18F · mdiarra3 · Jan 30, 2025 · Jan 7, 2025 · Jan 8, 2025 · Jan 8, 2025
diff --git a/app/controllers/accounts/connected_accounts/selected_email_controller.rb b/app/controllers/accounts/connected_accounts/selected_email_controller.rb
@@ -14,13 +14,13 @@ def edit
         @select_email_form = build_select_email_form
         @can_add_email = EmailPolicy.new(current_user).can_add_email?
         analytics.sp_select_email_visited
-        @email_id = @identity.email_address_id || last_email
+        @email_id = @identity.email_address_id || last_email_id
       end
 
       def update
         @select_email_form = build_select_email_form
 
-        result = @select_email_form.submit(form_params)
+        result = @select_email_form.submit(selected_email_id: selected_email_id)
 
         analytics.sp_select_email_submitted(**result)
 
@@ -52,7 +52,13 @@ def identity
         @identity = current_user.identities.find_by(id: params[:identity_id])
       end
 
-      def last_email
+      def selected_email_id
+        if identity.sp_only_single_email_requested?
+          form_params[:selected_email_id]
+        end
+      end
+
+      def last_email_id
         current_user.last_sign_in_email_address.id
       end
     end

diff --git a/app/controllers/openid_connect/authorization_controller.rb b/app/controllers/openid_connect/authorization_controller.rb
@@ -94,7 +94,7 @@ def email_address_id
         return user_session[:selected_email_id_for_linked_identity]
 if user_session[:selected_email_id_for_linked_identity].nil? 
   user_session[:selected_email_id_for_linked_identity] = current_user 
     .last_sign_in_email_address.id 
 end 
 if user_session[:selected_email_id_for_linked_identity].nil? 
   user_session[:selected_email_id_for_linked_identity] = current_user 
     .last_sign_in_email_address.id 
 end 
       end
       identity = current_user.identities.find_by(service_provider: sp_session[:issuer])
-      identity&.email_address_id
+      identity&.email_address_for_sharing&.id
     end
 
     def ial_context

diff --git a/app/controllers/sign_up/select_email_controller.rb b/app/controllers/sign_up/select_email_controller.rb
@@ -25,7 +25,7 @@ def create
       analytics.sp_select_email_submitted(**result, needs_completion_screen_reason:)
 
       if result.success?
-        user_session[:selected_email_id_for_linked_identity] = form_params[:selected_email_id]
+        user_session[:selected_email_id_for_linked_identity] = selected_email_id
         redirect_to sign_up_completed_path
       else
         flash[:error] = result.first_error_message
@@ -55,6 +55,13 @@ def last_email
       end
     end
 
+    def selected_email_id
+      if decorated_sp_session&.requested_attributes&.include?('email') &&
+         !decorated_sp_session&.requested_attributes&.include?('all_emails')
+        form_params[:selected_email_id]
+      end
+    end
+
     def verify_needs_completions_screen
       redirect_to account_url unless needs_completion_screen_reason
     end

diff --git a/app/models/service_provider_identity.rb b/app/models/service_provider_identity.rb
@@ -57,6 +57,11 @@ def friendly_name
     sp_metadata[:friendly_name]
   end
 
+  def sp_only_single_email_requested?
+    verified_attributes&.include?('email') &&
+      !verified_attributes.include?('all_emails')
+  end
+
   def service_provider_id
     service_provider_record&.id
   end
@@ -66,9 +71,15 @@ def happened_at
   end
 
   def email_address_for_sharing
-    if IdentityConfig.store.feature_select_email_to_share_enabled && email_address
+    if use_stored_email_address?
       return email_address
     end
     user.last_sign_in_email_address
   end
+
+  def use_stored_email_address?
+    IdentityConfig.store.feature_select_email_to_share_enabled &&
+      email_address &&
+      sp_only_single_email_requested?
+  end
 end
diff --git a/spec/controllers/accounts/connected_accounts/selected_email_controller_spec.rb b/spec/controllers/accounts/connected_accounts/selected_email_controller_spec.rb
@@ -89,8 +89,18 @@
 
   describe '#update' do
     let(:identity_id) { user.identities.take.id }
-    let(:selected_email) { user.confirmed_email_addresses.sample }
-    let(:params) { { identity_id:, select_email_form: { selected_email_id: selected_email.id } } }
+    let(:verified_attributes) { %w[email] }
+    let(:selected_email_id) { user.confirmed_email_addresses.sample.id }
+    let(:params) { { identity_id:, select_email_form: { selected_email_id: selected_email_id } } }
+    let(:sp) { create(:service_provider) }
+    before do
+      identity = ServiceProviderIdentity.find(identity_id)
+      identity.user_id = user&.id
+      identity.service_provider = sp.issuer
+      identity.verified_attributes = verified_attributes
+      identity.save!
+    end
+
     subject(:response) { patch :update, params: }
 
     it 'redirects to connected accounts path with the appropriate flash message' do
@@ -106,10 +116,32 @@
       expect(@analytics).to have_logged_event(
         :sp_select_email_submitted,
         success: true,
-        selected_email_id: selected_email.id,
+        selected_email_id: selected_email_id,
       )
     end
 
+    context ' with all_emails and emails requested' do
+      let(:verified_attributes) { %w[email all_emails] }
+
+      it 'returns nil' do
+        response
+
+        identity.reload
+        expect(identity.email_address_id).to eq(nil)
+      end
+    end
+
+    context ' with all_emails requested' do
+      let(:verified_attributes) { %w[all_emails] }
+
+      it 'returns nil' do
+        response
+
+        identity.reload
+        expect(identity.email_address_id).to eq(nil)
+      end
+    end
+
     context 'with invalid submission' do
       let(:params) { super().merge(select_email_form: { selected_email_id: '' }) }
 
@@ -133,7 +165,7 @@
 
     context 'signed out' do
       let(:other_user) { create(:user, identities: [create(:service_provider_identity, :active)]) }
-      let(:selected_email) { other_user.confirmed_email_addresses.sample }
+      let(:selected_email_id) { other_user.confirmed_email_addresses.sample.id }
       let(:identity_id) { other_user.identities.take.id }
       let(:user) { nil }
 

diff --git a/spec/controllers/sign_up/select_email_controller_spec.rb b/spec/controllers/sign_up/select_email_controller_spec.rb
@@ -2,11 +2,15 @@
 
 RSpec.describe SignUp::SelectEmailController do
   let(:user) { create(:user, :with_multiple_emails) }
-  let(:sp) { create(:service_provider) }
+  let(:sp) do
+    create(:service_provider)
+  end
+  let(:sp_session) { { requested_attributes: %w[email] } }
 
   before do
     stub_sign_in(user)
     allow(controller).to receive(:current_sp).and_return(sp)
+    allow(controller).to receive(:sp_session).and_return(sp_session)
     allow(controller).to receive(:needs_completion_screen_reason).and_return(:new_attributes)
   end
 
@@ -75,8 +79,8 @@
   end
 
   describe '#create' do
-    let(:selected_email) { user.confirmed_email_addresses.sample }
-    let(:params) { { select_email_form: { selected_email_id: selected_email.id } } }
+    let(:selected_email_id) { user.confirmed_email_addresses.sample.id }
+    let(:params) { { select_email_form: { selected_email_id: selected_email_id } } }
 
     subject(:response) { post :create, params: params }
 
@@ -85,7 +89,7 @@
 
       expect(
         controller.user_session[:selected_email_id_for_linked_identity],
-      ).to eq(selected_email.id.to_s)
+      ).to eq(selected_email_id.to_s)
     end
 
     it 'logs analytics event' do
@@ -97,13 +101,36 @@
         :sp_select_email_submitted,
         success: true,
         needs_completion_screen_reason: :new_attributes,
-        selected_email_id: selected_email.id,
+        selected_email_id: selected_email_id,
       )
     end
 
+    context ' with all_email and emails requested for SP' do
+      let(:sp_session) { { requested_attributes: %w[email all_emails] } }
+
+      it 'returns nil' do
+        response
+
+        expect(
+          controller.user_session[:selected_email_id_for_linked_identity],
+        ).to eq(nil)
+      end
+    end
+
+    context ' with all_emails requested for SP' do
+      let(:sp_session) { { requested_attributes: %w[all_emails] } }
+      it 'returns nil' do
+        response
+
+        expect(
+          controller.user_session[:selected_email_id_for_linked_identity],
+        ).to eq(nil)
+      end
+    end
+
     context 'with a corrupted email selected_email_id form' do
       let(:other_user) { create(:user) }
-      let(:selected_email) { other_user.confirmed_email_addresses.sample }
+      let(:selected_email_id) { other_user.confirmed_email_addresses.sample.id }
 
       it 'rejects email not belonging to the user' do
         expect(response).to redirect_to(sign_up_select_email_path)
@@ -122,7 +149,7 @@
           success: false,
           error_details: { selected_email_id: { not_found: true } },
           needs_completion_screen_reason: :new_attributes,
-          selected_email_id: selected_email.id,
+          selected_email_id: selected_email_id,
         )
       end
     end

diff --git a/spec/features/account_connected_apps_spec.rb b/spec/features/account_connected_apps_spec.rb
@@ -3,6 +3,8 @@
 RSpec.describe 'Account connected applications' do
   include NavigationHelper
 
+  let(:verified_attributes) { %w[email] }
+
   let(:user) do
     create(
       :user,
@@ -18,6 +20,7 @@
       user: user,
       created_at: Time.zone.now - 80.days,
       service_provider: 'http://localhost:3000',
+      verified_attributes: verified_attributes,
     )
   end
   let(:identity_without_link) do

diff --git a/spec/models/service_provider_identity_spec.rb b/spec/models/service_provider_identity_spec.rb
@@ -200,9 +200,18 @@
         last_sign_in_at: 1.hour.ago,
       )
     end
+    let(:verified_attributes) { %w[email] }
+
+    let(:service_provider) { create(:service_provider) }
 
     let(:identity) do
-      create(:service_provider_identity, user: user, session_uuid: SecureRandom.uuid)
+      create(
+        :service_provider_identity,
+        user: user,
+        session_uuid: SecureRandom.uuid,
+        service_provider: service_provider.issuer,
+        verified_attributes: verified_attributes,
+      )
     end
 
     context 'when email sharing feature is enabled' do
@@ -211,7 +220,7 @@
           .and_return(true)
       end
 
-      context 'when an email address for sharing has been set' do
+      context 'when an email address is set and service provider has email attribute' do
         before do
           identity.email_address = shared_email_address
         end
@@ -221,7 +230,31 @@
         end
       end
 
-      context 'when an email address for sharing has not been set' do
+      context 'when service provider has both email and all_emails attribute' do
+        let(:verified_attributes) { %w[email all_emails] }
+
+        before do
+          identity.email_address = shared_email_address
+        end
+
+        it 'returns the last sign in email' do
+          expect(identity.email_address_for_sharing).to eq(last_login_email_address)
+        end
+      end
+
+      context 'when service provider has no email attributes' do
+        let(:verified_attributes) { %w[first_name last_name] }
+
+        before do
+          identity.email_address = shared_email_address
+        end
+
+        it 'returns the last sign in email' do
+          expect(identity.email_address_for_sharing).to eq(last_login_email_address)
+        end
+      end
+
+      context 'when an email address for sharing has not been set and email is set' do
         before do
           identity.email_address = nil
         end