Merge pull request #11614 from 18F/stages/rc-2024-12-10

Deploy RC 437 to Production

Gemfile

@@ -105,7 +105,7 @@ group :development, :test do
   gem 'brakeman', require: false
   gem 'bullet', '~> 7.0'
   gem 'capybara-webmock', git: 'https://github.com/hashrocket/capybara-webmock.git', ref: 'd3f3b7c'
-  gem 'erb_lint', '~> 0.5.0', require: false
+  gem 'erb_lint', '~> 0.7.0', require: false
   gem 'i18n-tasks', '~> 1.0'
   gem 'knapsack'
   gem 'listen'

Gemfile.lock

@@ -305,12 +305,12 @@ GEM
       htmlentities (~> 4.3.3)
       launchy (~> 2.1)
       mail (~> 2.7)
-    erb_lint (0.5.0)
+    erb_lint (0.7.0)
       activesupport
       better_html (>= 2.0.1)
       parser (>= 2.7.1.4)
       rainbow
-      rubocop
+      rubocop (>= 1)
       smart_properties
     errbase (0.2.1)
     erubi (1.13.0)
@@ -779,7 +779,7 @@ DEPENDENCIES
   devise (~> 4.8)
   dotiw (>= 4.0.1)
   email_spec
-  erb_lint (~> 0.5.0)
+  erb_lint (~> 0.7.0)
   factory_bot_rails (>= 6.2.0)
   faker
   faraday (~> 2)

Makefile

@@ -63,7 +63,7 @@ check: lint test ## Runs lint tests and spec tests
 
 lint: ## Runs all lint tests
 	# Ruby
-	@echo "--- erb-lint ---"
+	@echo "--- erb_lint ---"
 	make lint_erb
 	@echo "--- rubocop ---"
 	mkdir -p tmp
@@ -112,7 +112,7 @@ audit: ## Checks packages for vulnerabilities
 	yarn audit --groups dependencies; test $$? -le 7
 
 lint_erb: ## Lints ERB files
-	bundle exec erblint app/views app/components
+	bundle exec erb_lint app/views app/components
 
 lint_yaml: normalize_yaml ## Lints YAML files
 	(! git diff --name-only | grep "^config/.*\.yml") || (echo "Error: Run 'make normalize_yaml' to normalize YAML"; exit 1)
@@ -181,8 +181,8 @@ lint_spec_file_name:
 lintfix: ## Try to automatically fix any Ruby, ERB, JavaScript, YAML, or CSS lint errors
 	@echo "--- rubocop fix ---"
 	bundle exec rubocop -a
-	@echo "--- erblint fix ---"
-	bundle exec erblint app/views app/components -a
+	@echo "--- erb_lint fix ---"
+	bundle exec erb_lint app/views app/components -a
 	@echo "--- eslint fix ---"
 	yarn lint --fix
 	@echo "--- stylelint fix ---"

app/controllers/concerns/ial2_profile_concern.rb

@@ -23,7 +23,7 @@ def cache_profile_and_handle_errors(raw_password, profile)
       cacher.save(raw_password, profile)
     rescue Encryption::EncryptionError => err
       if profile
-        profile.deactivate(:encryption_error)
+        profile.deactivate_due_to_encryption_error
         analytics.profile_encryption_invalid(error: err.message)
       end
     end

app/controllers/concerns/idv/document_capture_concern.rb

@@ -81,6 +81,38 @@ def redirect_to_correct_vendor(vendor, in_hybrid_mobile)
       redirect_to correct_path
     end
 
+    def fetch_test_verification_data
+      return unless IdentityConfig.store.socure_docv_verification_data_test_mode
+
+      docv_transaction_token_override = params.permit(:docv_token)[:docv_token]
+      return unless IdentityConfig.store.socure_docv_verification_data_test_mode_tokens.
+        include?(docv_transaction_token_override)
+
+      SocureDocvResultsJob.perform_now(
+        document_capture_session_uuid:,
+        docv_transaction_token_override:,
+        async: true,
+      )
+    end
+
+    def track_document_request_event(document_request:, document_response:, timer:)
+      document_request_body = JSON.parse(document_request.body, symbolize_names: true)[:config]
+      response_hash = document_response.to_h
+      log_extras = {
+        reference_id: response_hash[:referenceId],
+        vendor: 'Socure',
+        vendor_request_time_in_ms: timer.results['vendor_request'],
+        success: @url.present?,
+        document_type: document_request_body[:documentType],
+        docv_transaction_token: response_hash.dig(:data, :docvTransactionToken),
+      }
+      analytics_hash = log_extras.merge(analytics_arguments).
+        merge(document_request_body).except(
+          :documentType, # requested document type
+        ).merge(response_body: document_response.to_h)
+      analytics.idv_socure_document_request_submitted(**analytics_hash)
+    end
+
     private
 
     def track_document_issuing_state(user, state)

app/controllers/idv/account_verified_cta_visited_controller.rb

@@ -22,7 +22,8 @@ def redirect_url
       if issuer.blank?
         root_url
       else
-        sp_return_url_resolver&.return_to_sp_url
+        sp_return_url_resolver&.post_idv_follow_up_url ||
+          sp_return_url_resolver&.return_to_sp_url
       end
     end
 

app/controllers/idv/by_mail/sp_follow_up_controller.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module Idv
+  module ByMail
+    class SpFollowUpController < ApplicationController
+      include Idv::AvailabilityConcern
+
+      before_action :confirm_two_factor_authenticated
+      before_action :confirm_needs_sp_follow_up
+
+      def new
+        analytics.track_event(:idv_by_mail_sp_follow_up_visited, **analytics_params)
+        @presenter = Idv::ByMail::SpFollowUpPresenter.new(current_user:)
+      end
+
+      def show
+        analytics.track_event(:idv_by_mail_sp_follow_up_submitted, **analytics_params)
+
+        sp_return_url_resolver = SpReturnUrlResolver.new(
+          service_provider: current_user.active_profile.initiating_service_provider,
+        )
+        redirect_url = sp_return_url_resolver.post_idv_follow_up_url ||
+                       sp_return_url_resolver.return_to_sp_url
+        redirect_to(redirect_url, allow_other_host: true)
+      end
+
+      def cancel
+        analytics.track_event(:idv_by_mail_sp_follow_up_cancelled, **analytics_params)
+        redirect_to account_url
+      end
+
+      private
+
+      def analytics_params
+        initiating_service_provider = current_user.active_profile.initiating_service_provider
+        {
+          initiating_service_provider: initiating_service_provider.issuer,
+        }
+      end
+
+      def confirm_needs_sp_follow_up
+        return if current_user.identity_verified? &&
+                  current_user.active_profile.initiating_service_provider.present? &&
+                  !current_sp.present?
+        redirect_to account_url
+      end
+    end
+  end
+end

app/controllers/idv/enter_password_controller.rb

@@ -127,7 +127,7 @@ def confirm_current_password
     end
 
     def init_profile
-      idv_session.create_profile_from_applicant_with_password(
+      profile = idv_session.create_profile_from_applicant_with_password(
         password,
         is_enhanced_ipp: resolved_authn_context_result.enhanced_ipp?,
         proofing_components: ProofingComponents.new(
@@ -137,12 +137,13 @@ def init_profile
           user_session:,
         ).to_h,
       )
-      if idv_session.verify_by_mail?
+
+      if profile.gpo_verification_pending?
         current_user.send_email_to_all_addresses(:verify_by_mail_letter_requested)
         log_letter_enqueued_analytics(resend: false)
       end
 
-      if idv_session.profile.active?
+      if profile.active?
         create_user_event(:account_verified)
         UserAlerts::AlertUserAboutAccountVerified.call(
           profile: idv_session.profile,

app/controllers/idv/how_to_verify_controller.rb

@@ -5,6 +5,7 @@ class HowToVerifyController < ApplicationController
     include Idv::AvailabilityConcern
     include IdvStepConcern
     include RenderConditionConcern
+    include DocAuthVendorConcern
 
     before_action :confirm_step_allowed
     before_action :set_how_to_verify_presenter
@@ -86,8 +87,16 @@ def how_to_verify_form_params
     end
 
     def set_how_to_verify_presenter
+      @mobile_required = mobile_required?
       @selfie_required = idv_session.selfie_check_required
-      @presenter = Idv::HowToVerifyPresenter.new(selfie_check_required: @selfie_required)
+      @presenter = Idv::HowToVerifyPresenter.new(
+        mobile_required: @mobile_required,
+        selfie_check_required: @selfie_required,
+      )
+    end
+
+    def mobile_required?
+      idv_session.selfie_check_required || doc_auth_vendor == Idp::Constants::Vendors::SOCURE
     end
   end
 end

app/controllers/idv/hybrid_mobile/socure/document_capture_controller.rb

@@ -14,6 +14,7 @@ class DocumentCaptureController < ApplicationController
         before_action :check_valid_document_capture_session, except: [:update]
         before_action -> { redirect_to_correct_vendor(Idp::Constants::Vendors::SOCURE, true) },
                       only: :show
+        before_action :fetch_test_verification_data, only: [:update]
 
         def show
           Funnel::DocAuth::RegisterStep.new(document_capture_user.id, sp_session[:issuer]).
@@ -24,12 +25,16 @@ def show
             redirect_url: idv_hybrid_mobile_socure_document_capture_update_url,
             language: I18n.locale,
           )
-          document_response = document_request.fetch
+          timer = JobHelpers::Timer.new
+          document_response = timer.time('vendor_request') do
+            document_request.fetch
+          end
 
-          @document_request = document_request
-          @document_response = document_response
           @url = document_response.dig(:data, :url)
 
+          track_document_request_event(document_request:, document_response:, timer:)
+
+          # placeholder until we get an error page for url not being present
           if @url.nil?
             redirect_to idv_hybrid_mobile_socure_document_capture_errors_url
             return
@@ -47,9 +52,6 @@ def show
             :url,
           )
           document_capture_session.save
-          # useful for analytics
-          @msg = document_response[:msg]
-          @reference_id = document_response[:referenceId]
         end
 
         def update

app/controllers/idv/personal_key_controller.rb

@@ -72,6 +72,8 @@ def next_step
         idv_please_call_url
       elsif session[:sp]
         sign_up_completed_url
+      elsif idv_session.address_verification_mechanism == 'gpo'
+        idv_sp_follow_up_path
       else
         after_sign_in_path_for(current_user)
       end

app/controllers/idv/socure/document_capture_controller.rb

@@ -14,6 +14,7 @@ class DocumentCaptureController < ApplicationController
       before_action :confirm_step_allowed
       before_action -> { redirect_to_correct_vendor(Idp::Constants::Vendors::SOCURE, false) },
                     only: :show
+      before_action :fetch_test_verification_data, only: [:update]
 
       # reconsider and maybe remove these when implementing the real
       # update handler
@@ -34,13 +35,15 @@ def show
           redirect_url: idv_socure_document_capture_update_url,
           language: I18n.locale,
         )
+        timer = JobHelpers::Timer.new
+        document_response = timer.time('vendor_request') do
+          document_request.fetch
+        end
 
-        document_response = document_request.fetch
-
-        @document_request = document_request
-        @document_response = document_response
         @url = document_response.dig(:data, :url)
 
+        track_document_request_event(document_request:, document_response:, timer:)
+
         # placeholder until we get an error page for url not being present
         if @url.nil?
           redirect_to idv_socure_document_capture_errors_url
@@ -60,10 +63,6 @@ def show
           :url,
         )
         document_capture_session.save
-
-        # useful for analytics
-        @msg = document_response[:msg]
-        @reference_id = document_response[:referenceId]
       end
 
       def update

app/controllers/users/webauthn_platform_recommended_controller.rb

@@ -39,7 +39,7 @@ def dismiss_redirect_path
       if opted_to_add?
         webauthn_setup_path(platform: true)
       elsif in_account_creation_flow?
-        next_setup_path
+        next_setup_path || after_mfa_setup_path
       else
         after_sign_in_path_for(current_user)
       end

app/jobs/socure_docv_results_job.rb

@@ -3,12 +3,13 @@
 class SocureDocvResultsJob < ApplicationJob
   queue_as :high_socure_docv
 
-  attr_reader :document_capture_session_uuid, :async
+  attr_reader :document_capture_session_uuid, :async, :docv_transaction_token_override
 
   # @param [String] document_capture_session_uuid
-  def perform(document_capture_session_uuid:, async: true)
+  def perform(document_capture_session_uuid:, async: true, docv_transaction_token_override: nil)
     @document_capture_session_uuid = document_capture_session_uuid
     @async = async
+    @docv_transaction_token_override = docv_transaction_token_override
 
     raise "DocumentCaptureSession not found: #{document_capture_session_uuid}" unless
       document_capture_session
@@ -51,6 +52,7 @@ def log_verification_request(docv_result_response:, vendor_request_time_in_ms:)
   def socure_document_verification_result
     DocAuth::Socure::Requests::DocvResultRequest.new(
       document_capture_session_uuid:,
+      docv_transaction_token_override:,
     ).fetch
   end
 

app/models/profile.rb

@@ -191,6 +191,20 @@ def deactivate(reason)
     update!(active: false, deactivation_reason: reason)
   end
 
+  # Update the profile's deactivation reason to "encryption_error". As a
+  # side-effect, when the profile has an associated pending in-person
+  # enrollment it will be updated to have a status of "cancelled".
+  def deactivate_due_to_encryption_error
+    update!(
+      active: false,
+      deactivation_reason: :encryption_error,
+    )
+
+    if in_person_enrollment&.pending?
+      in_person_enrollment.cancelled!
+    end
+  end
+
   def fraud_deactivation_reason?
     fraud_review_pending? || fraud_rejection?
   end

app/presenters/idv/account_verified_email_presenter.rb

@@ -16,7 +16,7 @@ def service_provider
     end
 
     def show_cta?
-      !service_provider || service_provider_homepage_url.present?
+      !service_provider || service_provider_post_idv_follow_up_url.present?
     end
 
     def sign_in_url
@@ -32,11 +32,11 @@ def sign_in_url
     end
 
     def displayed_sign_in_url
-      service_provider_homepage_url || root_url
+      service_provider_post_idv_follow_up_url || root_url
     end
 
-    def service_provider_homepage_url
-      sp_return_url_resolver.homepage_url if service_provider
+    def service_provider_post_idv_follow_up_url
+      sp_return_url_resolver.post_idv_follow_up_url if service_provider
     end
 
     def sp_name