LG-14231: Users can't access accounts after enrollment expires

[eileen-nava]

🎫 Ticket

LG-14231: Expired enrollments put users in broken account state

🛠 Summary of changes

• The GetUspsProofingResultsJob, when it expires in_person_enrollments, will now also mark the associated profile's in_person_verification_pending_at field as nil and mark the profile as inactive.
• This was meant to fix a bug described below

1. a user does IPP verification online
2. doesn’t go to the post office within the necessary time and their enrollment expires
3. after the enrollment expires, they log into login.gov and can’t access their account due to a 500

Related PR: Bug fix for PR10847 - Verified pending states

📜 Testing Plan

• Login through the oidc sinatra application selecting the Enhanced In-Person Proofing level of service.
• Create a new account
• Complete the in-person enrollment flow reaching the barcode (ready_to_verify page)
• Use the rails console to update the enrollment to have a past-due due date

enrollment = InPersonEnrollment.last
enrollment.days_to_due_date ==> 6
enrollment.update!(enrollment_established_at: enrollment.created_at - 8.days)
enrollment.days_to_due_date => -1
job =GetUspsProofingResultsJob.new 
job.instance_variable_set('@enrollment_outcomes', { enrollments_expired: 0, enrollments_ch
ecked: 0 }) 
job.send(:check_enrollment, enrollment)
enrollment.reload

• Refresh the page and confirm that you don't see a 500.

Then, examine the profile with the below command
enrollment.profile

Confirm that

• the profile is not active
• the profile in_person_verification_pending_at field is nil

[aduth]

How should we handle existing expired in-person enrollments?

Can we add a test for the identity verification view that had been raising exceptions, to include a context case that would fail on main for the expired enrollment?

[aduth]

Seeing that this largely follows from the equivalent GPO behavior, would we have a similar need to track the "expired at" value as is done with GPO?

[eileen-nava]

If we need to see when an in_person_enrollment was expired, we could inspect the in_person_enrollment's status_check_completed_at field. It's set in the GetUspsProofingResultsJob when we expire an enrollment.

[matthinz]

I think for parity with other profile features we should get an ipp_enrollment_expired_at field added to Profile, then use the status_check_completed_at to seed those values.

[matthinz]

(That does not need to block this PR though)

[aduth]

Should this be done in the factory trait for pending in-person enrollments?

[eileen-nava]

We have a ticket for refactoring the in_person_enrollments factory, LG-14237. I agree that this isn't the ideal set-up, but due to the time-sensitive nature of the bug, this was the approach we took.

[aduth]

Might recommend writing tests for this in spec/models/profile_spec.rb

[eileen-nava]

See 554c8f6.

[aduth]

Approving since I think it helps stem future issues, but still curious about existing ones.