Merge pull request #19464 from opf/bug/65535-actioncontroller-urlgenerationerror-in-accountcontroller-consent

robustness on calling account/consent outside of login process

app/controllers/concerns/accounts/user_consent.rb

@@ -30,10 +30,17 @@
 # Intended to be used by the AccountController to implement the user consent
 # check.
 module Accounts::UserConsent
+  extend ActiveSupport::Concern
+
   include ::UserConsentHelper
 
+  included do
+    before_action :require_consenting_user,
+                  only: %i[consent confirm_consent]
+  end
+
   def consent
-    if user_consent_required? && consenting_user&.consent_expired?
+    if user_consent_required? && consenting_user.consent_expired?
       render "account/consent"
     else
       consent_finished
@@ -41,10 +48,8 @@ module Accounts::UserConsent
   end
 
   def confirm_consent
-    user = consenting_user
-
-    if user.present? && consent_param?
-      approve_consent!(user)
+    if consent_param?
+      approve_consent!(consenting_user)
     else
       reject_consent!
     end
@@ -63,8 +68,14 @@ module Accounts::UserConsent
     redirect_to authentication_stage_failure_path :consent
   end
 
+  private
+
+  def require_consenting_user
+    reject_consent! unless consenting_user
+  end
+
   def consenting_user
-    User.find_by id: session[:authenticated_user_id]
+    @consenting_user ||= User.find_by id: session[:authenticated_user_id]
   end
 
   def approve_consent!(user)

spec/features/auth/consent_auth_stage_spec.rb

@@ -270,4 +270,13 @@ RSpec.describe "Authentication Stages" do
       end
     end
   end
+
+  context "when calling the consent page outside of the login process" do
+    it "redirects to the login page" do
+      visit "account/consent"
+
+      expect_flash message: "Consent failed, cannot proceed.", type: :error
+      expect(page).to have_current_path "/login"
+    end
+  end
 end