Skip start page, redirect users to ID

Skips the start page by emulating the same request made by
the start button in the appropriate controller action.
Redirects users to the location returned by the OmniAuth request phase call to the identity service.
Checks that this redirect location is a valid identity service URL.
Renders the existing start page if Faraday encounters an error when making
the call.

app/controllers/qualifications/starts_controller.rb

@@ -2,8 +2,47 @@ module Qualifications
   class StartsController < QualificationsInterfaceController
     skip_before_action :authenticate_user!
     skip_before_action :handle_expired_token!
+    around_action :skip_omniauth_request_validation_phase, only: :show
 
     def show
+      @identity_service_response = Faraday.post(identity_service_auth_url)
+      redirect_to_identity_service and return if redirect_present?
+    rescue Faraday::Error
+      render :show
+    end
+
+  private
+
+    attr_reader :identity_service_response
+
+    # Check that the response headers contain a redirect to the identity service
+    def redirect_present?
+      identity_service_response.status == 302 &&
+        identity_service_response.headers["location"]&.starts_with?(identity_api_domain)
+    end
+
+    def redirect_to_identity_service
+      redirect_to(identity_service_response.headers["location"], allow_other_host: true)
+    end
+
+    def identity_service_auth_url
+      %(#{ENV["HOSTING_DOMAIN"]}/qualifications/users/auth/identity?trn_token=#{params[:trn_token]})
+    end
+
+    # OmniAuth will default to validating the request using CSRF protection
+    # which is necessary when the request is sent from a browser.
+    # In this case, the request is sent from an action with limited parameters
+    # so CSRF protection is not necessary.
+    def skip_omniauth_request_validation_phase
+      request_validation_phase = OmniAuth.config.request_validation_phase
+      OmniAuth.config.request_validation_phase = nil
+      yield
+    ensure
+      OmniAuth.config.request_validation_phase = request_validation_phase
+    end
+
+    def identity_api_domain
+      ENV["IDENTITY_API_DOMAIN"]
     end
   end
 end

spec/rails_helper.rb

@@ -14,7 +14,7 @@
 require "dfe/analytics/testing"
 require "dfe/analytics/rspec/matchers"
 
-WebMock.disable_net_connect!(allow_localhost: true)
+WebMock.disable_net_connect!(allow_localhost: true, allow: "http://qualifications.localhost")
 
 Capybara.register_driver(:cuprite) do |app|
   Capybara::Cuprite::Driver.new(app, timeout: 10, process_timeout: 30, window_size: [1200, 800])

spec/system/qualifications/skip_start_spec.rb

@@ -0,0 +1,39 @@
+require "rails_helper"
+
+RSpec.feature "Skipping the qualifications start page", type: :system do
+  include CommonSteps
+
+  scenario "when a user visits the start page path", test: :with_stubbed_auth do
+    given_the_service_is_open
+    and_omniauth_request_phase_provides_a_valid_redirect
+
+    when_i_visit_the_qualifications_start_page
+    then_i_am_redirected_to_the_identity_service
+  end
+
+  private
+
+  def and_omniauth_request_phase_provides_a_valid_redirect
+    allow_any_instance_of(Qualifications::StartsController)
+      .to receive(:identity_api_domain).and_return("http://www.example.com")
+
+    stub_request(:post, identity_service_auth_url)
+      .to_return(status: 302, headers: { "location" => fake_identity_service_location })
+  end
+
+  def when_i_visit_the_qualifications_start_page
+    visit qualifications_start_path
+  end
+
+  def then_i_am_redirected_to_the_identity_service
+    expect(page).to have_current_path(fake_identity_service_location)
+  end
+
+  def identity_service_auth_url
+    %(#{ENV["HOSTING_DOMAIN"]}/qualifications/users/auth/identity?trn_token=)
+  end
+
+  def fake_identity_service_location
+    "http://www.example.com/fake-identity-service"
+  end
+end