Please Call Screen for IPP Threatmetrix review

[JackRyan1989]

🎫 Ticket

Link to the relevant ticket:
LG-11995

🛠 Summary of changes

• Added new IPP specific fraud conditions to the fraud checker and concern
• Referenced those new check in the review page
• Added new boolean var to the please call page template to hide the progress bar for IPP
• Updated specs

📜 Testing Plan

Provide a checklist of steps to confirm the changes.

• Fire up the local server
• Create a new user - make sure to hang on to the mock login info you use to create the account
• Proceed through the IPP flow
• On SSN page use the drop down to select Review
• Proceed through the rest of the flow to the barcode page to create the enrollment
• Code comment out enrollment_outcomes[:enrollments_passed] += 1 from app/jobs/get_usps_proofing_results_job.rb
• Open the rails console: rails c
• Save the latest enrollment you just created: e = InPersonEnrollment.last
• Create a new mock JSON blob: json = UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_results_response
• Save that response as a response: res = JSON.parse(json)
• Update the user's profile: e.profile.update!(fraud_pending_reason: 1)
• Initiate job: GetUspsProofingResultsJob.new.send(:process_enrollment_response, e, res)
• Login again, and attempt to navigate past the /account page
• You should end up on the /please_call page

Test with a failed enrollment:

• Fire up the local server
• Create a new user - make sure to hang on to the mock login info you use to create the account
• Proceed through the IPP flow
• On SSN page use the drop down to select Review
• Proceed through the rest of the flow to the barcode page to create the enrollment
• Code comment out enrollment_outcomes[:enrollments_passed] += 1 from app/jobs/get_usps_proofing_results_job.rb
• Open the rails console: rails c
• Save the latest enrollment you just created: e = InPersonEnrollment.last
• Create a new mock JSON blob: json = UspsInPersonProofing::Mock::Fixtures.request_failed_proofing_results_response
• Save that response as a response: res = JSON.parse(json)
• Update the user's profile: e.profile.update!(fraud_pending_reason: 1)
• Initiate job: GetUspsProofingResultsJob.new.send(:process_enrollment_response, e, res)
• Login again, and attempt to navigate past the /account page
• You should not hit the please call page with a failed enrollment

👀 Screenshots

If relevant, include a screenshot or screen capture of the changes.

Images

[n1zyy]

I need to circle back for a more thorough review after some meetings, but taking a quick look this looks like good stuff. My comments are optional suggestions.

[carmenrosalop]

Shared design feedback on this slack thread https://gsa-tts.slack.com/archives/C03FA4VBN76/p1707240954111969?thread_ts=1707160403.648729&cid=C03FA4VBN76

[svalexander]

this is not a big thing but i'm wondering about naming here. This is checking both that the user went through ipp and that the status is passed. Is there maybe some naming that could capture both? not blocking at all though

[n1zyy]

I had the same thought at first.

Where I landed is that in the particular context of the PleaseCallController, "Is this for IPP?" basically means what is implemented in this method.

That said, since this is assigned to the @in_person variable in the show method, we could still name this something more precise. But I don't feel strongly on this one. (And I don't have an obvious name to suggest.)

But, see my next comment.

[svalexander]

I think we might actually not want to show the screen in this case but maybe @daviddsilvanava or @eryn-sobing can confirm. The reason I think this is that we currently send the "please call" email to users who get a passed status but not to the users who get a failed status. Ticket where we implemented that behavior.

[n1zyy]

Aww shoot, good catch @svalexander. I'm going back to the ticket and finding it's way too vaguely worded. (I wrote it. This is my fault.) This is a tricky gotcha.

I think I would prefer to take discussion of this offline to Slack, but I agree with tagging in David and Eryn and chatting about this tomorrow. It's a question of whether we're consistent with the email we send (I think we should be), or consistent with the behavior in other parts of the app (which I also think we should be, but the two are contradictory here).

[JackRyan1989]

So @svalexander I realized I messed up the description text for this spec. It's actually working as intended. The 'establishing' enrollment does not redirect to please call, but does render the ready to verify text which is indeed what we want to happen.

[svalexander]

oh ok so i interpreted "not passed" as "failed" but it's actually "establishing". Can we update the context to enrollment status equals establishing or something like that to make the spec super clear?

[svalexander]

maybe we should also add a spec where enrollment has a status of failed?

[svalexander]

actually maybe that last statement is not needed? looking at the spec in the please_call_controller_spec on line 78 I think that would satisfy my previous suggestion?

[JackRyan1989]

Line 78 handles threatmetrix rejection whereas the setting I think you're referring to is for the enrollment. The idea behind saying 'not passed' is that a passed enrollment is the only status we're looking for. We don't do anything special with any of the other statuses, so I could put anything else in there and the result would be pretty much the same.

Also, this is for fraud review pending. I could do another test for rejection but as you say that is kinda handled in the please_call_controller_spec.

[svalexander]

ok that makes sense

[n1zyy]

Blargh. I think this is really good code (with one suggestion left for a possible tweak), but I think this needs to wait for us to figure out https://github.com/18F/identity-idp/pull/10033/files#r1480537532 which is a requirements issue. I feel bad I didn't see this ahead of time.

[n1zyy]

I had the same thought at first.

Where I landed is that in the particular context of the PleaseCallController, "Is this for IPP?" basically means what is implemented in this method.

That said, since this is assigned to the @in_person variable in the show method, we could still name this something more precise. But I don't feel strongly on this one. (And I don't have an obvious name to suggest.)

But, see my next comment.

[n1zyy]

Oh, actually... The similarity to the in_person_proofing? method above maybe feels like a bonus reason to just put this on User and whistle innocently while avoiding the thorny question of exactly where the line between user.rb and profile.rb should be.

[JackRyan1989]

Ahhhh. Ok. Yeah I think we can make a good case for checking for enrollment status on the user.

[n1zyy]

Aww shoot, good catch @svalexander. I'm going back to the ticket and finding it's way too vaguely worded. (I wrote it. This is my fault.) This is a tricky gotcha.

I think I would prefer to take discussion of this offline to Slack, but I agree with tagging in David and Eryn and chatting about this tomorrow. It's a question of whether we're consistent with the email we send (I think we should be), or consistent with the behavior in other parts of the app (which I also think we should be, but the two are contradictory here).

[svalexander]

this is a great comment to add for future reference, thank you!

[svalexander]

this is super clear now, thanks for updating this!

[svalexander]

Approving as none of my current suggestions are blocking.

[svalexander]

thanks for this update!

[gina-yamada]

If a SP has not opted in, the user should not have made it to this point but should we also be checking if in_person_proofing is enabled on the SP? Maybe too much but just pondering it.

[JackRyan1989]

This page is rendered asynchronously and always after the user has completed the identity verification flow. If they have not opted in but have completed IdV and been flagged for fraud they should absolutely see this page.

[gina-yamada]

I was hoping to see this test as it is being conditionally rendered. Nice ⭐

[gina-yamada]

I set in_person_proofing_enforce_tmx to true

• Fire up the local server
• Create a new user - make sure to hang on to the mock login info you use to create the account
• Proceed through the IPP flow
• On SSN page use the drop down to select Review
• Proceed through the rest of the flow to the barcode page to create the enrollment
• Code comment out enrollment_outcomes[:enrollments_passed] += 1 from app/jobs/get_usps_proofing_results_job.rb
• Open the rails console: rails c
• Save the latest enrollment you just created: e = InPersonEnrollment.last
• Create a new mock JSON blob: json = UspsInPersonProofing::Mock::Fixtures.request_passed_proofing_results_response
• Save that response as a response: res = JSON.parse(json)
• Update the user's profile: e.profile.update!(fraud_pending_reason: 1)
• Initiate job: GetUspsProofingResultsJob.new.send(:process_enrollment_response, e, res)
• Login again, and attempt to navigate past the /account page
• You should end up on the /please_call page

[gina-yamada]

Failing tests will need to be resolved but I was able to successfully see Please Call screens in all three languages with no progress bar. I did leave a comment last week about an additional check but don't think it is a road blocker.

[gina-yamada]

@JackRyan1989 I was looking at specs for the rollout plan today. I noticed the mocks say the user has 30 days to call. The call by date on the screen is 14 days. See please_call_controller FRAUD_REVIEW_CONTACT_WITHING_DAYS

When I look back at my screenshots above, they are 3 weeks old and would be second week in Feb. If it was 30 days- the date on the screen should be in March but it reads February- proving the display reads only 14 days. Maybe not a big deal but wondering if product needs to approve this change or if we need to make a new ticket to handle IPP differently. Sorry, I missed checking the date entirely.

[JackRyan1989]

Excellent catch @gina-yamada. I can escalate this to product and check. I'll open another pull request to make the change when the time comes.

[gina-yamada]

@JackRyan1989 I was looking at specs for the rollout plan today. I noticed the mocks say the user has 30 days to call. The call by date on the screen is 14 days. See please_call_controller FRAUD_REVIEW_CONTACT_WITHING_DAYS

When I look back at my screenshots above, they are 3 weeks old and would be second week in Feb. If it was 30 days- the date on the screen should be in March but it reads February- proving the display reads only 14 days. Maybe not a big deal but wondering if product needs to approve this change or if we need to make a new ticket to handle IPP differently. Sorry, I missed checking the date entirely.

@JackRyan1989 discovered the 14 days date displayed is accurate and expected behavior. We do not need to change the date or take any further action. See this Slack thread.