Merged
Conversation
* LG-7434: Allow cross origin for POST OIDC Logout

**Why**:
- It is expected that requests will be made by relying parties on external domains
- The specification for OpenID Connect RP-Initiated Logout 1.0 requires both HTTP `GET` and `POST` methods to be supported. See: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout

**How**:
- The same OpenID Provider endpoint shall be used, `/openid_connect/logout`, but the request data must be sent as part of the body and use form serialization as required for HTTP `POST` requests (RFC 9110, sec. 9.3.3).
- Disables Rails' CSRF token verification for the POST route only
- `POST` requests will redirect to the `GET` endpoint on the OpenID Provider's API for consistent behavior and handling.

resolves https://gitlab.login.gov/lg-people/lg-people-appdev/protocols/openid-connect/-/issues/3

changelog: Bug Fixes, Security, Fix CORS stopping POST for OIDC RP-Initiated Logout 1.0
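The POST-to-GET handoff described in the commit above, as an added illustration that is not the project's own controller code: a cross-origin relying party submits a form-encoded body to the logout endpoint, the server keeps only the parameters defined by RP-Initiated Logout 1.0 (section 2 of the linked spec), and answers with a redirect to the `GET` endpoint carrying the same parameters in the query string. The CSRF token check is skipped for the POST route only because the request originates on the RP's domain and cannot carry the provider's session CSRF token. The host name, the use of status 303 for the redirect, and the sample form body are assumptions for the example, not values from the page.

```ruby
require 'uri'

# Parameters defined by OpenID Connect RP-Initiated Logout 1.0, section 2.
# Anything else in the POST body is dropped rather than forwarded.
LOGOUT_PARAMS = %w[id_token_hint logout_hint client_id post_logout_redirect_uri state ui_locales].freeze

# The single OpenID Provider logout endpoint shared by GET and POST.
LOGOUT_GET_PATH = '/openid_connect/logout'

# Parse an application/x-www-form-urlencoded POST body (form serialization
# as required for HTTP POST by RFC 9110, sec. 9.3.3).
def parse_form_body(body)
  URI.decode_www_form(body).to_h
end

# Keep only spec-defined logout parameters, in the order the RP sent them.
def logout_params(params)
  params.select { |name, _| LOGOUT_PARAMS.include?(name) }
end

# Location header for the redirect from the POST route to the GET route.
# The host is an assumed placeholder for the example.
def logout_redirect_location(form_body, host: 'idp.example.test')
  query = URI.encode_www_form(logout_params(parse_form_body(form_body)))
  URI::HTTPS.build(
    host: host,
    path: LOGOUT_GET_PATH,
    query: (query.empty? ? nil : query),
  ).to_s
end

# Minimal stand-in for the controller: GET handles the logout, POST redirects
# to GET so both methods end up in the same handling path.
def handle_logout(method:, body: '', host: 'idp.example.test')
  case method
  when 'POST'
    # No CSRF token verification here: the RP's cross-origin form submission
    # cannot hold the provider's CSRF token, and the route carries no session
    # mutation itself; it only forwards the spec parameters to GET.
    { status: 303, headers: { 'Location' => logout_redirect_location(body, host: host) } }
  when 'GET'
    { status: 200, headers: {} }
  else
    { status: 405, headers: { 'Allow' => 'GET, POST' } }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample body from a relying party; `junk` is not a spec parameter.
  sample = 'id_token_hint=abc.def.ghi&post_logout_redirect_uri=https%3A%2F%2Frp.example.test%2Fbye&state=xyz&junk=1'
  p handle_logout(method: 'POST', body: sample)
end
```

The redirect is a 303 See Other so that the user agent re-issues the request as a `GET` regardless of how it treats 302 after a POST; the parameter allow-list keeps unexpected form fields from being reflected into the redirect URL.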
changelog: Internal, OIDC, Fix missing action for OIDC test route
We performed an A/B test to determine which of the following saw higher rates of OTP confirmation for voice OTPs:

1. 6 character alphanumeric OTPs
2. 10 digit voice OTPs

Analysis of the results determined that 10 digit numeric voice OTPs outperform 6 character alphanumeric voice OTPs. This commit makes the state where 10 digit voice OTPs are sent during proofing the state for all users requesting voice OTPs during proofing. This commit also removes the code to support the A/B test.

[skip changelog]
In #10722 we added an argument for passing the service provider issuer to the `ResolutionProofingJob`; eventually this will be used for things like computing SP costs, creating `DocAuthLog` records, and determining the UUID prefix in the job. This commit starts passing the issuer to the job but does not start using it. In order to ensure that results are consistent, a future commit will start reading the issuer once all of the web hosts are passing it to the job. This can only be safely merged once #10722 is fully deployed.

[skip changelog]
…10724)

We ran an A/B test in late 2023 to measure differences between LexisNexis InstantVerify workflows. That test concluded on 01/03/2024. The code to support it got left behind. This commit removes it.

[skip changelog]
changelog: Internal, Configuration, Remove unused configuration keys
* LG-13269: Add Accessibility Statement link to footer

  changelog: User-Facing Improvements, Footer Links, Add Accessibility Statement link to footer
* Reduce spacing at small viewports

  Avoid collapsing on mobile as much as possible
* Remove margin from language picker at mobile
* Temporarily exempt missing translation key
* Add DoS translations for accessibility statement
* Normalize YAML
…10735)

changelog: Internal, Database, Remove unused database field
* Document analytics for critical-path sign-in flow

  changelog: Internal, Analytics, Document analytics for critical-path sign-in flow
* Remove unnecessary allowed_extra_analytics
* Restore allowed_extra_analytics
* Fix typos and readability

  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* LG-13419: Fix new device notification on reauthentication

  changelog: Upcoming Features, Aggregated Sign-In Email, Fix new device notification on reauthentication
* Add spec coverage for authenticating with PIV
* Make set_new_device_session argument non-optional

  See: #10731 (comment)
* Update existing assertions for set_new_device_session
changelog: Internal, Analytics, Remove sp_request_requested_attributes from completion events
- Accidentally forgot to commit as part of #10720

changelog: Internal, Source code, Increase unit test coverage
* Move log_irs_threatmetrix_fraud_check_event to VerifyInfoConcern

  Couple changes:
  1. Move log_irs_threatmetrix_fraud_check_event to VerifyInfoConcern
  2. Move the logging out of `add_proofing_costs`, which we are trying to move out of VerifyInfoConcern

  [skip changelog]
* Restore comment about source of transaction_id
* Split log_irs_threatmetrix_fraud_check_event into two methods

  This method does two separate things:
  1. Create a FraudReviewRequest that is used to track a user's fraud review
  2. Sends an event to the attempts api

  So this commit splits it in two.
* Move log_irs_threatmetrix_fraud_check_event to VerifyInfoConcern

  Couple changes:
  1. Move log_irs_threatmetrix_fraud_check_event to VerifyInfoConcern
  2. Move the logging out of `add_proofing_costs`, which we are trying to move out of VerifyInfoConcern

  [skip changelog]
* Restore comment about source of transaction_id
* Split log_irs_threatmetrix_fraud_check_event into two methods

  This method does two separate things:
  1. Create a FraudReviewRequest that is used to track a user's fraud review
  2. Sends an event to the attempts api

  So this commit splits it in two.
* Remove unused AAMVA DocAuthLog tracking

  This state_tracking_enabled flag was never turned on in prod, and as a result this entire method is not used.

  [skip changelog]
* Add `aamva` to ignored_columns for DocAuthLog

  We aren't using this column and will want to drop it someday.
* Remove references to DocAuthLog.aamva in specs
* Update to newest saml_idp
* changelog: Bug Fixes, SAML validation, Fixes namespacing issue on the DigestMethod node
changelog: Internal, Dependencies, Update dependencies to resolve security advisories
* Remove unused Attempts API code

  changelog: Internal, Code Quality, Remove unused Attempts API code
* Revert query changes to exclude IRS Attempts API events

  See: #10732 (comment)
* Inline rate_limit_reached with arguments

  See: #10732 (comment)

  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Revert adding ignored_columns for irs_attempts_api_enabled

  See: #10732 (comment)

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* changelog: User-Facing Improvements, Personal key profile recovery, add label for personal key input
* remove aria-label
Adds "Fraud review rejected" to report.

changelog: Internal, Reporting, Adds users failing fraud review to DIVR
zachmargolis
approved these changes
Jun 3, 2024
jmhooper
approved these changes
Jun 3, 2024
Contributor
since #10734 was reverted, should we remove it from the description?
Contributor
Author
Yep, good call. 👍 Updated.
User-Facing Improvements
Bug Fixes
Internal
Upcoming Features