What do you think about making these analytics changes in a separate PR? They don't seem directly related to adding a USPS confirmation page, and I think this requires more thought about what distinction we want to make here. IdV completion could immediately follow user registration for example.

Gotcha. Makes sense to maintain two separate events. I'll take it out

I believe this logic will need to be moved to the VerifyProfileConcern once #1369 is merged.

Also, this assumes that the initial SP request is still in the session, but in all likelihood, it will not be, since by the time the user receives the letter, the session will have expired, so when they sign back in, session[:sp] will not be present, and redirecting them to sign_up_completed_url will take them to the account page.

In the USPS confirmation flow, we provide the user with a URL that points back to the service provider, so in theory there should be an sp session preset at all times. Obviously the user could elect not to enter the URL and instead go directly to the site. I spoke with Liz about it and she seemed to think it was unlikely the user wouldn't follow the instructions on the letter.

But, we won't know for sure until we test is out with users.

Yeah, on my way in to work, I realized I was wrong about this scenario not being likely. Even if the instructions didn't include a URL, the user could potentially go to the SP directly, then after they sign in on login.gov, they will be prompted to confirm their account, and at that point, the SP info will be in the session.

I think it's still worth it to have tests for both scenarios: one where the SP info is in the session, and one where it is not.

Also, I'm curious how the "URL that points back to the service provider" works. Where can I see an example of that?

Sorry that was worded really badly; but the idea is that the confirmation letter is going to direct the user to go back to the service provider's URL. It should be in the invision docs linked in the github issue

Would the no sp session scenario be better off in a separate PR? To generate the redirect url and service provider name we'll need additional behavior, I guess using the identity model? That is, assuming that we always want to show the user the completion page.

Yes, a separate PR is fine. I'll open an issue to discuss how we want to handle this scenario.

This method doesn't seem to be used anywhere.

Are we explicitly making a distinction between the USPS confirmation code and other security codes? For example, we have otp_incorrect: Security code is incorrect, but here we are changing the language. Is that intentional?

I did change the language intentionally. The new designs, which I'll be linking in a moment, called for it.

Are these being used?

Nope, will remove!

Did you mean sign_up_completed_url?

Did you mean sign_up_completed_path?

Could you explain the reason for modifying the loa3_sp_session method? It looks like you're using the same issuer it was using before. If the reason was to set a request_url in the session in order to test that when you click "continue" on the completions page it takes you back to the SP, may I suggest that we don't need that test since the completions page and controller are already tested? The main thing we're concerned with here is to make sure that USPS confirmation takes the user to the completions page.

This test assumes that the USPS confirmation is performed in a session where SP info is still present, which is not a likely scenario. What do you think about modifying this spec such that the SP session is not present?

Per my above comment, its expected to be a likely scenario. I agree it would be good to have a fallback but am not 100% sure what that would look like right now.

I modified it for test purposes, I'll remove the parameter.

Did you mean to add this here? Perhaps this was an unintentional consequence of the rebase with master? This line doesn't exist in master.

I see now, it did exist in master when I opened the PR, but was moved in 1369 to the profile maker class. I'll remove it!

Since this test is going through SamlIdpController, it should not be necessary to stub the session. In fact, it's discouraged because it might be masking a bug. We want to simulate the user experience as closely as possible.

Interesting, I added this because I could not get the test to pass at all. The value of sp_session was always an empty object.

What do you think about moving this spec to spec/features/saml and using a real SAML request as opposed to stubbing the session? This will ensure a more authentic end to end test.

We would also need to have the same test in spec/features/openid_connect to make sure it works there too.

The spec should be in openid_connect already, on line 280.

I'm slightly confused, the spec already exists in saml, it is the test you commented on ☝️ . Do you want me to completely remove this scenario from flow_spec and just rely on the 'live' tests?

Oh. I didn't realize that. If it's exactly the same test, then yes, we only want the "live" one.

The two specs aren't exactly the same, as the flow_spec example verifies immediately after the profile is created. I don't think that matters much though, as that scenario is guaranteed to never happen in real life.

EDIT: On second though, it is probably worth it to test going through the IdV flow and clicking on 'send letter'. Both the saml and openid specs manually set the deactivation_reason attribute and don't hit that page.

Agreed, but I think we only need one test that uses SAML and goes through everything as a user would.

I recently learned about a neat trick where you can reference an existing translation inside another one. Since "Resend confirmation instructions" is defined in idv.messages.usps.send_again, you can refer to it by add a colon before it, like this:

You can click :idv.messages.usps.send_again to get another one.

Magic!

No way!! I was thinking it was odd that there wasn't anyway to reuse these strings.

I actually can't get this to work. From previous searches I've seen using & as an alias, but I can't find references to prefixing a translation key with a : to share them.

Strange. It worked for me. I tested by running a spec that loads this page and I added a screenshot_and_save_page, and I saw the translated text.

and you put in exactly what you pasted here? I see the string as presented here, with the : prefix, uninterpolated

My bad. I was looking at the wrong page. I just realized this change is not related to this PR. It looks like it's just cleaning up whitespace. It turns out that to use this magic trick, the only thing you can put as the value is the key you are referencing, like this:

confirmation_period_expired: :idv.messages.usps.send_again

So, it doesn't look like we can use it here 😢

oh bummer 😞

I don't understand why OpenID Connect users would not be presented with the completions page. Could you explain that to me please?

@monfresh the openid connect flow takes the user to a different page after they verify their code, which is determined by the after_sign_in_path_for method. Ideally I'd like to just use that everywhere, but I don't want to refactor that method in the context of this PR.

We may also need to update the openid connect flow, as we now have different styles for the 'shared attributes' pages. This flow also bypasses the current completions page.

For reference, here is a screenshot from openid_connect spec on line 280:

As for why users are taken to a different page, I'm not sure! I guess the requirements weren't exactly in sync? We hadn't really nailed down the LOA3 verification flow either. In any case, it is probably worth opening up a ticket to address this.

My understanding is that we are getting rid of this screen, so might as well do it here, at least for this scenario. By "getting rid of it", I mean always redirect to sign_up_completed_url and don't include any logic for OIDC.

Did you mean to stop the test here? Don't we want to test all the way through to seeing the completions page and then continuing to the SP?

I stopped it because the user will never be able to go all the way through the flow when they first register. There is a second test beginning at line 141 that checks that the user is able to return and finish the verification process.

Sure, I get that, but they are still able to do more on the site, right? Once on the verify/confirmations page, they will acknowledge their personal key, and after that, they should be sent to the account page, where they should see a message about needing to confirm their USPS code.

I suggest we merge #1424 (I approved it last night. It just needs to be squashed), then rebase this PR against master so we can properly test the whole flow as the user would experience it.