refactor(multirespondent): make MRF Singpass/MyInfo validation step-aware

[kimyungju]

Problem

The MRF Singpass/MyInfo (SPCP) re-verification decision is hardcoded as a step === 1 assumption in two independent backend locations:

• verification.controller.ts: _handleGenerateOtp treats the presence of previousSubmissionId (any step 2+ request) as a signal to skip SPCP/MyInfo.
• multirespondent-submission.middleware.ts: handleNdiResponses gates verified-content generation behind stepNumber === 1.

Both carried // TODO comments pointing at the same future fix. The behaviour is correct for how MRF forms are configured today; the issue is maintainability. The same rule lives in two hand-synced places rather than one named location.

Closes #9513

Solution

Extract the duplicated step rule into a single shared, tested helper isSingpassEnforcedOnStep(form, stepNumber) and have both call sites consume it. This is a behaviour-preserving refactor: for every form configuration that exists today, the validation outcome is unchanged.

Scope is intentionally limited to centralising the step rule. There is no per-step Singpass config in the form schema today, so the helper reads authType and the step number only (authType !== NIL && stepNumber === 1); it does not unify the per-authType policy, which legitimately differs between the two call sites. Enabling Singpass on step 2+ (schema plus enforcement) is left as a follow-up rather than widening this PR, per the issue's Non-goals. The helper's JSDoc documents what that follow-up must wire (including the controller's step-2+ path) so it does not silently fail open.

Breaking Changes

• No - this PR is backwards compatible

Improvements:

• Add isSingpassEnforcedOnStep(form, stepNumber) helper in multirespondent-submission.utils.ts as the single source of truth for the step rule, with unit tests.
• _handleGenerateOtp and handleNdiResponses now call the helper instead of inlining step === 1 / previousSubmissionId assumptions.
• Remove the two stale // TODO comments; replace with a documented extension point for the per-step-config follow-up.

Tests

• pnpm --filter formsg-backend test -- multirespondent-submission.utils.spec: new unit tests for the helper (every authType on step 1 is enforced, NIL is not, steps 0/2/3/10 are not).
• pnpm --filter formsg-backend test -- verification.controller.spec: existing _handleGenerateOtp suite stays green (no behaviour change for SPCP-on-step-1 and no-SPCP forms).
• pnpm --filter formsg-backend test -- multirespondent-submission.middleware.spec: existing handleNdiResponses suite stays green (step-1 enforce, step-2+ skip, NIL no-op).
• All three suites: 132 passed.

Deploy Notes

No new environment variables, scripts, or dependencies.

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR centralises the “Singpass enforcement by MRF step” gating into a shared helper and reuses it in both the OTP generation controller and the MRF NDI middleware, with unit tests added for the new helper.

Changes:

• Introduced isSingpassEnforcedOnStep helper to encapsulate current “step 1 only” Singpass enforcement logic.
• Updated OTP generation flow and NDI response middleware to use the shared step gate.
• Added unit tests covering isSingpassEnforcedOnStep.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File	Description
apps/backend/src/app/modules/verification/verification.controller.ts	Uses the new helper to gate auth verification in the “no previousSubmissionId” path.
apps/backend/src/app/modules/submission/multirespondent-submission/multirespondent-submission.utils.ts	Adds isSingpassEnforcedOnStep helper and documentation.
apps/backend/src/app/modules/submission/multirespondent-submission/multirespondent-submission.middleware.ts	Replaces inline stepNumber === 1 gate with isSingpassEnforcedOnStep.
apps/backend/src/app/modules/submission/multirespondent-submission/tests/multirespondent-submission.utils.spec.ts	Adds tests for isSingpassEnforcedOnStep.