refactor: reduce code complexity by using loginHint from oidc interac…

…tion only to trigger a login submission once

src/controllers/interaction.ts

@@ -7,11 +7,10 @@ import {
   isWithinAuthenticatedSession,
   isWithinTwoFactorAuthenticatedSession,
 } from "../managers/session/authenticated";
-import { setEmailInUnauthenticatedSession } from "../managers/session/unauthenticated";
+import { setLoginHintInUnauthenticatedSession } from "../managers/session/unauthenticated";
 import epochTime from "../services/epoch-time";
 import { mustReturnOneOrganizationInPayload } from "../services/must-return-one-organization-in-payload";
 import { shouldTrigger2fa } from "../services/should-trigger-2fa";
-import { postStartSignInController } from "./user/signin-signup";
 
 export const interactionStartControllerFactory =
   (oidcProvider: any) =>
@@ -30,30 +29,21 @@ export const interactionStartControllerFactory =
         req.session.mustUse2FA = true;
       }
 
-      if (prompt.name === "login" && prompt.reasons.includes("login_prompt")) {
-        if (login_hint) {
-          setEmailInUnauthenticatedSession(req, login_hint);
-          req.body.login = login_hint;
-          return postStartSignInController(req, res, next);
-        }
+      if (login_hint) {
+        setLoginHintInUnauthenticatedSession(req, login_hint);
+      }
 
+      if (prompt.name === "login" && prompt.reasons.includes("login_prompt")) {
         return res.redirect(`/users/start-sign-in`);
       }
 
       if (prompt.name === "login" || prompt.name === "choose_organization") {
-        if (login_hint) {
-          const isAuthenticated = isWithinAuthenticatedSession(req.session);
-          const authenticatedUserEmail = isAuthenticated
-            ? getUserFromAuthenticatedSession(req).email
-            : null;
-          const isDifferentEmail = authenticatedUserEmail !== login_hint;
-
-          if (!isAuthenticated || (isAuthenticated && isDifferentEmail)) {
-            setEmailInUnauthenticatedSession(req, login_hint);
-            req.body.login = login_hint;
-
-            return postStartSignInController(req, res, next);
-          }
+        if (
+          login_hint &&
+          isWithinAuthenticatedSession(req.session) &&
+          getUserFromAuthenticatedSession(req).email !== login_hint
+        ) {
+          return res.redirect(`/users/start-sign-in`);
         }
 
         return res.redirect(`/interaction/${interactionId}/login`);

src/controllers/user/signin-signup.ts

@@ -11,6 +11,7 @@ import {
 } from "../../config/errors";
 import { createAuthenticatedSession } from "../../managers/session/authenticated";
 import {
+  getAndRemoveLoginHintFromUnauthenticatedSession,
   getEmailFromUnauthenticatedSession,
   setEmailInUnauthenticatedSession,
   setPartialUserFromUnauthenticatedSession,
@@ -33,13 +34,22 @@ export const getStartSignInController = async (
   next: NextFunction,
 ) => {
   try {
+    // Bypass email submission when a login hint is provided in the interaction
+    const hintFromOidcInteraction =
+      getAndRemoveLoginHintFromUnauthenticatedSession(req);
+    if (hintFromOidcInteraction) {
+      setEmailInUnauthenticatedSession(req, hintFromOidcInteraction);
+      req.body.login = hintFromOidcInteraction;
+      return postStartSignInController(req, res, next);
+    }
+
     const schema = z.object({
       did_you_mean: z.string().trim().min(1).optional(),
     });
 
     const { did_you_mean: didYouMean } = await schema.parseAsync(req.query);
 
-    const loginHint = getEmailFromUnauthenticatedSession(req);
+    const hintFromSession = getEmailFromUnauthenticatedSession(req);
 
     const hasEmailError =
       (await getNotificationLabelFromRequest(req)) === "invalid_email";
@@ -49,7 +59,7 @@ export const getStartSignInController = async (
       notifications: !hasEmailError && (await getNotificationsFromRequest(req)),
       hasEmailError,
       didYouMean,
-      loginHint,
+      loginHint: hintFromSession,
       csrfToken: csrfToken(req),
       displayTestEnvWarning: DISPLAY_TEST_ENV_WARNING,
     });

src/managers/session/unauthenticated.ts

@@ -3,6 +3,21 @@ import { isEmpty } from "lodash-es";
 import { NoEmailFoundInUnauthenticatedSessionError } from "../../config/errors";
 import { findByEmail, update } from "../../repositories/user";
 
+export const getAndRemoveLoginHintFromUnauthenticatedSession = (
+  req: Request,
+) => {
+  const loginHint = req.session.loginHint;
+  delete req.session.loginHint;
+  return loginHint;
+};
+export const setLoginHintInUnauthenticatedSession = (
+  req: Request,
+  loginHint: string,
+) => {
+  req.session.loginHint = loginHint;
+
+  return loginHint;
+};
 export const getEmailFromUnauthenticatedSession = (req: Request) => {
   return req.session.email;
 };

src/types/express-session.d.ts

@@ -1,5 +1,6 @@
 export interface UnauthenticatedSessionData {
   email?: string;
+  loginHint?: string;
   needsInclusionconnectWelcomePage?: boolean;
   interactionId?: string;
   mustReturnOneOrganizationInPayload?: boolean;