feat: update session to handle one or more returned claims

benefits/core/session.py

@@ -26,7 +26,7 @@
 _ENROLLMENT_EXP = "enrollment_expiry"
 _FLOW = "flow"
 _LANG = "lang"
-_OAUTH_CLAIM = "oauth_claim"
+_OAUTH_CLAIMS = "oauth_claims"
 _OAUTH_TOKEN = "oauth_token"
 _ORIGIN = "origin"
 _START = "start"
@@ -60,7 +60,7 @@ def context_dict(request):
         _ENROLLMENT_TOKEN_EXP: enrollment_token_expiry(request),
         _LANG: language(request),
         _OAUTH_TOKEN: oauth_token(request),
-        _OAUTH_CLAIM: oauth_claim(request),
+        _OAUTH_CLAIMS: oauth_claims(request),
         _ORIGIN: origin(request),
         _START: start(request),
         _UID: uid(request),
@@ -148,17 +148,17 @@ def logged_in(request):
 
 def logout(request):
     """Reset the session claims and tokens."""
-    update(request, oauth_claim=False, oauth_token=False, enrollment_token=False)
+    update(request, oauth_claims=[], oauth_token=False, enrollment_token=False)
 
 
 def oauth_token(request):
     """Get the oauth token from the request's session, or None"""
     return request.session.get(_OAUTH_TOKEN)
 
 
-def oauth_claim(request):
+def oauth_claims(request):
     """Get the oauth claim from the request's session, or None"""
-    return request.session.get(_OAUTH_CLAIM)
+    return request.session.get(_OAUTH_CLAIMS)
 
 
 def origin(request):
@@ -177,7 +177,7 @@ def reset(request):
     request.session[_ENROLLMENT_TOKEN] = None
     request.session[_ENROLLMENT_TOKEN_EXP] = None
     request.session[_OAUTH_TOKEN] = None
-    request.session[_OAUTH_CLAIM] = None
+    request.session[_OAUTH_CLAIMS] = None
 
     if _UID not in request.session or not request.session[_UID]:
         logger.debug("Reset session time and uid")
@@ -236,7 +236,7 @@ def update(
     enrollment_token=None,
     enrollment_token_exp=None,
     oauth_token=None,
-    oauth_claim=None,
+    oauth_claims=None,
     origin=None,
 ):
     """Update the request's session with non-null values."""
@@ -260,8 +260,8 @@ def update(
         request.session[_ENROLLMENT_TOKEN_EXP] = enrollment_token_exp
     if oauth_token is not None:
         request.session[_OAUTH_TOKEN] = oauth_token
-    if oauth_claim is not None:
-        request.session[_OAUTH_CLAIM] = oauth_claim
+    if oauth_claims is not None:
+        request.session[_OAUTH_CLAIMS] = oauth_claims
     if origin is not None:
         request.session[_ORIGIN] = origin
     if flow is not None and isinstance(flow, models.EnrollmentFlow):

benefits/eligibility/views.py

@@ -85,7 +85,7 @@ def confirm(request):
     if request.method == "GET" and flow.uses_claims_verification:
         analytics.started_eligibility(request, flow)
 
-        is_verified = verify.eligibility_from_oauth(flow, session.oauth_claim(request), agency)
+        is_verified = verify.eligibility_from_oauth(flow, session.oauth_claims(request), agency)
 
         if is_verified:
             return verified(request)

tests/pytest/core/test_session.py

@@ -199,16 +199,16 @@ def test_logged_in_True(app_request):
 
 @pytest.mark.django_db
 def test_logout(app_request):
-    session.update(app_request, oauth_claim="oauth_claim", oauth_token="oauth_token", enrollment_token="enrollment_token")
+    session.update(app_request, oauth_claims=["oauth_claim"], oauth_token="oauth_token", enrollment_token="enrollment_token")
     assert session.logged_in(app_request)
-    assert session.oauth_claim(app_request)
+    assert session.oauth_claims(app_request)
 
     session.logout(app_request)
 
     assert not session.logged_in(app_request)
     assert not session.enrollment_token(app_request)
     assert not session.oauth_token(app_request)
-    assert not session.oauth_claim(app_request)
+    assert not session.oauth_claims(app_request)
 
 
 @pytest.mark.django_db
@@ -269,12 +269,12 @@ def test_reset_enrollment(app_request):
 @pytest.mark.django_db
 def test_reset_oauth(app_request):
     app_request.session[session._OAUTH_TOKEN] = "oauthtoken456"
-    app_request.session[session._OAUTH_CLAIM] = "claim"
+    app_request.session[session._OAUTH_CLAIMS] = ["claim"]
 
     session.reset(app_request)
 
     assert session.oauth_token(app_request) is None
-    assert session.oauth_claim(app_request) is None
+    assert session.oauth_claims(app_request) is None
 
 
 @pytest.mark.django_db

tests/pytest/oauth/test_views.py

@@ -213,11 +213,18 @@ def test_authorize_empty_token(
 
 
 @pytest.mark.django_db
-@pytest.mark.usefixtures("mocked_session_flow_uses_claims_verification")
-def test_authorize_success(mocked_oauth_client_or_error_redirect__client, mocked_analytics_module, app_request):
+def test_authorize_success(
+    mocked_session_flow_uses_claims_verification,
+    mocked_oauth_client_or_error_redirect__client,
+    mocked_analytics_module,
+    app_request,
+):
     mocked_oauth_client = mocked_oauth_client_or_error_redirect__client.return_value
     mocked_oauth_client.authorize_access_token.return_value = {"id_token": "token"}
 
+    flow = mocked_session_flow_uses_claims_verification.return_value
+    flow.claims_extra_claims = ""
+
     result = authorize(app_request)
 
     mocked_oauth_client.authorize_access_token.assert_called_with(app_request)
@@ -234,14 +241,14 @@ def test_authorize_success_with_claim_true(
     app_request, mocked_session_flow_uses_claims_verification, mocked_oauth_client_or_error_redirect__client
 ):
     flow = mocked_session_flow_uses_claims_verification.return_value
-    flow.claims_claim = "claim"
+    flow.claims_extra_claims = ""
     mocked_oauth_client = mocked_oauth_client_or_error_redirect__client.return_value
     mocked_oauth_client.authorize_access_token.return_value = {"id_token": "token", "userinfo": {"claim": "1"}}
 
     result = authorize(app_request)
 
     mocked_oauth_client.authorize_access_token.assert_called_with(app_request)
-    assert session.oauth_claim(app_request) == "claim"
+    assert session.oauth_claims(app_request) == ["claim"]
     assert result.status_code == 302
     assert result.url == reverse(routes.ELIGIBILITY_CONFIRM)
 
@@ -252,14 +259,14 @@ def test_authorize_success_with_claim_false(
     app_request, mocked_session_flow_uses_claims_verification, mocked_oauth_client_or_error_redirect__client
 ):
     flow = mocked_session_flow_uses_claims_verification.return_value
-    flow.claims_claim = "claim"
+    flow.claims_extra_claims = ""
     mocked_oauth_client = mocked_oauth_client_or_error_redirect__client.return_value
     mocked_oauth_client.authorize_access_token.return_value = {"id_token": "token", "userinfo": {"claim": "0"}}
 
     result = authorize(app_request)
 
     mocked_oauth_client.authorize_access_token.assert_called_with(app_request)
-    assert session.oauth_claim(app_request) is None
+    assert session.oauth_claims(app_request) == []
     assert result.status_code == 302
     assert result.url == reverse(routes.ELIGIBILITY_CONFIRM)
 
@@ -272,15 +279,15 @@ def test_authorize_success_with_claim_error(
     mocked_analytics_module,
 ):
     flow = mocked_session_flow_uses_claims_verification.return_value
-    flow.claims_claim = "claim"
+    flow.claims_extra_claims = ""
     mocked_oauth_client = mocked_oauth_client_or_error_redirect__client.return_value
     mocked_oauth_client.authorize_access_token.return_value = {"id_token": "token", "userinfo": {"claim": "10"}}
 
     result = authorize(app_request)
 
     mocked_oauth_client.authorize_access_token.assert_called_with(app_request)
     mocked_analytics_module.finished_sign_in.assert_called_with(app_request, error=10)
-    assert session.oauth_claim(app_request) is None
+    assert session.oauth_claims(app_request) == []
     assert result.status_code == 302
     assert result.url == reverse(routes.ELIGIBILITY_CONFIRM)
 
@@ -301,14 +308,15 @@ def test_authorize_success_without_claim_in_response(
     access_token_response,
 ):
     flow = mocked_session_flow_uses_claims_verification.return_value
-    flow.claims_claim = "claim"
+    flow.claims_eligibility_claim = "claim"
+    flow.claims_extra_claims = ""
     mocked_oauth_client = mocked_oauth_client_or_error_redirect__client.return_value
     mocked_oauth_client.authorize_access_token.return_value = access_token_response
 
     result = authorize(app_request)
 
     mocked_oauth_client.authorize_access_token.assert_called_with(app_request)
-    assert session.oauth_claim(app_request) is None
+    assert session.oauth_claims(app_request) == []
     assert result.status_code == 302
     assert result.url == reverse(routes.ELIGIBILITY_CONFIRM)
 
@@ -374,7 +382,7 @@ def test_logout(app_request, mocker, mocked_oauth_client_or_error_redirect__clie
     assert not session.logged_in(app_request)
     assert session.enrollment_token(app_request) is False
     assert session.oauth_token(app_request) is False
-    assert session.oauth_claim(app_request) is False
+    assert session.oauth_claims(app_request) == []
 
 
 @pytest.mark.django_db