2023 Arizona or New York State Tax Return?</strong>"
         section1_html: |
           <ol class="list--numbered"  style="padding-left: 2rem">
             <li>File and submit your federal return with <a target="_blank" rel="nofollow noopener" href="https://directfile.irs.gov/">IRS Direct File</a> before using this service.</li>
@@ -3919,6 +3931,7 @@ en:
           <strong>In 2025, this service will support filing state tax returns in Arizona, Idaho, North Carolina, New Jersey, and Maryland.</strong>
         subheader_2_html: To start filing your federal return, go to <a target="_blank" rel="nofollow noopener" href="https://directfile.irs.gov/">directfile.irs.gov.</a>
         subheader_3_html: "<strong>Already filed your federal return with IRS Direct File and need to complete your state return?</strong> <a href=%{login_path}>Sign in here</a>."
+        tax_return_link: Click here to access your tax return
       card_postscript:
         responses_saved_html: Your responses are saved. If you need a break, you can come back and log in to your account at <a href="https://fileyourstatetaxes.org">fileyourstatetaxes.org</a>.
       coming_soon: