Merge pull request #1770 from 18F/jmhooper-session-decrypt-error

Raise on session decryption errors

app/services/session_encryptor_error_handler.rb

@@ -0,0 +1,5 @@
+class SessionEncryptorErrorHandler
+  def self.call(error, _sid)
+    raise error
+  end
+end

config/initializers/session_store.rb

@@ -14,6 +14,7 @@
     key_prefix: "#{Figaro.env.domain_name}:session:",
     url: Figaro.env.redis_url,
   },
+  on_session_load_error: SessionEncryptorErrorHandler,
   serializer: SessionEncryptor.new,
 }
 

spec/features/session/decryption_spec.rb

@@ -0,0 +1,20 @@
+require 'rails_helper'
+
+feature 'Session decryption' do
+  context 'when there is a session decryption error' do
+    it 'should raise an error and log the user out' do
+      sign_in_and_2fa_user
+
+      session_encryptor = Rails.application.config.session_options[:serializer]
+      allow(session_encryptor).to receive(:load).and_raise(Pii::EncryptionError)
+
+      expect { visit account_path }.to raise_error(Pii::EncryptionError)
+
+      allow(session_encryptor).to receive(:load).and_call_original
+      visit account_path
+
+      # Should redirect to root since the user has been logged out
+      expect(current_path).to eq(root_path)
+    end
+  end
+end

spec/features/users/sign_in_spec.rb

@@ -239,6 +239,7 @@
     it 'redirects to root_path with user-friendly error message, not a 500 error' do
       allow(FeatureManagement).to receive(:use_kms?).and_return(true)
       stub_aws_kms_client_invalid_ciphertext
+      allow(SessionEncryptorErrorHandler).to receive(:call)
 
       user = create(:user)
       signin(user.email, 'invalid')