LG-14830 | Send ID type to AAMVA

[n1zyy]

changelog: Internal, Identity Proofing, Send state ID type to AAMVA

🎫 Ticket

Link to the relevant ticket:
LG-14830

🛠 Summary of changes

As part of identity proofing, we classify the uploaded identity document: is it a driver's license or an non-driver ID card?

DLDV has a field for this, DocumentCategoryCode. We have some code in place to send this information, but at the API layer we don't actually do so. Sending this information should, at a minimum, help ID card holders in a few states proof successfully: MS and PA, which are among the country's hardest-to-spell states, only return ID Card results if DocumentCategoryCode is set appropriately.

This work is behind a feature flag for the unlikely case that this change in how we use their API has unexpected side effects.

🧑‍💼 Still to do

• Update test to cover the case where ID type is nil
• Stop hardcoding the value
• Test return types Existing tests already do this

[n1zyy]

I want to run this by Team Joy. I think I hadn't initially grokked exactly what this was doing.

In doc auth, we have state_id_type from another vendor's response and can pass that to AAMVA. This, however, is in the IPP flow, where data parsed from the image of the driver's license is unavailable, because the user is not taking this path. This code was setting it to drivers_license, which is the most common value.

It turns out that, in VerificationRequest, we were never (whether IPP or not) actually sending state_id_type to AAMVA, ever. We passed it down the chain thinking we were, but it was (seemingly inadvertently) left out of the XML template.

I think there are 3 options we could take in this controller here:

1. Continue just claiming the document is a driver's license when we don't know, because it's correct the majority of a time.
2. Ask the user, in the UI, if they are using a Driver's License or (non-driver) ID Card, and send that value.
3. Remove this block and do not send state_id_type to AAMVA when we don't have that information.

I went for option 3 here, which feels most correct. We know it's OK to not send because that's currently what we do for everyone. Option 2 could be added later if Team Joy wants.

[matthinz]

FTR I agree we should not send this information to AAMVA unless the user has actually given it to us (or maybe in some states we can suss out the document type based on the format of the ID number? I don't actually know)

[gina-yamada]

Sorry so late getting to this. I agree, option 3 seems like the best path. I will talk with product about option 2. No need to implement new behavior in your pr

[n1zyy]

This is feature-flagged so we can disable this if for some reason it goes awry.

[matthinz]

👍 We should add a ticket to remove the feature flag if we don't encounter any issues having it enabled.

[n1zyy]

I haven't seen this in the wild in Cloudwatch, but it's listed in other classes as an allowed type, and is something AAMVA supports.

[matthinz]

I only see this mentioned in the mock client? Can we just remove it there and then remove this (maybe leave a comment that AAMVA supports "2" to mean drivers permit?)

[n1zyy]

I was conflicted about this.

I didn't see it in Cloudwatch but wasn't positive if that's because it was very uncommon (most people with permits are probably minors, and people with a permit probably tend to upgrade it to a driver's license within a year or so), or because it's not supported.

My instinct is to keep it in the API client, partly for documentation and partly in case we start sending it some day.

However, I don't feel strongly at all if you think it's best to remove.

[n1zyy]

This caused a lot of grief in tests. AFAICT, the non-mock client does not require the presence of state_id_type. (See, e.g., null/empty-string responses in Cloudwatch.) The mock client shouldn't implement validation that real clients don't have and that does not serve a clear purpose.

[n1zyy]

This was explicitly testing that we shoehorned 'drivers_license' in from the VerifyInfoController, which I ripped out.

[n1zyy]

This is the let(:in_person_path_proofing_results) block. As discussed above, we don't set this for IPP now.

[matthinz]

[lmgeorge]

(suggestion, non-blocking): It would be great if this was stored as a const at the top of the class.
(:wishes fruitlessly that Ruby supported enums:)

[lmgeorge]

(question): Do we want to set this to true and then disable in prod instead?

[lmgeorge]

(suggestion, non-blocking): This is more of a regression testing thing, but it would be good to have an expectation that ensures we aren't sending state_id_type as hash_including cannot assert the absence of a key-value pair.

[n1zyy]

This is a weird case and I'm on the fence. My approach with this was that it is no longer reasonable to require state_id_type's presence, but I'm not sure I'd go as far as requiring its absence here. "The controller no longer overwrites the value with a lie" feels like a kind of weird regression test after I ripped that code out.

[lmgeorge]

Overall, looks good. Have a couple of small suggestions/questions, but don't want that to be a blocker to getting this shipped.

[n1zyy]

"This looks misformatted!," you might argue. I totally agree! But this is what the code generates.

[n1zyy]

I think this is some DOS vs. UNIX line endings cursedness. There is not an extra newline at the end; it's just a plain text file. This came in when I edited the file.

[n1zyy]

"This is disgusting!," you might protest again. And again, I agree.

I am going to file a followup story or five, because:

1. As @lmgeorge pointed out, expecting absolute string equality when comparing XML documents isn't quite right.
2. add_optional_element is somehow leading to ugly mis-indentation.
3. I tried to clean it up with REXML::Formatters::Pretty but somehow made an even bigger mess that complained it wasn't valid XML. And if we're going to format our XML nicely, I want us to be sending it to AAMVA that way, not just cleaning it up for a test.