updated comments to reflect tests; made logic more readable in needs_identity_verification

src/djangooidc/tests/test_views.py

@@ -99,7 +99,10 @@ class ViewsTest(TestCase):
         ) as mock_create_authn_request:
             login_callback(request)
 
-        # Assert that get_step_up_acr_value was called and session was updated
+        # create_authn_request only gets called when requires_step_up_auth is True
+        # and it changes this acr_value in request.session
+
+        # Assert that acr_value is no longer empty string
         self.assertNotEqual(request.session["acr_value"], "")
         # And create_authn_request was called again
         mock_create_authn_request.assert_called_once()
@@ -120,9 +123,12 @@ class ViewsTest(TestCase):
         ) as mock_create_authn_request:
             login_callback(request)
 
-        # Assert that get_step_up_acr_value was NOT called and session was NOT updated
+        # create_authn_request only gets called when requires_step_up_auth is True
+        # and it changes this acr_value in request.session
+
+        # Assert that acr_value is NOT updated by testing that it is still an empty string
         self.assertEqual(request.session["acr_value"], "")
-        # create_authn_request was not called
+        # Assert create_authn_request was not called
         mock_create_authn_request.assert_not_called()
 
     @patch("djangooidc.views.authenticate")

src/djangooidc/views.py

@@ -92,7 +92,14 @@ def requires_step_up_auth(userinfo):
     acr_value = userinfo.get("ial", "")
     uuid = userinfo.get("sub", "")
     email = userinfo.get("email", "")
-    return User.needs_identity_verification(email, uuid) and acr_value != step_up_acr_value
+    if acr_value != step_up_acr_value:
+        # The acr of this attempt is not at the highest level
+        # so check if the user needs the higher level
+        return User.needs_identity_verification(email, uuid)
+    else:
+        # This attempt already came back at the highest level
+        # so does not require step up
+        return False
 
 
 def logout(request, next_page=None):

src/registrar/models/user.py

@@ -91,7 +91,7 @@ class User(AbstractUser):
 
         # A new incoming user who is being invited to be a domain manager (that is,
         # their email address is in DomainInvitation for an invitation that is not yet "retrieved").
-        if DomainInvitation.objects.filter(email=email, status=DomainInvitation.INVITED):
+        if DomainInvitation.objects.filter(email=email, status=DomainInvitation.INVITED).exists():
             return False
 
         return True

src/registrar/tests/test_models.py

@@ -623,7 +623,6 @@ class TestUser(TestCase):
         TransitionDomain.objects.all().delete()
         User.objects.all().delete()
         UserDomainRole.objects.all().delete()
-        TransitionDomain.objects.get_or_create(username="mayor@igorville.gov", domain_name=self.domain_name)
 
     def test_check_transition_domains_without_domains_on_login(self):
         """A user's on_each_login callback does not check transition domains.