Rescue errors parsing voice OTP encrypted code

**Why**: If someone tries to make a request with a bogus encrypted code, it should not cause the app to blow up with a 500 error.
18F · Mar 3, 2018 · 01c50e6 · 01c50e6
1 parent 9dc9f1f
commit 01c50e6
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/app/controllers/voice/otp_controller.rb b/app/controllers/voice/otp_controller.rb
@@ -24,6 +24,8 @@ def code
       return if encrypted_code.blank?
 
       cipher.decrypt(encrypted_code)
+    rescue StandardError
+      nil
     end
 
     def message

diff --git a/spec/controllers/voice/otp_controller_spec.rb b/spec/controllers/voice/otp_controller_spec.rb
@@ -22,6 +22,17 @@
       end
     end
 
+    context 'with an invalid encrypted_code in the URL' do
+      let(:encrypted_code) { '%25' }
+
+      it 'renders a blank 400' do
+        action
+
+        expect(response).to be_bad_request
+        expect(response.body).to be_empty
+      end
+    end
+
     context 'with an encrypted_code in the URL' do
       render_views