Deploy RC 383 to Production

app/assets/stylesheets/_uswds.scss

@@ -14,4 +14,3 @@
 @forward 'usa-skipnav';
 @forward 'usa-tag';
 @forward 'uswds-form-controls';
-@forward 'uswds-utilities';

app/assets/stylesheets/application.css.scss

@@ -3,4 +3,5 @@
 @forward 'uswds';
 @forward 'design-system-waiting-room';
 @forward 'components';
+@forward 'uswds-utilities';
 @forward 'utilities';

app/assets/stylesheets/components/_profile-section.scss

@@ -1,17 +1,5 @@
 @use 'uswds-core' as *;
-@use '../variables/app' as *;
 
 .profile-info-box {
-  border: 0;
-  border-radius: 0;
-  margin-bottom: 0;
-  overflow: hidden;
   padding: units(4);
 }
-
-@include at-media('mobile') {
-  .profile-info-box {
-    border-radius: $border-radius-md;
-    margin-bottom: units(4);
-  }
-}

app/assets/stylesheets/variables/_app.scss

@@ -14,7 +14,6 @@ $sm-h4: 1rem !default;
 $sm-h5: 0.875rem !default;
 $sm-h6: 0.75rem !default;
 
-$border-radius-md: 6px !default;
 $border-radius-xl: 16px !default;
 
 $container-skinny-width: 620px !default;

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -66,7 +66,7 @@ def result
       service_provider: saml_request_service_provider,
       authn_context: requested_authn_contexts,
       authn_context_comparison: saml_request.requested_authn_context_comparison,
-      nameid_format: name_id_format,
+      nameid_format: saml_request.name_id_format,
     )
   end
 
@@ -78,8 +78,8 @@ def validate_and_create_saml_request_object
     @saml_request_validator = SamlRequestValidator.new(blank_cert: true)
   end
 
-  def name_id_format
-    @name_id_format ||= specified_name_id_format || default_name_id_format
+  def response_name_id_format
+    @response_name_id_format ||= specified_name_id_format || default_name_id_format
   end
 
   def specified_name_id_format
@@ -93,9 +93,6 @@ def recognized_name_id_format?
   end
 
   def default_name_id_format
-    if saml_request_service_provider&.email_nameid_format_allowed
-      return Saml::Idp::Constants::NAME_ID_FORMAT_EMAIL
-    end
     Saml::Idp::Constants::NAME_ID_FORMAT_PERSISTENT
   end
 
@@ -170,7 +167,7 @@ def attribute_asserter(principal)
     AttributeAsserter.new(
       user: principal,
       service_provider: saml_request_service_provider,
-      name_id_format: name_id_format,
+      name_id_format: response_name_id_format,
       authn_request: saml_request,
       decrypted_pii: decrypted_pii,
       user_session: user_session,
@@ -190,7 +187,7 @@ def build_asserted_attributes(principal)
   def saml_response
     encode_response(
       current_user,
-      name_id_format: name_id_format,
+      name_id_format: response_name_id_format,
       authn_context_classref: response_authn_context,
       reference_id: active_identity.session_uuid,
       encryption: encryption_opts,

app/controllers/idv/how_to_verify_controller.rb

@@ -12,19 +12,15 @@ class HowToVerifyController < ApplicationController
     check_or_render_not_found -> { self.class.enabled? }
 
     def show
-      @selection = if idv_session.skip_doc_auth == false
-                     Idv::HowToVerifyForm::REMOTE
-      elsif idv_session.skip_doc_auth == true
-        Idv::HowToVerifyForm::IPP
-      end
-
       analytics.idv_doc_auth_how_to_verify_visited(**analytics_arguments)
-      @idv_how_to_verify_form = Idv::HowToVerifyForm.new(selection: @selection)
+      @idv_how_to_verify_form = Idv::HowToVerifyForm.new
     end
 
     def update
       clear_future_steps!
-      result = Idv::HowToVerifyForm.new.submit(how_to_verify_form_params)
+      @idv_how_to_verify_form = Idv::HowToVerifyForm.new
+      result = @idv_how_to_verify_form.submit(how_to_verify_form_params)
+
       if how_to_verify_form_params[:selection] == []
         sendable_form_params = {}
       else
@@ -48,10 +44,8 @@ def update
           idv_session.skip_doc_auth_from_how_to_verify = true
           redirect_to idv_document_capture_url
         end
-
       else
-        flash[:error] = result.first_error_message
-        redirect_to idv_how_to_verify_url
+        render :show, locals: { error: result.first_error_message }
       end
     end
 

app/controllers/two_factor_authentication/backup_code_verification_controller.rb

@@ -22,9 +22,7 @@ def show
     def create
       @backup_code_form = BackupCodeVerificationForm.new(current_user)
       result = @backup_code_form.submit(backup_code_params)
-      analytics.track_mfa_submit_event(
-        result.to_h.merge(new_device: new_device?),
-      )
+      analytics.multi_factor_auth(**result.to_h.merge(new_device: new_device?))
       irs_attempts_api_tracker.mfa_login_backup_code(success: result.success?)
       handle_result(result)
     end

app/controllers/two_factor_authentication/otp_verification_controller.rb

@@ -136,7 +136,7 @@ def post_analytics(result)
       properties = result.to_h.merge(analytics_properties, new_device: new_device?)
       analytics.multi_factor_auth_setup(**properties) if context == 'confirmation'
 
-      analytics.track_mfa_submit_event(properties)
+      analytics.multi_factor_auth(**properties)
 
       if UserSessionContext.reauthentication_context?(context)
         irs_attempts_api_tracker.mfa_login_phone_otp_submitted(

app/controllers/two_factor_authentication/personal_key_verification_controller.rb

@@ -32,7 +32,10 @@ def track_analytics(result)
         new_device: new_device?,
       )
 
-      analytics.track_mfa_submit_event(analytics_hash)
+      analytics.multi_factor_auth(
+        **analytics_hash,
+        pii_like_keypaths: [[:errors, :personal_key], [:error_details, :personal_key]],
+      )
     end
 
     def check_personal_key_enabled

app/controllers/two_factor_authentication/piv_cac_verification_controller.rb

@@ -30,9 +30,7 @@ def redirect_to_piv_cac_service
 
     def process_token
       result = piv_cac_verification_form.submit
-      analytics.track_mfa_submit_event(
-        result.to_h.merge(analytics_properties),
-      )
+      analytics.multi_factor_auth(**result.to_h.merge(analytics_properties))
       irs_attempts_api_tracker.mfa_login_piv_cac(
         success: result.success?,
         subject_dn: piv_cac_verification_form.x509_dn,

app/controllers/two_factor_authentication/totp_verification_controller.rb

@@ -21,7 +21,7 @@ def show
 
     def create
       result = TotpVerificationForm.new(current_user, params.require(:code).strip).submit
-      analytics.track_mfa_submit_event(result.to_h.merge(new_device: new_device?))
+      analytics.multi_factor_auth(**result.to_h.merge(new_device: new_device?))
       irs_attempts_api_tracker.mfa_login_totp(success: result.success?)
 
       if result.success?

app/controllers/two_factor_authentication/webauthn_verification_controller.rb

@@ -18,7 +18,7 @@ def show
 
     def confirm
       result = form.submit
-      analytics.track_mfa_submit_event(
+      analytics.multi_factor_auth(
         **result.to_h,
         **analytics_properties,
         multi_factor_auth_method_created_at:

app/controllers/users/backup_code_setup_controller.rb

@@ -80,16 +80,7 @@ def confirm_backup_codes; end
     private
 
     def validate_multi_mfa_selection
-      if IdentityConfig.store.backup_code_confirm_setup_screen_enabled
-        redirect_to backup_code_confirm_setup_url unless in_multi_mfa_selection_flow?
-      else
-        redirect_to root_url unless internal_referrer?
-      end
-    end
-
-    def internal_referrer?
-      UserSessionContext.reauthentication_context?(context) ||
-        session[:account_redirect_path] || in_multi_mfa_selection_flow?
+      redirect_to backup_code_confirm_setup_url unless in_multi_mfa_selection_flow?
     end
 
     def analytics_properties_for_visit

app/controllers/users/two_factor_authentication_controller.rb

@@ -321,9 +321,14 @@ def send_user_otp(method)
     end
 
     def otp_length
-      bucket = AbTests::IDV_TEN_DIGIT_OTP.bucket(current_user.uuid)
-      length = bucket == :ten_digit_otp ? 'ten' : 'six'
-      I18n.t("telephony.format_length.#{length}")
+      configured_length = TwoFactorAuthenticatable::DIRECT_OTP_LENGTH
+      if configured_length == 6
+        I18n.t('telephony.format_length.six')
+      elsif configured_length == 10
+        I18n.t('telephony.format_length.ten')
+      else
+        raise "Missing translation for OTP length: #{configured_length}"
+      end
     end
 
     def user_selected_default_number

app/forms/idv/how_to_verify_form.rb

@@ -9,8 +9,13 @@ class HowToVerifyForm
 
     attr_reader :selection
 
-    validates :selection,
-              presence: { message: proc { I18n.t('errors.doc_auth.how_to_verify_form') } }
+    validates :selection, presence: {
+      message: proc { I18n.t('errors.doc_auth.how_to_verify_form') },
+    }
+    validates :selection, inclusion: {
+      in: [REMOTE, IPP],
+      message: proc { I18n.t('errors.doc_auth.how_to_verify_form') },
+    }
 
     def initialize(selection: nil)
       @selection = selection

app/javascript/packages/phone-input/package.json

@@ -4,7 +4,7 @@
   "version": "1.0.0",
   "dependencies": {
     "intl-tel-input": "^17.0.19",
-    "libphonenumber-js": "^1.11.1"
+    "libphonenumber-js": "^1.11.2"
   },
   "sideEffects": [
     "./index.ts"

app/models/user.rb

@@ -428,10 +428,6 @@ def has_devices?
     !recent_devices.empty?
   end
 
-  def new_device?(cookie_uuid:)
-    !cookie_uuid || !devices.exists?(cookie_uuid:)
-  end
-
   def authenticated_device?(cookie_uuid:)
     return false if cookie_uuid.blank?
     devices.joins(:events).exists?(cookie_uuid:, events: { event_type: :sign_in_after_2fa })

app/services/analytics.rb

@@ -52,13 +52,6 @@ def first_event_this_session?
     session[:first_event]
   end
 
-  def track_mfa_submit_event(attributes)
-    multi_factor_auth(
-      **attributes,
-      pii_like_keypaths: [[:errors, :personal_key], [:error_details, :personal_key]],
-    )
-  end
-
   def request_attributes
     attributes = {
       user_ip: request.remote_ip,

app/services/analytics_events.rb

@@ -3730,6 +3730,7 @@ def logout_initiated(
 
   # @param [Boolean] success Whether authentication was successful
   # @param [Hash] errors Authentication error reasons, if unsuccessful
+  # @param [Hash] error_details Details for error that occurred in unsuccessful submission
   # @param [String] context
   # @param [Boolean] new_device
   # @param [String] multi_factor_auth_method
@@ -3748,6 +3749,7 @@ def logout_initiated(
   def multi_factor_auth(
     success:,
     errors: nil,
+    error_details: nil,
     context: nil,
     new_device: nil,
     multi_factor_auth_method: nil,
@@ -3767,24 +3769,27 @@ def multi_factor_auth(
   )
     track_event(
       'Multi-Factor Authentication',
-      success: success,
-      errors: errors,
-      context: context,
-      new_device: new_device,
-      multi_factor_auth_method: multi_factor_auth_method,
-      multi_factor_auth_method_created_at: multi_factor_auth_method_created_at,
-      auth_app_configuration_id: auth_app_configuration_id,
-      piv_cac_configuration_id: piv_cac_configuration_id,
-      key_id: key_id,
-      webauthn_configuration_id: webauthn_configuration_id,
-      confirmation_for_add_phone: confirmation_for_add_phone,
-      phone_configuration_id: phone_configuration_id,
-      pii_like_keypaths: pii_like_keypaths,
-      area_code: area_code,
-      country_code: country_code,
-      phone_fingerprint: phone_fingerprint,
-      frontend_error:,
-      **extra,
+      {
+        success: success,
+        errors: errors,
+        error_details: error_details,
+        context: context,
+        new_device: new_device,
+        multi_factor_auth_method: multi_factor_auth_method,
+        multi_factor_auth_method_created_at: multi_factor_auth_method_created_at,
+        auth_app_configuration_id: auth_app_configuration_id,
+        piv_cac_configuration_id: piv_cac_configuration_id,
+        key_id: key_id,
+        webauthn_configuration_id: webauthn_configuration_id,
+        confirmation_for_add_phone: confirmation_for_add_phone,
+        phone_configuration_id: phone_configuration_id,
+        pii_like_keypaths: pii_like_keypaths,
+        area_code: area_code,
+        country_code: country_code,
+        phone_fingerprint: phone_fingerprint,
+        frontend_error:,
+        **extra,
+      }.compact,
     )
   end
 

app/services/reporting/total_user_count_report.rb

@@ -60,13 +60,13 @@ def total_user_count
 
     def verified_user_count
       Reports::BaseReport.transaction_with_timeout do
-        Profile.where(active: true).where('activated_at <= ?', end_date).count
+        Profile.where(active: true).where('verified_at <= ?', end_date).count
       end
     end
 
     def new_verified_user_count
       Reports::BaseReport.transaction_with_timeout do
-        Profile.where(active: true).where(activated_at: current_month).count
+        Profile.where(active: true).where(verified_at: current_month).count
       end
     end
 
@@ -79,7 +79,7 @@ def annual_total_user_count
     def annual_verified_user_count
       Reports::BaseReport.transaction_with_timeout do
         Profile.where(active: true).
-          where(activated_at: annual_start_date..annual_end_date).
+          where(verified_at: annual_start_date..annual_end_date).
           count
       end
     end