Deploy RC 359 to Production

Gemfile.lock

@@ -484,7 +484,7 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.7.3)
-    rack (3.0.8)
+    rack (3.0.9.1)
     rack-cors (2.0.1)
       rack (>= 2.0.0)
     rack-headers_filter (0.0.1)

app/controllers/accounts/connected_accounts_controller.rb

@@ -8,7 +8,6 @@ class ConnectedAccountsController < ApplicationController
     def show
       @presenter = AccountShowPresenter.new(
         decrypted_pii: nil,
-        personal_key: flash[:personal_key],
         sp_session_request_url: sp_session_request_url_with_updated_params,
         sp_name: decorated_sp_session.sp_name,
         user: current_user,

app/controllers/accounts/history_controller.rb

@@ -8,7 +8,6 @@ class HistoryController < ApplicationController
     def show
       @presenter = AccountShowPresenter.new(
         decrypted_pii: nil,
-        personal_key: flash[:personal_key],
         sp_session_request_url: sp_session_request_url_with_updated_params,
         sp_name: decorated_sp_session.sp_name,
         user: current_user,

app/controllers/accounts/two_factor_authentication_controller.rb

@@ -9,7 +9,6 @@ def show
       session[:account_redirect_path] = account_two_factor_authentication_path
       @presenter = AccountShowPresenter.new(
         decrypted_pii: nil,
-        personal_key: flash[:personal_key],
         sp_session_request_url: sp_session_request_url_with_updated_params,
         sp_name: decorated_sp_session.sp_name,
         user: current_user,

app/controllers/accounts_controller.rb

@@ -11,7 +11,6 @@ def show
     cacher = Pii::Cacher.new(current_user, user_session)
     @presenter = AccountShowPresenter.new(
       decrypted_pii: cacher.fetch(current_user.active_or_pending_profile&.id),
-      personal_key: flash[:personal_key],
       sp_session_request_url: sp_session_request_url_with_updated_params,
       sp_name: decorated_sp_session.sp_name,
       user: current_user,

app/controllers/application_controller.rb

@@ -405,7 +405,7 @@ def service_provider_mfa_policy
       service_provider: sp_from_sp_session,
       auth_methods_session:,
       aal_level_requested: sp_session[:aal_level_requested],
-      piv_cac_requested: sp_session[:piv_cac_requested],
+      piv_cac_requested: resolved_authn_context_result.hspd12?,
       phishing_resistant_requested: resolved_authn_context_result.phishing_resistant?,
     )
   end

app/controllers/concerns/fraud_review_concern.rb

@@ -4,37 +4,30 @@ module FraudReviewConcern
   delegate :fraud_check_failed?,
            :fraud_review_pending?,
            :fraud_rejection?,
-           :ipp_fraud_review_pending?,
            to: :fraud_review_checker
 
   def handle_fraud
-    in_person_handle_pending_fraud_review
     handle_pending_fraud_review
     handle_fraud_rejection
   end
 
   def handle_pending_fraud_review
     # If the user has not passed IPP at a post office, allow them to
     # complete another enrollment by not redirecting to please call
-    return if in_person_can_perform_fraud_review?
+    # or rejection screen
+    return if in_person_prevent_fraud_redirection?
     redirect_to_fraud_review if fraud_review_pending?
   end
 
   def handle_fraud_rejection
+    return if in_person_prevent_fraud_redirection?
     redirect_to_fraud_rejection if fraud_rejection?
   end
 
-  def in_person_handle_pending_fraud_review
-    return unless in_person_can_perform_fraud_review?
-    if fraud_review_pending? && current_user.in_person_enrollment_status == 'passed'
-      redirect_to_fraud_review
-    end
-  end
-
-  def in_person_can_perform_fraud_review?
+  def in_person_prevent_fraud_redirection?
     IdentityConfig.store.in_person_proofing_enforce_tmx &&
-      current_user.in_person_enrollment_status != 'canceled' &&
-      !current_user.in_person_enrollment_status.nil?
+      !current_user.in_person_enrollment_status.nil? &&
+      current_user.in_person_enrollment_status != 'passed'
   end
 
   def redirect_to_fraud_review

app/controllers/concerns/remember_device_concern.rb

@@ -9,7 +9,7 @@ def save_remember_device_preference(remember_device_preference)
     return if remember_device_preference != '1' && remember_device_preference != 'true'
     cookies.encrypted[:remember_device] = {
       value: RememberDeviceCookie.new(user_id: current_user.id, created_at: Time.zone.now).to_json,
-      expires: remember_device_cookie_expiration,
+      expires: IdentityConfig.store.remember_device_expiration_hours_aal_1.hours.from_now,
     }
   end
 
@@ -83,12 +83,4 @@ def handle_valid_remember_device_analytics(cookie_created_at:)
       cookie_age_seconds: (Time.zone.now - cookie_created_at).to_i,
     )
   end
-
-  def remember_device_cookie_expiration
-    if IdentityConfig.store.set_remember_device_session_expiration
-      nil
-    else
-      IdentityConfig.store.remember_device_expiration_hours_aal_1.hours.from_now
-    end
-  end
 end

app/controllers/events_controller.rb

@@ -9,7 +9,6 @@ def show
     analytics.events_visit
     @presenter = AccountShowPresenter.new(
       decrypted_pii: nil,
-      personal_key: nil,
       sp_session_request_url: sp_session_request_url_with_updated_params,
       sp_name: decorated_sp_session.sp_name,
       user: current_user,

app/controllers/saml_idp_controller.rb

@@ -104,15 +104,8 @@ def saml_metadata
     SamlEndpoint.new(params[:path_year]).saml_metadata
   end
 
-  def ialmax_request_with_ial1_acr_and_pii_requested_and_locked?
-    requested_ial == 'ialmax' &&
-      current_user.identity_verified? &&
-      !Pii::Cacher.new(current_user, user_session).exists_in_session?
-  end
-
   def prompt_for_password_if_ial2_request_and_pii_locked
-    return unless pii_requested_but_locked? ||
-                  ialmax_request_with_ial1_acr_and_pii_requested_and_locked?
+    return unless pii_requested_but_locked?
     redirect_to capture_password_url
   end
 

app/controllers/users/passwords_controller.rb

@@ -51,8 +51,13 @@ def handle_valid_password
       # that the user remains authenticated.
       bypass_sign_in current_user
 
-      flash[:personal_key] = @update_user_password_form.personal_key
-      redirect_to account_url, flash: { info: t('notices.password_changed') }
+      flash[:info] = t('notices.password_changed')
+      if @update_user_password_form.personal_key.present?
+        user_session[:personal_key] = @update_user_password_form.personal_key
+        redirect_to manage_personal_key_url
+      else
+        redirect_to account_url
+      end
     end
 
     def send_password_reset_risc_event

app/controllers/users/piv_cac_login_controller.rb

@@ -58,7 +58,7 @@ def piv_cac_login_form
       @piv_cac_login_form ||= UserPivCacLoginForm.new(
         token: params[:token],
         nonce: piv_cac_nonce,
-        piv_cac_required: sp_session[:piv_cac_requested],
+        piv_cac_required: resolved_authn_context_result.hspd12?,
       )
     end
 

app/controllers/users/verify_password_controller.rb

@@ -35,10 +35,10 @@ def confirm_personal_key
     end
 
     def handle_success(result)
-      flash[:personal_key] = result.extra[:personal_key]
+      user_session[:personal_key] = result.extra[:personal_key]
       irs_attempts_api_tracker.idv_personal_key_generated
       reactivate_account_session.clear
-      redirect_to account_url
+      redirect_to manage_personal_key_url
     end
 
     def verify_password_form

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -35,11 +35,11 @@ interface ImageAnalyticsPayload {
   /**
    * Image width, or null if unknown
    */
-  width: number | null;
+  width?: number | null;
   /**
    * Image height, or null if unknown
    */
-  height: number | null;
+  height?: number | null;
   /**
    * Mime type, or null if unknown
    */
@@ -65,7 +65,7 @@ interface ImageAnalyticsPayload {
   /**
    * Fingerprint of the image, base64 encoded SHA-256 digest
    */
-  fingerprint: string | null;
+  fingerprint?: string | null;
 
   /**
    *
@@ -512,9 +512,16 @@ function AcuantCapture(
   }
 
   function onSelfieCaptureSuccess({ image }: { image: string }) {
+    const analyticsPayload: ImageAnalyticsPayload = getAddAttemptAnalyticsPayload({
+      mimeType: 'image/jpeg', // Acuant Web SDK currently encodes all images as JPEG
+      source: 'acuant',
+      size: getDecodedBase64ByteSize(image),
+      failedImageResubmission: false,
+    });
+
     trackEvent('idv_sdk_selfie_image_added', { captureAttempts });
 
-    onChangeAndResetError(image);
+    onChangeAndResetError(image, analyticsPayload);
     onResetFailedCaptureAttempts();
     setIsCapturingEnvironment(false);
   }

app/javascript/packages/document-capture/components/document-side-acuant-capture.jsx → app/javascript/packages/document-capture/components/document-side-acuant-capture.tsx

@@ -1,24 +1,25 @@
+import { useContext } from 'react';
 import { t } from '@18f/identity-i18n';
 import { FormError, FormStepsContext } from '@18f/identity-form-steps';
-import { useContext } from 'react';
+import type {
+  FormStepError,
+  OnErrorCallback,
+  RegisterFieldCallback,
+} from '@18f/identity-form-steps';
 import AcuantCapture from './acuant-capture';
 
-/** @typedef {import('@18f/identity-form-steps').FormStepError<*>} FormStepError */
-/** @typedef {import('@18f/identity-form-steps').RegisterFieldCallback} RegisterFieldCallback */
-/** @typedef {import('@18f/identity-form-steps').OnErrorCallback} OnErrorCallback */
-
-/**
- * @typedef DocumentSideAcuantCaptureProps
- *
- * @prop {'front'|'back'|'selfie'} side
- * @prop {RegisterFieldCallback} registerField
- * @prop {Blob|string|null|undefined} value
- * @prop {(nextValues:{[key:string]: Blob|string|null|undefined})=>void} onChange Update values,
- * merging with existing values.
- * @prop {FormStepError[]} errors
- * @prop {OnErrorCallback} onError
- * @prop {string=} className
- */
+interface DocumentSideAcuantCaptureProps {
+  side: 'front' | 'back' | 'selfie';
+  registerField: RegisterFieldCallback;
+  value: Blob | string | null | undefined;
+  /**
+   * Update values, merging with existing values.
+   */
+  onChange: (nextValues: { [key: string]: Blob | string | null | undefined }) => void;
+  errors: FormStepError<{ front: string; back: string; selfie: string }>[];
+  onError: OnErrorCallback;
+  className?: string;
+}
 
 /**
  * An error representing user declined access to camera.
@@ -31,9 +32,6 @@ export class CameraAccessDeclinedError extends FormError {
   }
 }
 
-/**
- * @param {DocumentSideAcuantCaptureProps} props Props object.
- */
 function DocumentSideAcuantCapture({
   side,
   registerField,
@@ -42,7 +40,7 @@ function DocumentSideAcuantCapture({
   errors,
   onError,
   className,
-}) {
+}: DocumentSideAcuantCaptureProps) {
   const error = errors.find(({ field }) => field === side)?.error;
   const { changeStepCanComplete } = useContext(FormStepsContext);
   return (

app/javascript/packages/phone-input/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.0",
   "dependencies": {
     "intl-tel-input": "^17.0.19",
-    "libphonenumber-js": "^1.10.56"
+    "libphonenumber-js": "^1.10.57"
   },
   "sideEffects": [
     "./index.ts"

app/presenters/account_show_presenter.rb

@@ -1,22 +1,16 @@
 class AccountShowPresenter
-  attr_reader :user, :decrypted_pii, :personal_key, :locked_for_session, :pii,
-              :sp_session_request_url, :sp_name
+  attr_reader :user, :decrypted_pii, :locked_for_session, :pii, :sp_session_request_url, :sp_name
 
-  def initialize(decrypted_pii:, personal_key:, sp_session_request_url:, sp_name:, user:,
+  def initialize(decrypted_pii:, sp_session_request_url:, sp_name:, user:,
                  locked_for_session:)
     @decrypted_pii = decrypted_pii
-    @personal_key = personal_key
     @user = user
     @sp_name = sp_name
     @sp_session_request_url = sp_session_request_url
     @locked_for_session = locked_for_session
     @pii = determine_pii
   end
 
-  def show_personal_key_partial?
-    personal_key.present?
-  end
-
   def show_password_reset_partial?
     user.password_reset_profile.present?
   end
@@ -41,7 +35,6 @@ def show_gpo_partial?
   def showing_any_partials?
     show_service_provider_continue_partial? ||
       show_password_reset_partial? ||
-      show_personal_key_partial? ||
       show_gpo_partial?
   end
 

app/services/doc_auth/mock/result_response.rb

@@ -18,6 +18,7 @@ def initialize(uploaded_file, config, selfie_required = false)
           doc_type_supported: id_type_supported?,
           selfie_live: selfie_live?,
           selfie_quality_good: selfie_quality_good?,
+          selfie_status: selfie_status,
           extra: {
             doc_auth_result: doc_auth_result,
             portrait_match_results: portrait_match_results,
@@ -33,12 +34,12 @@ def errors
         @errors ||= begin
           file_data = parsed_data_from_uploaded_file
 
-          if file_data.blank? || attention_with_barcode?
+          if file_data.blank?
             {}
           else
             doc_auth_result = file_data.dig('doc_auth_result')
             image_metrics = file_data.dig('image_metrics')
-            failed = file_data.dig('failed_alerts')
+            failed = failed_file_data(file_data.dig('failed_alerts')&.dup)
             passed = file_data.dig('passed_alerts')
             face_match_result = file_data.dig('portrait_match_results', 'FaceMatchResult')
             classification_info = file_data.dig('classification_info')
@@ -85,7 +86,7 @@ def pii_from_doc
       end
 
       def success?
-        (errors.blank? || attention_with_barcode?) && id_type_supported?
+        doc_auth_success? && (selfie_check_performed? ? selfie_passed? : true)
       end
 
       def attention_with_barcode?
@@ -254,6 +255,13 @@ def create_response_info(
           extra: { liveness_checking_required: liveness_enabled },
         }.compact
       end
+
+      def failed_file_data(failed_alerts_data)
+        if attention_with_barcode?
+          failed_alerts_data&.delete(ATTENTION_WITH_BARCODE_ALERT)
+        end
+        failed_alerts_data
+      end
     end
   end
 end