Merge pull request #11154 from 18F/stages/rc-2024-08-27-patch-1

* Revert "Merge pull request #11152 from 18F/stages/rc-2024-08-27-revert"

This reverts commit 90d418c, reversing
changes made to a951867.

* Allow for extra arguments to `idv_doc_auth_verify_polling_wait_visited` event (#11153)

The `idv_doc_auth_verify_polling_wait_visited` gets logged when a polling event occurs on the verify info step. This event does not have any extra attributes that it needs to log. As a result we left off the extra arguments when adding it.

Leaving off the extra arguments led to an issue with the `AnalyticsEventsEnhancer`. This adds attributes to the events that are prefixed with `idv_` when they are called. A result of this was a `ArgumentError` for this event since it did not have the extra arguments for these attributes.

[skip changelog]

.rubocop.yml

@@ -1081,6 +1081,9 @@ Style/ClassEqualityComparison:
 Style/ClassMethods:
   Enabled: true
 
+Style/CollectionMethods:
+  Enabled: true
+
 Style/ColonMethodCall:
   Enabled: true
 

Gemfile.lock

@@ -579,7 +579,7 @@ GEM
       actionpack (>= 5.0)
       railties (>= 5.0)
     retries (0.0.5)
-    rexml (3.3.4)
+    rexml (3.3.6)
       strscan
     rotp (6.3.0)
     rouge (4.2.0)

app/controllers/concerns/idv/verify_info_concern.rb

@@ -135,13 +135,15 @@ def process_async_state(current_async_state)
       end
 
       if current_async_state.in_progress?
+        analytics.idv_doc_auth_verify_polling_wait_visited
         render 'shared/wait'
         return
       end
 
       return if confirm_not_rate_limited_after_doc_auth
 
       if current_async_state.none?
+        analytics.idv_doc_auth_verify_visited(**analytics_arguments)
         render :show
       elsif current_async_state.missing?
         analytics.idv_proofing_resolution_result_missing

app/controllers/idv/in_person/verify_info_controller.rb

@@ -10,14 +10,14 @@ class VerifyInfoController < ApplicationController
       include VerifyInfoConcern
 
       before_action :confirm_not_rate_limited_after_doc_auth, except: [:show]
+      before_action :confirm_pii_data_present
       before_action :confirm_ssn_step_complete
 
       def show
         @step_indicator_steps = step_indicator_steps
         @ssn = idv_session.ssn
         @pii = pii
 
-        analytics.idv_doc_auth_verify_visited(**analytics_arguments)
         Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
           call('verify', :view, true) # specify in_person?
 
@@ -74,7 +74,8 @@ def prev_url
       end
 
       def pii
-        user_session.dig('idv/in_person', :pii_from_user).merge(ssn: idv_session.ssn)
+        pii_from_user = user_session.dig('idv/in_person', :pii_from_user) || {}
+        pii_from_user.merge(ssn: idv_session.ssn)
       end
 
       # override IdvSessionConcern
@@ -95,6 +96,12 @@ def confirm_ssn_step_complete
         return if pii.present? && idv_session.ssn.present?
         redirect_to prev_url
       end
+
+      def confirm_pii_data_present
+        unless user_session.dig('idv/in_person').present?
+          redirect_to idv_path
+        end
+      end
     end
   end
 end

app/controllers/idv/verify_info_controller.rb

@@ -16,7 +16,6 @@ def show
       @ssn = idv_session.ssn
       @pii = pii
 
-      analytics.idv_doc_auth_verify_visited(**analytics_arguments)
       Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
         call('verify', :view, true)
 

app/controllers/socure_webhook_controller.rb

@@ -4,6 +4,37 @@ class SocureWebhookController < ApplicationController
   skip_before_action :verify_authenticity_token
 
   def create
-    render json: { message: 'Got here.' }
+    if token_valid?
+      render json: { message: 'Secret token is valid.' }
+    else
+      render status: :unauthorized, json: { message: 'Invalid secret token.' }
+    end
+  end
+
+  private
+
+  def token_valid?
+    authorization_header = request.headers['Authorization']&.split&.last
+
+    return false if authorization_header.nil?
+
+    verify_current_key(authorization_header: authorization_header) ||
+      verify_queue(authorization_header: authorization_header)
+  end
+
+  def verify_current_key(authorization_header:)
+    ActiveSupport::SecurityUtils.secure_compare(
+      authorization_header,
+      IdentityConfig.store.socure_webhook_secret_key,
+    )
+  end
+
+  def verify_queue(authorization_header:)
+    IdentityConfig.store.socure_webhook_secret_key_queue.any? do |key|
+      ActiveSupport::SecurityUtils.secure_compare(
+        authorization_header,
+        key,
+      )
+    end
   end
 end

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -432,17 +432,17 @@ function AcuantCapture(
   }
 
   /**
-   * Given a click source, returns a higher-order function that, when called, will log an event
+   * Given a clickSource, returns a higher-order function that, when called, will log an event
    * before calling the original function.
    */
-  function withLoggedClick(source: string, metadata: { isDrop: boolean } = { isDrop: false }) {
+  function withLoggedClick(clickSource: string, metadata: { isDrop: boolean } = { isDrop: false }) {
     return <T extends (...args: any[]) => any>(fn: T) =>
       (...args: Parameters<T>) => {
         if (!isSuppressingClickLogging.current) {
           trackEvent(
             name === 'selfie' ? 'idv_selfie_image_clicked' : `IdV: ${name} image clicked`,
             {
-              source,
+              click_source: clickSource,
               ...metadata,
               liveness_checking_required: isSelfieCaptureEnabled,
               captureAttempts,
@@ -810,7 +810,7 @@ function AcuantCapture(
               <span className="padding-left-1 padding-right-1">{children}</span>
             ),
             'lg-upload': ({ children }) => (
-              <Button isUnstyled onClick={withLoggedClick('upload')(forceUpload)}>
+              <Button isUnstyled onClick={withLoggedClick('button')(forceUpload)}>
                 {children}
               </Button>
             ),

app/javascript/packs/ssn-field.ts

@@ -1,49 +1,42 @@
 import Cleave from 'cleave.js';
 
-function formatSSNFieldAndLimitLength() {
-  const inputs = document.querySelectorAll<HTMLInputElement>('input.ssn-toggle[type="password"]');
-
-  if (inputs) {
-    inputs.forEach((input) => {
-      const toggle = document.querySelector<HTMLInputElement>(`[aria-controls="${input.id}"]`)!;
-
-      let cleave: Cleave | undefined;
-
-      function sync() {
-        const { value } = input;
-        cleave?.destroy();
-        if (toggle.checked) {
-          cleave = new Cleave(input, {
-            numericOnly: true,
-            blocks: [3, 2, 4],
-            delimiter: '-',
-          });
-        } else {
-          const nextValue = value.replace(/-/g, '');
-          if (nextValue !== value) {
-            input.value = nextValue;
-          }
-        }
-        const didFormat = input.value !== value;
-        if (didFormat) {
-          input.checkValidity();
-        }
+const inputs = document.querySelectorAll<HTMLInputElement>('input.ssn-toggle[type="password"]');
+inputs.forEach((input) => {
+  const toggle = document.querySelector<HTMLInputElement>(`[aria-controls="${input.id}"]`)!;
+
+  let cleave: Cleave | undefined;
+
+  function sync() {
+    const { value } = input;
+    cleave?.destroy();
+    if (toggle.checked) {
+      cleave = new Cleave(input, {
+        numericOnly: true,
+        blocks: [3, 2, 4],
+        delimiter: '-',
+      });
+    } else {
+      const nextValue = value.replace(/-/g, '');
+      if (nextValue !== value) {
+        input.value = nextValue;
       }
+    }
+    const didFormat = input.value !== value;
+    if (didFormat) {
+      input.checkValidity();
+    }
+  }
 
-      sync();
-      toggle.addEventListener('change', sync);
-
-      function limitLength(this: HTMLInputElement) {
-        const maxLength = 9 + (this.value.match(/-/g) || []).length;
-        if (this.value.length > maxLength) {
-          this.value = this.value.slice(0, maxLength);
-          this.checkValidity();
-        }
-      }
+  sync();
+  toggle.addEventListener('change', sync);
 
-      input.addEventListener('input', limitLength.bind(input));
-    });
+  function limitLength(this: HTMLInputElement) {
+    const maxLength = 9 + (this.value.match(/-/g) || []).length;
+    if (this.value.length > maxLength) {
+      this.value = this.value.slice(0, maxLength);
+      this.checkValidity();
+    }
   }
-}
 
-document.addEventListener('DOMContentLoaded', formatSSNFieldAndLimitLength);
+  input.addEventListener('input', limitLength.bind(input));
+});

app/javascript/packs/state-guidance.ts

@@ -57,8 +57,6 @@ function onIdentityDocJurisdictionSelection() {
 
 document.getElementById('idv_form_state')?.addEventListener('change', onStateSelectionChange);
 
-document.addEventListener('DOMContentLoaded', () => {
-  onStateSelectionChange();
-  onIdentityDocStateSelection();
-  onIdentityDocJurisdictionSelection();
-});
+onStateSelectionChange();
+onIdentityDocStateSelection();
+onIdentityDocJurisdictionSelection();

app/jobs/reports/monthly_gpo_letter_requests_report.rb

@@ -24,7 +24,7 @@ def perform(_date, start_time: first_of_this_month, end_time: end_of_today)
     private
 
     def calculate_totals(daily_results)
-      daily_results.inject(0) { |sum, rec| sum + rec['letter_requests_count'].to_i }
+      daily_results.reduce(0) { |sum, rec| sum + rec['letter_requests_count'].to_i }
     end
   end
 end

app/jobs/reports/monthly_key_metrics_report.rb

@@ -106,9 +106,7 @@ def total_user_count_report
     end
 
     def active_users_count_report
-      @active_users_count_report ||= Reporting::ActiveUsersCountReport.new(
-        report_date,
-      )
+      @active_users_count_report ||= Reporting::ActiveUsersCountReport.new(report_date)
     end
 
     def agency_and_sp_report