Use #last_sign_in_email_address where appropriate

app/controllers/idv/forgot_password_controller.rb

@@ -15,7 +15,7 @@ def new
     def update
       analytics.idv_forgot_password_confirmed
       request_id = sp_session[:request_id]
-      email = current_user.confirmed_email_addresses.first.email
+      email = current_user.last_sign_in_email_address.email
       reset_password(email, request_id)
     end
 

app/jobs/resolution_proofing_job.rb

@@ -130,7 +130,7 @@ def make_vendor_proofing_requests(
   end
 
   def user_email_for_proofing(user)
-    user.confirmed_email_addresses.first.email
+    user.last_sign_in_email_address.email
   end
 
   def log_threatmetrix_info(threatmetrix_result, user)

app/models/user.rb

@@ -65,7 +65,7 @@ class User < ApplicationRecord
   attr_accessor :asserted_attributes, :email
 
   def confirmed_email_addresses
-    email_addresses.confirmed.order('last_sign_in_at DESC NULLS LAST')
+    email_addresses.confirmed
   end
 
   def fully_registered?

app/views/users/webauthn_setup/new.html.erb

@@ -27,7 +27,7 @@
       },
     ) do |f| %>
   <%= hidden_field_tag :user_id, current_user.id, id: 'user_id' %>
-  <%= hidden_field_tag :user_email, current_user.confirmed_email_addresses.first.email, id: 'user_email' %>
+  <%= hidden_field_tag :user_email, current_user.last_sign_in_email_address.email, id: 'user_email' %>
   <%= hidden_field_tag :user_challenge, user_session[:webauthn_challenge].to_json, id: 'user_challenge' %>
   <%= hidden_field_tag :exclude_credentials, @exclude_credentials&.join(','), id: 'exclude_credentials' %>
   <%= hidden_field_tag :webauthn_id, '', id: 'webauthn_id' %>

spec/controllers/idv/by_mail/enter_code_controller_spec.rb

@@ -289,7 +289,7 @@
           it 'does not send the "Please Call" email' do
             action
             expect_email_not_delivered(
-              to: user.confirmed_email_addresses.first.email,
+              to: user.last_sign_in_email_address.email,
               subject: t('user_mailer.idv_please_call.subject', app_name: APP_NAME),
             )
           end
@@ -335,7 +335,7 @@
           it 'sends the "Please Call" email' do
             action
             expect_delivered_email(
-              to: user.confirmed_email_addresses.first.email,
+              to: user.last_sign_in_email_address.email,
               subject: t('user_mailer.idv_please_call.subject', app_name: APP_NAME),
             )
           end

spec/controllers/idv/enter_password_controller_spec.rb

@@ -416,7 +416,7 @@ def show
         it 'sends the idv_please_call email' do
           put :create, params: { user: { password: ControllerHelper::VALID_PASSWORD } }
           expect_delivered_email(
-            to: user.confirmed_email_addresses.first.email,
+            to: user.last_sign_in_email_address.email,
             subject: t('user_mailer.idv_please_call.subject', app_name: APP_NAME),
           )
         end

spec/features/multiple_emails/email_management_spec.rb

@@ -40,7 +40,7 @@
   context 'allows deletion of email address' do
     it 'does not allow last confirmed email to be deleted' do
       user = create(:user, :fully_registered, email: '[email protected] ')
-      confirmed_email = user.confirmed_email_addresses.first
+      confirmed_email = user.last_sign_in_email_address
       unconfirmed_email = create(:email_address, user: user, confirmed_at: nil)
       user.email_addresses.reload
 
@@ -56,7 +56,7 @@
 
     it 'Allows delete when more than one confirmed email exists' do
       user = create(:user, :fully_registered, email: '[email protected] ')
-      confirmed_email1 = user.confirmed_email_addresses.first
+      confirmed_email1 = user.last_sign_in_email_address
       confirmed_email2 = create(
         :email_address, user: user,
                         confirmed_at: Time.zone.now
@@ -74,7 +74,7 @@
 
     it 'sends notification to all confirmed emails when email address is deleted' do
       user = create(:user, :fully_registered, email: '[email protected] ')
-      confirmed_email1 = user.confirmed_email_addresses.first
+      confirmed_email1 = user.last_sign_in_email_address
       confirmed_email2 = create(:email_address, user: user, confirmed_at: Time.zone.now)
 
       sign_in_and_2fa_user(user)

spec/features/sp_cost_tracking_spec.rb

@@ -45,7 +45,7 @@
     user.active_profile.update!(verified_at: 60.days.ago)
 
     visit_idp_from_sp_with_ial2(:oidc, verified_within: '45d')
-    fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, password)
+    fill_in_credentials_and_submit(user.last_sign_in_email_address.email, password)
     fill_in_code_with_last_totp(user)
     click_submit_default
     complete_all_doc_auth_steps_before_password_step

spec/features/two_factor_authentication/sign_in_spec.rb

@@ -92,7 +92,7 @@
 
       scenario 'allows a user to recreate their account after account reset' do
         sign_in_before_2fa(user)
-        email = user.confirmed_email_addresses.first.email
+        email = user.last_sign_in_email_address.email
 
         expect(page).to have_content(t('two_factor_authentication.opt_in.title'))
 

spec/features/users/sign_in_spec.rb

@@ -406,15 +406,15 @@
         create(:user, :fully_registered, email: email, password: password)
 
         user = User.find_with_email(email)
-        encrypted_email = user.confirmed_email_addresses.first.encrypted_email
+        encrypted_email = user.last_sign_in_email_address.encrypted_email
 
         rotate_attribute_encryption_key_with_invalid_queue
 
         expect { signin(email, password) }
           .to raise_error Encryption::EncryptionError, 'unable to decrypt attribute with any key'
 
         user = user.reload
-        expect(user.confirmed_email_addresses.first.encrypted_email).to eq encrypted_email
+        expect(user.last_sign_in_email_address.encrypted_email).to eq encrypted_email
       end
     end
 
@@ -426,14 +426,14 @@
         create(:user, :fully_registered, email: email, password: password)
 
         user = User.find_with_email(email)
-        encrypted_email = user.confirmed_email_addresses.first.encrypted_email
+        encrypted_email = user.last_sign_in_email_address.encrypted_email
 
         rotate_attribute_encryption_key_with_invalid_queue
 
         sign_in_user_with_piv(user)
 
         user = user.reload
-        expect(user.confirmed_email_addresses.first.encrypted_email).to eq encrypted_email
+        expect(user.last_sign_in_email_address.encrypted_email).to eq encrypted_email
       end
     end
   end

spec/jobs/get_usps_proofing_results_job_spec.rb

@@ -130,7 +130,7 @@
           )
           allow(UserMailer).to receive(:with).with(
             user: enrollment.user,
-            email_address: enrollment.user.confirmed_email_addresses.first,
+            email_address: enrollment.user.last_sign_in_email_address,
           ).and_return(user_mailer)
           allow(mail_deliverer).to receive(:deliver_later)
           allow(InPerson::SendProofingNotificationJob).to receive(:set).and_return(
@@ -366,7 +366,7 @@
                       )
                       allow(UserMailer).to receive(:with).with(
                         user: enrollment.user,
-                        email_address: enrollment.user.confirmed_email_addresses.first,
+                        email_address: enrollment.user.last_sign_in_email_address,
                       ).and_raise(StandardError)
                       subject.perform(current_time)
                     end

spec/services/user_alerts/alert_user_about_account_verified_spec.rb

@@ -36,7 +36,7 @@
         described_class.call(profile: profile)
 
         expect_delivered_email(
-          to: [user.confirmed_email_addresses.first.email],
+          to: [user.last_sign_in_email_address.email],
           subject: t('user_mailer.account_verified.subject', app_name: APP_NAME),
           body: [
             'http://www.example.com/redirect/return_to_sp/account_verified_cta',
@@ -71,7 +71,7 @@
         described_class.call(profile: profile)
 
         expect_delivered_email(
-          to: [user.confirmed_email_addresses.first.email],
+          to: [user.last_sign_in_email_address.email],
           subject: t('user_mailer.account_verified.subject', app_name: APP_NAME),
           body: ['http://example.com'],
         )

spec/support/features/session_helper.rb

@@ -537,7 +537,7 @@ def skip_second_mfa_prompt
     end
 
     def sign_in_via_branded_page(user)
-      fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, user.password)
+      fill_in_credentials_and_submit(user.last_sign_in_email_address.email, user.password)
       fill_in_code_with_last_phone_otp
       click_submit_default
     end

spec/support/idv_examples/sp_handoff.rb

@@ -145,7 +145,7 @@ def expect_successful_oidc_handoff
       expect(decoded_id_token[:aud]).to eq(@client_id)
       expect(decoded_id_token[:acr]).to eq(Saml::Idp::Constants::IAL_VERIFIED_ACR)
       expect(decoded_id_token[:iss]).to eq(root_url)
-      expect(decoded_id_token[:email]).to eq(user.confirmed_email_addresses.first.email)
+      expect(decoded_id_token[:email]).to eq(user.last_sign_in_email_address.email)
       expect(decoded_id_token[:given_name]).to eq('FAKEY')
       expect(decoded_id_token[:social_security_number]).to eq(DocAuthHelper::GOOD_SSN)
 
@@ -159,7 +159,7 @@ def expect_successful_oidc_handoff
       userinfo_response = JSON.parse(page.body).with_indifferent_access
       expect(userinfo_response[:sub]).to eq(sub)
       expect(AgencyIdentity.where(user_id: user.id, agency_id: 2).first.uuid).to eq(sub)
-      expect(userinfo_response[:email]).to eq(user.confirmed_email_addresses.first.email)
+      expect(userinfo_response[:email]).to eq(user.last_sign_in_email_address.email)
       expect(userinfo_response[:given_name]).to eq('FAKEY')
       expect(userinfo_response[:social_security_number]).to eq(DocAuthHelper::GOOD_SSN)
     end

spec/support/shared_examples/phone/rate_limiting.rb

@@ -89,7 +89,7 @@ def expect_user_to_be_rate_limitted
 
     visit root_path
     signin(
-      user.confirmed_email_addresses.first.email,
+      user.last_sign_in_email_address.email,
       user.password || Features::SessionHelper::VALID_PASSWORD,
     )
 
@@ -101,7 +101,7 @@ def expect_rate_limiting_to_expire
       visit root_path
 
       signin(
-        user.confirmed_email_addresses.first.email,
+        user.last_sign_in_email_address.email,
         user.password || Features::SessionHelper::VALID_PASSWORD,
       )
 

spec/support/shared_examples/sign_in.rb

@@ -130,12 +130,12 @@
 
     old_personal_key = PersonalKeyGenerator.new(user).generate!
     visit_idp_from_sp_with_ial1(sp)
-    trigger_reset_password_and_click_email_link(user.confirmed_email_addresses.first.email)
+    trigger_reset_password_and_click_email_link(user.last_sign_in_email_address.email)
     fill_in t('forms.passwords.edit.labels.password'), with: new_password
     fill_in t('components.password_confirmation.confirm_label'),
             with: new_password
     click_button t('forms.passwords.edit.buttons.submit')
-    fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, new_password)
+    fill_in_credentials_and_submit(user.last_sign_in_email_address.email, new_password)
     choose_another_security_option('personal_key')
     enter_personal_key(personal_key: old_personal_key)
     click_submit_default
@@ -392,7 +392,7 @@ def ial1_sign_in_with_personal_key_goes_to_sp(sp)
   Capybara.reset_sessions!
 
   visit_idp_from_sp_with_ial1(sp)
-  fill_in_credentials_and_submit(user.confirmed_email_addresses.first.email, 'Val!d Pass w0rd')
+  fill_in_credentials_and_submit(user.last_sign_in_email_address.email, 'Val!d Pass w0rd')
   choose_another_security_option('personal_key')
   enter_personal_key(personal_key: old_personal_key)
   click_submit_default