IdV enrollment complete event

[Sgtpluck]

🎫 Ticket

Link to the relevant ticket:
163

🛠 Summary of changes

This change adds the idv-enrollment-complete event.

This is a new event that was added to fulfill the Enrollment complete milestone requirement.
It is a little tricky since there are several different pathways for users to finish their identity proofing journey, two of which are not part of the user flow.

The places where we activate a profile (thereby indicating that a profile's enrollment is "complete") is:

• EnterPasswordController- where a user encrypts their data with their password
• GpoVerifyForm - where a user submits their mail code
• GetUSPSProofingResultsJob - where a user's IPP job is processed
• ActionAccount::ReviewPass - where a user is cleared as valid after a fraud review

I would love to know if I am missing or misinterpreting any of these steps, or if other work should. (I wish I could just put this event on the Profile model's #active method, but there isn't a way really to inject the tracker into the Profile like that.)

[Sgtpluck]

I added a reproof attribute to handle a milestone of identifying when a user had previously proofed completed idv enrollment.

[eileen-nava]

I left some comments.

I have an overall question about the AttemptsApi's events. When I'm working locally, I frequently run make watch_events in terminal to see what events are being logged. Is there a similar process I could run to see what events are being logged for the AttemptsApi?

[eileen-nava]

Since L494 activates the profile associated with the enrollment, I'm not clear why the conditional on L496 is necessary. Is there a scenario where the profile associated with the enrollment wouldn't be active? Are you concerned about the transaction in activate_after_passing_in_person failing?

[Sgtpluck]

both if it fails, or if an enrollment profile doesn't exist. i don't know what circumstances exist that a profile wouldn't exist on an enrollment, but i am taking my cues from the other code that adds the nil checker (such as enrollment.profile&.activate_after_passing_in_person, above)

[eileen-nava]

This looks good from an IPP perspective.

[gina-yamada]

For IPP, above your wrote where a user's IPP job is processed. Should this log when the user passes? Or should it log when then enrollment is processed (ie: user may have failed or the enrollment with USPS may have expired)?

[Sgtpluck]

@gina-yamada it should log when the profile has been activated.

@eileen-nava interesting suggestion! there is not a way to do that currently from the idp, but i can consider building that in when i have some free time again. meanwhile, the sample sinatra oidc application does have an attempt-api endpoint now that shows tracked events, if you are using the sample oidc application locally.

[mitchellhenke]

Couple small questions, but otherwise looks good to me

[mitchellhenke]

I was going to ask if this could be moved into the conditional, but that wouldn't work because if we ran this check after creating a profile, it would always be true?

[Sgtpluck]

yeah, exactly. i thought about checking to see if there was more than one profile that had the activated_at attribute, but i don't think what was happening was as clear

[mitchellhenke]

Could this be moved below UserAlerts::AlertUserAboutAccountVerified.call? I think it might be preferable to run the other things first (in terms of importance).

[Sgtpluck]

sure, added in a39cefb

[gina-yamada]

@gina-yamada it should log when the profile has been activated.

@eileen-nava interesting suggestion! there is not a way to do that currently from the idp, but i can consider building that in when i have some free time again. meanwhile, the sample sinatra oidc application does have an attempt-api endpoint now that shows tracked events, if you are using the sample oidc application locally.

I didn't check but the only edge case you may need to look into- if a user is flagged for fraud. They can be activated after the investigation concludes. It is not in the usps job but there is a script to activate users-I bet you already handled it.

[Sgtpluck]

@gina-yamada thanks for the heads-up about that edge case! i believe it is handled in the ActionAccount::ReviewPass class, but appreciate you bringing it to my attention in case I had overlooked it!

[gina-yamada]

@gina-yamada thanks for the heads-up about that edge case! i believe it is handled in the ActionAccount::ReviewPass class, but appreciate you bringing it to my attention in case I had overlooked it!

That looks accurate! I should have looked at the code and posted if it was not there. I was replying to comments and then jumped back in. I agree - handled in ReviewPass class. I think you are set. Nice work.