Deploy RC 453 to Production

Gemfile.lock

@@ -461,7 +461,7 @@ GEM
     net-ssh (6.1.0)
     newrelic_rpm (9.7.0)
     nio4r (2.7.4)
-    nokogiri (1.18.2)
+    nokogiri (1.18.3)
       mini_portile2 (~> 2.8.2)
       racc (~> 1.4)
     numbers_and_words (0.11.12)

app/components/captcha_submit_button_component.html.erb

@@ -1,3 +1,9 @@
+<% content_for :early_head do %>
+  <% if recaptcha_script_src.present? %>
+    <%= content_tag(:script, '', src: recaptcha_script_src, async: true) %>
+  <% end %>
+<% end %>
+
 <%= content_tag(
       :'lg-captcha-submit-button',
       **tag_options,
@@ -34,7 +40,5 @@
         wide: true,
         **button_options,
       ).with_content(content) %>
-  <% if recaptcha_script_src.present? %>
-    <%= content_tag(:script, '', src: recaptcha_script_src, async: true) %>
-  <% end %>
+
 <% end %>

app/components/tab_navigation_component.scss

@@ -16,6 +16,7 @@
     @include u-padding(1.5);
     border-radius: 1.375rem;
     width: 100%;
+    text-align: center;
   }
 
   .usa-button--unstyled {

app/controllers/concerns/fraud_review_concern.rb

@@ -32,7 +32,7 @@ def handle_fraud_rejection
   # bypassing the typical flow of showing the Please Call or Fraud Rejection screens.
   def in_person_prevent_fraud_redirection?
     IdentityConfig.store.in_person_proofing_enforce_tmx &&
-      current_user.ipp_enrollment_status_not_passed? &&
+      current_user.ipp_enrollment_status_not_passed_or_in_fraud_review? &&
       (fraud_review_pending? || fraud_rejection?)
   end
 

app/controllers/concerns/idv/document_capture_concern.rb

@@ -34,6 +34,7 @@ def error_hash(message)
         message: message || I18n.t('doc_auth.errors.general.network_error'),
         socure: stored_result&.errors&.dig(:socure),
         pii_validation: stored_result&.errors&.dig(:pii_validation),
+        unaccepted_id_type: stored_result&.errors&.dig(:unaccepted_id_type),
       }
     end
 

app/controllers/concerns/idv/socure_errors_concern.rb

@@ -12,7 +12,9 @@ def remaining_attempts
     end
 
     def error_code_for(result)
-      if result.errors[:socure]
+      if result.errors[:unaccepted_id_type]
+        :unaccepted_id_type
+      elsif result.errors[:socure]
         result.errors.dig(:socure, :reason_codes).first
       elsif result.errors[:network]
         :network

app/controllers/concerns/mfa_deletion_concern.rb

@@ -4,7 +4,7 @@ module MfaDeletionConcern
   include RememberDeviceConcern
 
   def handle_successful_mfa_deletion(event_type:)
-    create_user_event(event_type) if event_type
+    create_user_event(event_type)
     revoke_remember_device(current_user)
     event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
     PushNotification::HttpPush.deliver(event)

app/controllers/concerns/rate_limit_concern.rb

@@ -36,9 +36,8 @@ def final_submission_passed?
     return false if doc_session_uuid.blank?
 
     document_capture_session = DocumentCaptureSession.find_by(uuid: doc_session_uuid)
-    return false if document_capture_session.nil?
 
-    document_capture_session.last_doc_auth_result == 'Passed'
+    !!document_capture_session&.load_result&.success?
   end
 
   def confirm_not_rate_limited_for_phone_and_letter_address_verification

app/controllers/concerns/verify_profile_concern.rb

@@ -27,7 +27,7 @@ def pending_profile_policy
   # bypassing the typical flow of showing the Please Call or Fraud Rejection screens.
   def user_failed_ipp_with_fraud_review_pending?
     IdentityConfig.store.in_person_proofing_enforce_tmx &&
-      current_user.ipp_enrollment_status_not_passed? &&
+      current_user.ipp_enrollment_status_not_passed_or_in_fraud_review? &&
       current_user.fraud_review_pending?
   end
 end

app/controllers/idv/hybrid_mobile/socure/document_capture_controller.rb

@@ -11,14 +11,18 @@ class DocumentCaptureController < ApplicationController
         include SocureErrorsConcern
 
         check_or_render_not_found -> { IdentityConfig.store.socure_docv_enabled }
+        before_action :check_valid_document_capture_session
         before_action :validate_step_not_completed, only: [:show]
-        before_action :check_valid_document_capture_session, except: [:update]
         before_action -> do
           redirect_to_correct_vendor(Idp::Constants::Vendors::SOCURE, in_hybrid_mobile: true)
         end, only: :show
         before_action :fetch_test_verification_data, only: [:update]
 
         def show
+          if rate_limiter.limited?
+            redirect_to idv_hybrid_mobile_capture_complete_url
+          end
+
           session[:socure_docv_wait_polling_started_at] = nil
 
           Funnel::DocAuth::RegisterStep.new(document_capture_user.id, sp_session[:issuer])
@@ -74,15 +78,19 @@ def update
             **result.to_h.merge(analytics_arguments),
           )
 
-          if result.success?
+          if result.success? || rate_limiter.limited?
             redirect_to idv_hybrid_mobile_capture_complete_url
           else
             redirect_to idv_hybrid_mobile_socure_document_capture_errors_url
           end
         end
 
         def errors
-          @presenter = socure_errors_presenter(handle_stored_result)
+          result = handle_stored_result(
+            user: document_capture_user,
+            store_in_session: false,
+          )
+          @presenter = socure_errors_presenter(result)
         end
 
         private
@@ -103,7 +111,8 @@ def socure_errors_presenter(result)
         end
 
         def wait_for_result?
-          return false if stored_result.present?
+          document_capture_session.reload unless document_capture_session.result_id
+          return false if document_capture_session.load_result.present?
 
           # If the stored_result is nil, the job fetching the results has not completed.
           analytics.idv_doc_auth_document_capture_polling_wait_visited(**analytics_arguments)
@@ -141,6 +150,13 @@ def analytics_arguments
             pii_like_keypaths: [[:pii]],
           }
         end
+
+        def rate_limiter
+          @rate_limiter ||= RateLimiter.new(
+            user: document_capture_user,
+            rate_limit_type: :idv_doc_auth,
+          )
+        end
       end
     end
   end

app/controllers/idv/hybrid_mobile/socure/errors_controller.rb

@@ -10,10 +10,16 @@ class ErrorsController < ApplicationController
         include StepIndicatorConcern
         include SocureErrorsConcern
 
+        before_action :check_valid_document_capture_session
+
         def show
           error_code = error_params[:error_code]
           if error_code.nil?
-            error_code = error_code_for(handle_stored_result)
+            result = handle_stored_result(
+              user: document_capture_session.user,
+              store_in_session: false,
+            )
+            error_code = error_code_for(result)
           end
           track_event(error_code: error_code)
           @presenter = socure_errors_presenter(error_code)
@@ -39,7 +45,7 @@ def error_params
         end
 
         def rate_limiter
-          RateLimiter.new(user: document_capture_session&.user, rate_limit_type: :idv_doc_auth)
+          RateLimiter.new(user: document_capture_session.user, rate_limit_type: :idv_doc_auth)
         end
 
         def remaining_submit_attempts
@@ -67,7 +73,7 @@ def socure_errors_presenter(error_code)
         end
 
         def service_provider
-          @service_provider ||= ServiceProvider.find_by(issuer: document_capture_session&.issuer)
+          @service_provider ||= ServiceProvider.find_by(issuer: document_capture_session.issuer)
         end
       end
     end

app/controllers/idv/please_call_controller.rb

@@ -15,12 +15,12 @@ def show
       analytics.idv_please_call_visited
       pending_at = current_user.fraud_review_pending_profile.fraud_review_pending_at
       @call_by_date = pending_at + FRAUD_REVIEW_CONTACT_WITHIN_DAYS
-      @in_person = ipp_enabled_and_enrollment_passed?
+      @in_person = ipp_enabled_and_enrollment_passed_or_in_fraud_review?
     end
 
-    def ipp_enabled_and_enrollment_passed?
+    def ipp_enabled_and_enrollment_passed_or_in_fraud_review?
       return unless in_person_tmx_enabled?
-      in_person_proofing_enabled? && ipp_enrollment_passed?
+      in_person_proofing_enabled? && (ipp_enrollment_passed? || ipp_enrollment_in_fraud_review?)
     end
 
     private
@@ -43,5 +43,9 @@ def in_person_tmx_enabled?
     def ipp_enrollment_passed?
       current_user&.in_person_enrollment_status == 'passed'
     end
+
+    def ipp_enrollment_in_fraud_review?
+      current_user&.in_person_enrollment_status == 'in_fraud_review'
+    end
   end
 end

app/controllers/idv/socure/document_capture_controller.rb

@@ -109,7 +109,8 @@ def self.step_info
       private
 
       def wait_for_result?
-        return false if stored_result.present?
+        document_capture_session.reload unless document_capture_session.result_id
+        return false if document_capture_session.load_result.present?
 
         # If the stored_result is nil, the job fetching the results has not completed.
         analytics.idv_doc_auth_document_capture_polling_wait_visited(**analytics_arguments)

app/controllers/idv/socure/errors_controller.rb

@@ -69,7 +69,9 @@ def socure_errors_presenter(error_code)
       end
 
       def error_code_for(result)
-        if result.errors[:socure]
+        if result.errors[:unaccepted_id_type]
+          :unaccepted_id_type
+        elsif result.errors[:socure]
           result.errors.dig(:socure, :reason_codes).first
         elsif result.errors[:network]
           :network

app/controllers/idv/welcome_controller.rb

@@ -62,8 +62,9 @@ def create_document_capture_session
 
     def cancel_previous_in_person_enrollments
       return unless IdentityConfig.store.in_person_proofing_enabled
-      UspsInPersonProofing::EnrollmentHelper
-        .cancel_establishing_and_pending_enrollments(current_user)
+      UspsInPersonProofing::EnrollmentHelper.cancel_establishing_and_in_progress_enrollments(
+        current_user,
+      )
     end
   end
 end

app/controllers/users/backup_code_setup_controller.rb

@@ -59,7 +59,7 @@ def refreshed
 
     def delete
       current_user.backup_code_configurations.destroy_all
-      handle_successful_mfa_deletion(event_type: nil)
+      handle_successful_mfa_deletion(event_type: :backup_codes_removed)
       flash[:success] = t('notices.backup_codes_deleted')
       if in_multi_mfa_selection_flow?
         redirect_to authentication_methods_setup_path

app/forms/backup_code_verification_form.rb

@@ -24,7 +24,6 @@ def submit(params)
       success: valid?,
       errors:,
       extra: extra_analytics_attributes,
-      serialize_error_details_only: true,
     )
   end
 

app/forms/frontend_error_form.rb

@@ -13,7 +13,7 @@ def submit(filename:, error_id:)
     @filename = filename
     @error_id = error_id
 
-    FormResponse.new(success: valid?, errors:, serialize_error_details_only: true)
+    FormResponse.new(success: valid?, errors:)
   end
 
   private

app/forms/otp_verification_form.rb

@@ -25,7 +25,6 @@ def submit
       success: success,
       errors: errors,
       extra: extra_analytics_attributes,
-      serialize_error_details_only: true,
     )
   end
 

app/forms/recaptcha_form.rb

@@ -54,11 +54,11 @@ def submit(recaptcha_token)
     @recaptcha_result = recaptcha_result if recaptcha_token.present? && !exempt?
 
     log_analytics(result: @recaptcha_result) if @recaptcha_result
-    response = FormResponse.new(success: valid?, errors:, serialize_error_details_only: true)
+    response = FormResponse.new(success: valid?, errors:)
     [response, @recaptcha_result&.assessment_id]
   rescue Faraday::Error => error
     log_analytics(error:)
-    response = FormResponse.new(success: true, serialize_error_details_only: true)
+    response = FormResponse.new(success: true)
     [response, nil]
   end
 

app/forms/reset_password_form.rb

@@ -70,12 +70,12 @@ def mark_profile_as_password_reset
 
   def password_reset_profile
     FeatureManagement.pending_in_person_password_reset_enabled? ?
-      find_pending_in_person_or_active_profile :
+      find_in_progress_in_person_or_active_profile :
       active_profile
   end
 
-  def find_pending_in_person_or_active_profile
-    user.pending_in_person_enrollment&.profile || active_profile
+  def find_in_progress_in_person_or_active_profile
+    user.current_in_progress_in_person_enrollment_profile || active_profile
   end
 
   # It is possible for an account that is resetting their password to be "invalid".
@@ -104,7 +104,9 @@ def extra_analytics_attributes
 
   def pending_profile_invalidated?
     if FeatureManagement.pending_in_person_password_reset_enabled?
-      pending_profile.present? && !pending_profile.in_person_verification_pending?
+      pending_profile.present? &&
+        !pending_profile.in_person_verification_pending? &&
+        !pending_profile.fraud_deactivation_reason?
     else
       pending_profile.present?
     end

app/forms/select_email_form.rb

@@ -26,7 +26,6 @@ def submit(params)
       success:,
       errors:,
       extra: extra_analytics_attributes,
-      serialize_error_details_only: true,
     )
   end
 

app/forms/sign_in_recaptcha_form.rb

@@ -28,7 +28,7 @@ def submit(recaptcha_token:)
     @recaptcha_token = recaptcha_token
 
     success = valid?
-    FormResponse.new(success:, errors:, serialize_error_details_only: true)
+    FormResponse.new(success:, errors:)
   end
 
   def exempt?

app/forms/two_factor_authentication/auth_app_delete_form.rb

@@ -24,7 +24,6 @@ def submit
         success:,
         errors:,
         extra: extra_analytics_attributes,
-        serialize_error_details_only: true,
       )
     end
 

app/forms/two_factor_authentication/auth_app_update_form.rb

@@ -30,7 +30,6 @@ def submit(name:)
         success:,
         errors:,
         extra: extra_analytics_attributes,
-        serialize_error_details_only: true,
       )
     end
 

app/forms/two_factor_authentication/piv_cac_delete_form.rb

@@ -24,7 +24,6 @@ def submit
         success:,
         errors:,
         extra: extra_analytics_attributes,
-        serialize_error_details_only: true,
       )
     end
 

app/forms/two_factor_authentication/piv_cac_update_form.rb

@@ -30,7 +30,6 @@ def submit(name:)
         success:,
         errors:,
         extra: extra_analytics_attributes,
-        serialize_error_details_only: true,
       )
     end
 

app/forms/two_factor_authentication/webauthn_delete_form.rb

@@ -27,7 +27,6 @@ def submit
         success:,
         errors:,
         extra: extra_analytics_attributes,
-        serialize_error_details_only: true,
       )
     end
 

app/forms/two_factor_authentication/webauthn_update_form.rb

@@ -30,7 +30,6 @@ def submit(name:)
         success:,
         errors:,
         extra: extra_analytics_attributes,
-        serialize_error_details_only: true,
       )
     end