[DPC-4220] Add max failed attempts to invite verification

dpc-portal/app/components/page/invitations/bad_invitation_component.html.erb

@@ -2,7 +2,7 @@
   <h1><%= t(@status) %></h1>
   <div>
     <p>
-      <%=raw t(key=@text, org_name: @org_name) %>
+      <%=raw t(key=@text, org_name: @org_name, ao_display_name: @ao_display_name) %>
     </p>
   </div>
   <% 'have to put the case statement here, as do not have route helper in ViewComponent'

dpc-portal/app/components/page/invitations/bad_invitation_component.rb

@@ -8,6 +8,7 @@ def initialize(invitation, reason)
         super
         @invitation = invitation
         @org_name = invitation&.provider_organization&.name
+        @ao_display_name = "#{invitation&.invited_given_name} #{invitation&.invited_family_name}"
         @reason = if AoVerificationService::SERVER_ERRORS.include?(reason)
                     :server_error
                   else

dpc-portal/app/controllers/invitations_controller.rb

@@ -39,15 +39,25 @@ def code
   end
 
   def verify_code
-    unless params[:verification_code] == @invitation.verification_code
-      @invitation.errors.add(:verification_code, :bad_code, message: 'tbd')
-      return render(Page::Invitations::OtpComponent.new(@organization, @invitation), status: :bad_request)
-    end
+    return handle_failed_attempt unless params[:verification_code] == @invitation.verification_code
 
+    @invitation.reset_attempts
     session["invitation_status_#{@invitation.id}"] = 'code_verified'
     render(Page::Invitations::InvitationLoginComponent.new(@invitation))
   end
 
+  def handle_failed_attempt
+    @invitation.increment_failed_attempts
+    if @invitation.attempts_remaining.zero?
+      return render(Page::Invitations::BadInvitationComponent.new(@invitation, 'max_tries_exceeded'),
+                    status: :forbidden)
+    end
+
+    flash[:alert] = "Incorrect invite code. You have #{@invitation.attempts_remaining} remaining attempts."
+    @invitation.errors.add(:verification_code, :bad_code, message: 'Incorrect invite code.')
+    render(Page::Invitations::OtpComponent.new(@organization, @invitation), status: :bad_request)
+  end
+
   def confirm_cd
     unless session["invitation_status_#{@invitation.id}"] == 'code_verified'
       return redirect_to code_organization_invitation_url(@organization, @invitation)

dpc-portal/app/models/invitation.rb

@@ -19,12 +19,25 @@ class Invitation < ApplicationRecord
 
   STEPS = ['Sign in or create a Login.gov account', 'Confirm your identity', 'Confirm organization registration',
            'Finished'].freeze
+  MAX_ATTEMPTS = 5
 
   def phone_raw=(nbr)
     @phone_raw = nbr
     self.invited_phone = @phone_raw.tr('^0-9', '')
   end
 
+  def increment_failed_attempts
+    update(failed_attempts: failed_attempts + 1) unless failed_attempts == MAX_ATTEMPTS
+  end
+
+  def reset_attempts
+    update(failed_attempts: 0)
+  end
+
+  def attempts_remaining
+    MAX_ATTEMPTS - failed_attempts
+  end
+
   def show_attributes
     { full_name: "#{invited_given_name} #{invited_family_name}",
       email: invited_email,
@@ -81,6 +94,7 @@ def unacceptable_reason # rubocop:disable Metrics/CyclomaticComplexity,Metrics/P
     return 'invalid' if cancelled?
     return 'accepted' if accepted?
     return 'ao_renewed' if renewed? && authorized_official?
+    return 'max_tries_exceeded' if attempts_remaining.zero?
 
     if expired? && authorized_official?
       'ao_expired'

dpc-portal/config/locales/en.yml

@@ -14,7 +14,8 @@ en:
     ao_med_sanctions_text: You are listed as an excluded individual by the Office of Inspector General (OIG), which prohibits you from acting as this organization’s Authorized Official. For more information, contact the <a href="https://oig.hhs.gov/about-oig/contact-us/#exclusions">OIG Exclusions Branch</a>.
     org_med_sanctions_status: Your organization is in the Medicare Exclusions Database.
     org_med_sanctions_text: Your organization is listed as an excluded entity by the Office of Inspector General (OIG), which prohibits it from accessing beneficiary claims data. For more information, contact the <a href="https://oig.hhs.gov/about-oig/contact-us/#exclusions">OIG Exclusions Branch</a>.
-
+    max_tries_exceeded_status: Your access is locked due to too many attempts.
+    max_tries_exceeded_text: "You have made too many attempts. Please request a new invite from %{ao_display_name}."
     no_approved_enrollment_status: Your organization is not currently approved by Medicare.
     no_approved_enrollment_text: Your organization must have an approved enrollment status with Medicare to access beneficiary claims data. Your organization may need to <a href="https://www.cms.gov/medicare/enrollment-renewal/providers-suppliers/chain-ownership-system-pecos/manage-your-enrollment">manage its enrollment</a> in PECOS, the Medicare enrollment system.
     bad_npi_status: Your organization is not currently approved by Medicare.

dpc-portal/db/migrate/20240906182122_add_failed_attempts_to_invitations.rb

@@ -0,0 +1,5 @@
+class AddFailedAttemptsToInvitations < ActiveRecord::Migration[7.1]
+  def change
+    add_column :invitations, :failed_attempts, :integer, default: 0, null: false
+  end
+end

dpc-portal/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.1].define(version: 2024_08_08_140452) do
+ActiveRecord::Schema[7.1].define(version: 2024_09_06_182122) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -81,6 +81,7 @@
     t.datetime "created_at", null: false
     t.datetime "updated_at", null: false
     t.integer "status"
+    t.integer "failed_attempts", default: 0, null: false
   end
 
   create_table "provider_organizations", force: :cascade do |t|

dpc-portal/spec/components/page/invitations/otp_component_spec.rb

@@ -51,9 +51,12 @@
       end
 
       context 'Errors' do
-        let(:error_msg) { 'Some error message' }
+        let(:error_msg) { 'Incorrect invite code. You have 4 remaining attempts.' }
 
-        before { cd_invite.errors.add(:verification_code, :is_bad, message: error_msg) }
+        before do
+          cd_invite.increment_failed_attempts
+          cd_invite.errors.add(:verification_code, :is_bad, message: error_msg)
+        end
         it 'should have errored verification_code stanza' do
           verification_code = <<~HTML
             <div class="margin-bottom-4">

dpc-portal/spec/models/invitation_spec.rb

@@ -480,6 +480,10 @@
       invitation = create(:invitation, :ao, created_at: 49.hours.ago, status: :renewed)
       expect(invitation.unacceptable_reason).to eq 'ao_renewed'
     end
+    it 'should be max_tries_exceeded if 5 failed attempts' do
+      invitation = create(:invitation, :ao, failed_attempts: 5)
+      expect(invitation.unacceptable_reason).to eq 'max_tries_exceeded'
+    end
   end
 
   describe :renew do

dpc-portal/spec/requests/invitations_spec.rb

@@ -481,6 +481,20 @@
         post "/organizations/#{org.id}/invitations/#{ao_invite.id}/verify_code", params: success_params
         expect(response).to redirect_to(organization_invitation_path(org, ao_invite))
       end
+      it 'should be rendered invalid after 5 failed attempts' do
+        expect(cd_invite.reload.failed_attempts).to eq 0
+        4.times.each do |i|
+          post "/organizations/#{org.id}/invitations/#{cd_invite.id}/verify_code", params: fail_params
+          expect(response).to be_bad_request
+          expect(flash[:alert]).to eq("Incorrect invite code. You have #{4 - i} remaining attempts.")
+          expect(cd_invite.reload.failed_attempts).to eq i + 1
+        end
+        post "/organizations/#{org.id}/invitations/#{cd_invite.id}/verify_code", params: fail_params
+        expect(response).to be_forbidden
+        expect(response.body).to include(I18n.t('verification.max_tries_exceeded_text', ao_display_name: 'Bob Hodges'))
+        expect(cd_invite.reload.failed_attempts).to eq 5
+        expect(cd_invite.unacceptable_reason).to eq 'max_tries_exceeded'
+      end
     end
   end