feat: login_hint from sp does not trigger login prompt

cypress/e2e/signin_from_agentconnect_client/fixtures.sql

@@ -2,7 +2,8 @@ INSERT INTO users
   (id, email, email_verified, email_verified_at, encrypted_password, created_at, updated_at, given_name, family_name,
    phone_number, job)
 VALUES
-  (1, '[email protected]', true, CURRENT_TIMESTAMP, '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Jean', 'Jean', '0123456789', 'Sbire');
+  (1, '[email protected]', true, CURRENT_TIMESTAMP, '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Jean', 'Jean', '0123456789', 'Sbire'),
+  (2, '[email protected]', true, CURRENT_TIMESTAMP, '$2a$10$kzY3LINL6..50Fy9shWCcuNlRfYq0ft5lS.KCcJ5PzrhlWfKK4NIO', CURRENT_TIMESTAMP, CURRENT_TIMESTAMP, 'Jean', 'Jean', '0123456789', 'Sbire');
 
 
 INSERT INTO organizations
@@ -13,7 +14,8 @@ VALUES
 INSERT INTO users_organizations
   (user_id, organization_id, is_external, verification_type, has_been_greeted)
 VALUES
-  (1, 1, false, 'domain', true);
+  (1, 1, false, 'domain', true),
+  (2, 1, false, 'domain', true);
 
 INSERT INTO oidc_clients
   (client_name, client_id, client_secret, redirect_uris,

cypress/e2e/signin_from_agentconnect_client/index.cy.ts

@@ -1,7 +1,7 @@
 //
 
 describe("sign-in from agentconnect client", () => {
-  it("should sign-in", function () {
+  it("should sign-in", () => {
     cy.visit("http://localhost:4001");
     cy.get("button.moncomptepro-button").click();
 
@@ -14,4 +14,31 @@ describe("sign-in from agentconnect client", () => {
     cy.contains("[email protected]");
     cy.contains("21340126800130");
   });
+
+  it("should not prompt for password if a session is already opened", () => {
+    cy.visit("/");
+    cy.login("[email protected]");
+
+    cy.visit("http://localhost:4001");
+    cy.get("button.moncomptepro-button").click();
+
+    cy.contains("moncomptepro-agentconnect-client");
+    cy.contains("[email protected]");
+  })
+
+  it("login_hint should take precedence over existing session", () => {
+    cy.visit("/");
+    cy.login("[email protected]");
+
+    cy.visit("http://localhost:4001");
+    cy.get("button.moncomptepro-button").click();
+
+    cy.get('[name="password"]').type("password123");
+    cy.get('[action="/users/sign-in"]  [type="submit"]')
+      .contains("S’identifier")
+      .click();
+
+    cy.contains("moncomptepro-agentconnect-client");
+    cy.contains("[email protected]");
+  })
 });

cypress/e2e/signin_from_standard_client/index.cy.ts

@@ -56,5 +56,14 @@ describe("sign-in from standard client", () => {
     cy.contains("Commune de lamalou-les-bains - Mairie");
   });
 
-  it("should prompt for organization selection", function () {});
+  it("should not prompt for password if a session is already opened", () => {
+    cy.visit("/");
+    cy.login("[email protected]");
+
+    cy.visit("http://localhost:4000");
+    cy.get("button.moncomptepro-button").click();
+
+    cy.contains("moncomptepro-standard-client");
+    cy.contains("[email protected]");
+  })
 });

src/config/errors.ts

@@ -87,7 +87,7 @@ export class WebauthnAuthenticationFailedError extends Error {}
 
 export class UserNotLoggedInError extends Error {}
 
-export class NoEmailFoundInLoggedOutSessionError extends Error {}
+export class NoEmailFoundInUnauthenticatedSessionError extends Error {}
 
 export class InvalidTotpTokenError extends Error {}
 

src/controllers/interaction.ts

@@ -4,6 +4,7 @@ import { ENABLE_FIXED_ACR } from "../config/env";
 import {
   getSessionStandardizedAuthenticationMethodsReferences,
   getUserFromAuthenticatedSession,
+  isWithinAuthenticatedSession,
   isWithinTwoFactorAuthenticatedSession,
 } from "../managers/session/authenticated";
 import { setEmailInUnauthenticatedSession } from "../managers/session/unauthenticated";
@@ -41,8 +42,18 @@ export const interactionStartControllerFactory =
 
       if (prompt.name === "login" || prompt.name === "choose_organization") {
         if (login_hint) {
-          req.body.login = login_hint;
-          return postStartSignInController(req, res, next);
+          const isAuthenticated = isWithinAuthenticatedSession(req.session);
+          const authenticatedUserEmail = isAuthenticated
+            ? getUserFromAuthenticatedSession(req).email
+            : null;
+          const isDifferentEmail = authenticatedUserEmail !== login_hint;
+
+          if (!isAuthenticated || (isAuthenticated && isDifferentEmail)) {
+            setEmailInUnauthenticatedSession(req, login_hint);
+            req.body.login = login_hint;
+
+            return postStartSignInController(req, res, next);
+          }
         }
 
         return res.redirect(`/interaction/${interactionId}/login`);

src/managers/session/unauthenticated.ts

@@ -1,6 +1,6 @@
 import type { Request } from "express";
 import { isEmpty } from "lodash-es";
-import { NoEmailFoundInLoggedOutSessionError } from "../../config/errors";
+import { NoEmailFoundInUnauthenticatedSessionError } from "../../config/errors";
 import { findByEmail, update } from "../../repositories/user";
 
 export const getEmailFromUnauthenticatedSession = (req: Request) => {
@@ -42,7 +42,7 @@ export const updatePartialUserFromUnauthenticatedSession = async (
   needs_inclusionconnect_welcome_page: boolean;
 }> => {
   if (!req.session.email) {
-    throw new NoEmailFoundInLoggedOutSessionError();
+    throw new NoEmailFoundInUnauthenticatedSessionError();
   }
 
   req.session.needsInclusionconnectWelcomePage =

src/types/express-session.d.ts

@@ -1,4 +1,4 @@
-export interface LoggedOutSessionData {
+export interface UnauthenticatedSessionData {
   email?: string;
   needsInclusionconnectWelcomePage?: boolean;
   interactionId?: string;
@@ -25,7 +25,7 @@ export interface AuthenticatedSessionData {
 }
 
 declare module "express-session" {
-  export interface SessionData extends LoggedOutSessionData {
+  export interface SessionData extends UnauthenticatedSessionData {
     user?: User;
     temporaryEncryptedTotpKey?: string;
     amr?: AmrValue[];