To you!

app/controllers/waste_carriers_engine/address_forms_controller.rb

@@ -3,7 +3,7 @@
 module WasteCarriersEngine
   class AddressFormsController < FormsController
     def skip_to_manual_address
-      find_or_initialize_transient_registration(params[:reg_identifier])
+      find_or_initialize_transient_registration(params[:token])
 
       @transient_registration.skip_to_manual_address! if form_matches_state?
       redirect_to_correct_form

app/controllers/waste_carriers_engine/bank_transfer_forms_controller.rb

@@ -17,11 +17,5 @@ def create
     def set_up_finance_details
       @transient_registration.prepare_for_payment(:bank_transfer, current_user)
     end
-
-    def transient_registration_attributes
-      # TODO: Remvoe when default empty params
-      # Nothing to submit
-      params.fetch(:bank_transfer_form).permit
-    end
   end
 end

app/controllers/waste_carriers_engine/business_type_forms_controller.rb

@@ -13,7 +13,7 @@ def create
     private
 
     def transient_registration_attributes
-      params.fetch(:business_type_form, {}).permit(:business_type, :reg_identifier)
+      params.fetch(:business_type_form, {}).permit(:business_type, :token)
     end
   end
 end

app/controllers/waste_carriers_engine/copy_cards_payment_forms_controller.rb

@@ -1,7 +1,9 @@
 # frozen_string_literal: true
 
 module WasteCarriersEngine
-  class CopyCardsPaymentFormsController < BaseOrderCopyCardsFormsController
+  class CopyCardsPaymentFormsController < FormsController
+    include OrderCopyCardsPermissionChecks
+
     def new
       super(CopyCardsPaymentForm, "copy_cards_payment_form")
     end

app/controllers/waste_carriers_engine/forms_controller.rb

@@ -6,21 +6,22 @@ class FormsController < ApplicationController
 
     before_action :authenticate_user!
     before_action :back_button_cache_buster
+    before_action :validate_token
 
     # Expects a form class name (eg BusinessTypeForm) and a snake_case name for the form (eg business_type_form)
     def new(form_class, form)
-      set_up_form(form_class, form, params[:reg_identifier], true)
+      set_up_form(form_class, form, params[:token], true)
     end
 
     # Expects a form class name (eg BusinessTypeForm) and a snake_case name for the form (eg business_type_form)
     def create(form_class, form)
-      return false unless set_up_form(form_class, form, params[form][:reg_identifier])
+      return false unless set_up_form(form_class, form, params[:token])
 
       submit_form(instance_variable_get("@#{form}"), transient_registration_attributes)
     end
 
     def go_back
-      find_or_initialize_transient_registration(params[:reg_identifier])
+      find_or_initialize_transient_registration(params[:token])
 
       @transient_registration.back! if form_matches_state?
       redirect_to_correct_form
@@ -34,15 +35,19 @@ def transient_registration_attributes
       params.permit
     end
 
-    def find_or_initialize_transient_registration(reg_identifier)
-      @transient_registration = RenewingRegistration.where(reg_identifier: reg_identifier).first ||
-                                RenewingRegistration.new(reg_identifier: reg_identifier)
+    def validate_token
+      return redirect_to(page_path("invalid")) unless find_or_initialize_transient_registration(params[:token])
+    end
+
+    def find_or_initialize_transient_registration(token)
+      @transient_registration ||= TransientRegistration.where(token: token).first
     end
 
     # Expects a form class name (eg BusinessTypeForm), a snake_case name for the form (eg business_type_form),
-    # and the reg_identifier param
-    def set_up_form(form_class, form, reg_identifier, get_request = false)
-      find_or_initialize_transient_registration(reg_identifier)
+    # and the token param
+    def set_up_form(form_class, form, token, get_request = false)
+      find_or_initialize_transient_registration(token)
+
       set_workflow_state if get_request
 
       return false unless setup_checks_pass?
@@ -68,10 +73,10 @@ def redirect_to_correct_form
       redirect_to form_path
     end
 
-    # Get the path based on the workflow state, with reg_identifier as params, ie:
-    # new_state_name_path/:reg_identifier
+    # Get the path based on the workflow state, with token as params, ie:
+    # new_state_name_path/:token
     def form_path
-      send("new_#{@transient_registration.workflow_state}_path".to_sym, @transient_registration.reg_identifier)
+      send("new_#{@transient_registration.workflow_state}_path".to_sym, @transient_registration.token)
     end
 
     def setup_checks_pass?

app/controllers/waste_carriers_engine/person_forms_controller.rb

@@ -11,7 +11,7 @@ def create(form_class, form)
     end
 
     def submit_and_add_another(form_class, form)
-      return unless set_up_form(form_class, form, params[form][:reg_identifier])
+      return unless set_up_form(form_class, form, params[:token])
 
       form_instance_variable = instance_variable_get("@#{form}")
 
@@ -25,7 +25,7 @@ def submit_and_add_another(form_class, form)
     end
 
     def delete_person(form_class, form)
-      return unless set_up_form(form_class, form, params[:reg_identifier])
+      return unless set_up_form(form_class, form, params[:token])
 
       respond_to do |format|
         # Check if there are any matches first, to avoid a Mongoid error

app/controllers/waste_carriers_engine/postcode_forms_controller.rb

@@ -3,7 +3,7 @@
 module WasteCarriersEngine
   class PostcodeFormsController < FormsController
     def skip_to_manual_address
-      find_or_initialize_transient_registration(params[:reg_identifier])
+      find_or_initialize_transient_registration(params[:token])
 
       @transient_registration.skip_to_manual_address! if form_matches_state?
       redirect_to_correct_form

app/controllers/waste_carriers_engine/worldpay_forms_controller.rb

@@ -46,7 +46,7 @@ def prepare_for_payment
     end
 
     def respond_to_acceptable_payment(action)
-      return unless valid_transient_registration?(params[:reg_identifier])
+      return unless valid_transient_registration?(params[:token])
 
       if response_is_valid?(action, params)
         log_and_send_worldpay_response(true, action)
@@ -60,7 +60,7 @@ def respond_to_acceptable_payment(action)
     end
 
     def respond_to_unsuccessful_payment(action)
-      return unless valid_transient_registration?(params[:reg_identifier])
+      return unless valid_transient_registration?(params[:token])
 
       if response_is_valid?(action, params)
         log_and_send_worldpay_response(true, action)
@@ -73,8 +73,8 @@ def respond_to_unsuccessful_payment(action)
       go_back
     end
 
-    def valid_transient_registration?(reg_identifier)
-      find_or_initialize_transient_registration(reg_identifier)
+    def valid_transient_registration?(token)
+      find_or_initialize_transient_registration(token)
       setup_checks_pass?
     end
 

app/forms/waste_carriers_engine/base_form.rb

@@ -9,9 +9,13 @@ class BaseForm
 
     attr_reader :transient_registration
 
-    delegate :reg_identifier, to: :transient_registration
+    delegate :token, :reg_identifier, to: :transient_registration
+
+    # If the record is new, and not yet persisted (which it is when the start
+    # page is first submitted) then we have nothing to validate hence the check
+    validates :token, presence: true, if: -> { transient_registration&.persisted? }
+    validates :reg_identifier, "waste_carriers_engine/reg_identifier": true, if: -> { transient_registration&.persisted? }
 
-    validates :reg_identifier, "waste_carriers_engine/reg_identifier": true
     validate :transient_registration_valid?
 
     define_model_callbacks :initialize

app/forms/waste_carriers_engine/renewal_complete_form.rb

@@ -22,7 +22,7 @@ def initialize(transient_registration)
     private
 
     def build_certificate_link
-      registration = Registration.where(reg_identifier: reg_identifier).first
+      registration = @transient_registration.registration
       return unless registration.present?
 
       id = registration.id

app/forms/waste_carriers_engine/renewal_start_form.rb

@@ -11,5 +11,11 @@ def submit(_params)
 
       super(attributes)
     end
+
+    def find_or_initialize_transient_registration(reg_identifier)
+      # TODO: Downtime at deploy when releaasing token?
+      @transient_registration = RenewingRegistration.where(token: reg_identifier).first ||
+                                RenewingRegistration.new(reg_identifier: reg_identifier)
+    end
   end
 end

app/models/concerns/waste_carriers_engine/can_have_secure_token.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module WasteCarriersEngine
+  module CanHaveSecureToken
+    extend ActiveSupport::Concern
+    include Mongoid::Document
+
+    included do
+      field :token, type: String
+
+      before_create :generate_unique_secure_token
+
+      def generate_unique_secure_token
+        self.token = SecureRandom.base64(24)
+      end
+    end
+  end
+end

app/models/waste_carriers_engine/transient_registration.rb

@@ -7,6 +7,7 @@ class TransientRegistration
     include CanCheckRegistrationStatus
     include CanFilterConvictionStatus
     include CanHaveRegistrationAttributes
+    include CanHaveSecureToken
     include CanStripWhitespace
 
     store_in collection: "transient_registrations"

app/views/waste_carriers_engine/bank_transfer_forms/new.html.erb

@@ -105,7 +105,7 @@
       </strong>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @bank_transfer_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @bank_transfer_form.token %>
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>
     </div>

app/views/waste_carriers_engine/business_type_forms/new.html.erb

@@ -45,7 +45,7 @@
 
     <p><%= t(".help") %></p>
 
-    <%= f.hidden_field :reg_identifier, value: @business_type_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @business_type_form.token %>
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>
     </div>

app/views/waste_carriers_engine/cards_forms/new.html.erb

@@ -30,7 +30,7 @@
       </fieldset>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @cards_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @cards_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/cbd_type_forms/new.html.erb

@@ -49,7 +49,7 @@
       </details>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @cbd_type_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @cbd_type_form.token %>
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>
     </div>

app/views/waste_carriers_engine/check_your_answers_forms/new.html.erb

@@ -114,7 +114,7 @@
 
       <hr>
 
-      <%= f.hidden_field :reg_identifier, value: @check_your_answers_form.reg_identifier %>
+      <%= f.hidden_field :token, value: @check_your_answers_form.token %>
       <div class="form-group">
         <%= f.submit t(".next_button"), class: "button" %>
       </div>

app/views/waste_carriers_engine/company_address_forms/new.html.erb

@@ -20,7 +20,7 @@
       <%= link_to(t(".manual_address_link"), skip_to_manual_address_company_address_forms_path(@company_address_form.reg_identifier)) %>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @company_address_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @company_address_form.token %>
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>
     </div>

app/views/waste_carriers_engine/company_address_manual_forms/new.html.erb

@@ -25,7 +25,7 @@
       <%= render("waste_carriers_engine/shared/manual_address", form: @company_address_manual_form, f: f, overseas: @company_address_manual_form.business_is_overseas?) %>
     <% end %>
 
-    <%= f.hidden_field :reg_identifier, value: @company_address_manual_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @company_address_manual_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/company_name_forms/new.html.erb

@@ -21,7 +21,7 @@
       </fieldset>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @company_name_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @company_name_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/company_postcode_forms/new.html.erb

@@ -25,7 +25,7 @@
       </fieldset>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @company_postcode_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @company_postcode_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/construction_demolition_forms/new.html.erb

@@ -40,7 +40,7 @@
       </details>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @construction_demolition_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @construction_demolition_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/contact_address_forms/new.html.erb

@@ -20,7 +20,7 @@
       <%= link_to(t(".manual_address_link"), skip_to_manual_address_contact_address_forms_path(@contact_address_form.reg_identifier)) %>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @contact_address_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @contact_address_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/contact_address_manual_forms/new.html.erb

@@ -25,7 +25,7 @@
       <%= render("waste_carriers_engine/shared/manual_address", form: @contact_address_manual_form, f: f, overseas: @contact_address_manual_form.business_is_overseas?) %>
     <% end %>
 
-    <%= f.hidden_field :reg_identifier, value: @contact_address_manual_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @contact_address_manual_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/contact_email_forms/new.html.erb

@@ -32,7 +32,7 @@
       </fieldset>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @contact_email_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @contact_email_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/contact_name_forms/new.html.erb

@@ -30,7 +30,7 @@
       </fieldset>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @contact_name_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @contact_name_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/contact_phone_forms/new.html.erb

@@ -21,7 +21,7 @@
       </fieldset>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @contact_phone_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @contact_phone_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/contact_postcode_forms/new.html.erb

@@ -27,8 +27,6 @@
       </fieldset>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @contact_postcode_form.reg_identifier %>
-
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>
     </div>

app/views/waste_carriers_engine/conviction_details_forms/_form.html.erb

@@ -19,7 +19,7 @@
 
   <%= render("waste_carriers_engine/shared/dob", form: @conviction_details_form, f: f) %>
 
-  <%= f.hidden_field :reg_identifier, value: @conviction_details_form.reg_identifier %>
+  <%= f.hidden_field :token, value: @conviction_details_form.token %>
 
   <div class="form-group">
     <%= f.submit t(".add_person_link"), class: "button-link" %>

app/views/waste_carriers_engine/declaration_forms/new.html.erb

@@ -25,7 +25,7 @@
 
     <p><%= link_to t(".privacy_link_text"), page_path("privacy"),  target: "_blank" %></p>
 
-    <%= f.hidden_field :reg_identifier, value: @declaration_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @declaration_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>

app/views/waste_carriers_engine/declare_convictions_forms/new.html.erb

@@ -48,7 +48,7 @@
       </details>
     </div>
 
-    <%= f.hidden_field :reg_identifier, value: @declare_convictions_form.reg_identifier %>
+    <%= f.hidden_field :token, value: @declare_convictions_form.token %>
 
     <div class="form-group">
       <%= f.submit t(".next_button"), class: "button" %>