LG-15362 Bug fix: Limit query for timeframe expired event (#11696)

* changelog: Bug Fixes, Fraud prevention, limit query for timeframe expired event * limit event query to maximum session timeframe * add spec --------- Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov>
18F · Jan 7, 2025 · 304493b · 304493b
1 parent e62a7b2
commit 304493b
Showing 1 changed file with 8 additions and 3 deletions.
diff --git a/app/controllers/concerns/two_factor_authenticatable_methods.rb b/app/controllers/concerns/two_factor_authenticatable_methods.rb
@@ -106,9 +106,14 @@ def sign_in_notification_timeframe_expired_event
     return @sign_in_notification_timeframe_expired_event if defined?(
       @sign_in_notification_timeframe_expired_event
     )
-    @sign_in_notification_timeframe_expired_event = current_user.events.where(
-      event_type: 'sign_in_notification_timeframe_expired',
-    ).order(created_at: :desc).limit(1).take
+    @sign_in_notification_timeframe_expired_event = current_user.events
+      .where(
+        event_type: 'sign_in_notification_timeframe_expired',
+        created_at: (IdentityConfig.store.session_total_duration_timeout_in_minutes.minutes.ago..),
+      )
+      .order(created_at: :desc)
+      .limit(1)
+      .take
   end
 
   def handle_remember_device_preference(remember_device_preference)