Skip to content

Add feature test for JS-enabled document capture async upload#4407

Merged
aduth merged 6 commits intomasterfrom
aduth-document-capture-async-feature-test
Nov 16, 2020
Merged

Add feature test for JS-enabled document capture async upload#4407
aduth merged 6 commits intomasterfrom
aduth-document-capture-async-feature-test

Conversation

@aduth
Copy link
Contributor

@aduth aduth commented Nov 13, 2020

Related: #4401 (comment)

Why: So we have some integration tests running through document capture in a real headless browser.

Implementation Notes:

The biggest hurdle here was overcoming "Failed to fetch" errors in the browser, related to the fact that without the changes here, the presigned URLs were generated with a host of example.com, which window.fetch would not connect with, since the test runs on localhost with a randomly-generated port. There may have been many alternative approaches here (e.g. avoiding example.com and instead setting a fixed host/port for tests), but in this case I addressed it by overriding the default URL options for the URL helper in tests using the JavaScript test driver.

zachmargolis
zachmargolis approved these changes Nov 13, 2020
View reviewed changes
Copy link
Contributor

@zachmargolis zachmargolis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! thanks for adding this!

zachmargolis
zachmargolis reviewed Nov 13, 2020
View reviewed changes
@aduth aduth force-pushed the aduth-document-capture-async-feature-test branch from 5e8e6cc to ddc7e0f Compare November 13, 2020 22:16
@aduth
Remove underscore prefix from VendorDocumentVerificationJob arguments
32948bd 
**Why**: While yet-unused in the implementation itself, it's part of the public API, so don't name as if it were an unused argujment. They'll become used in the future.
@aduth
Copy link
Contributor Author

aduth commented Nov 16, 2020

I can't find the comment here, but I received a notification about removing the underscore prefixes from the VendorDocumentVerificationJob arguments. I think it makes sense. I'm assuming at some point those arguments are intended to be used, once the implementation is fleshed out? In either case, from a "public API" point-of-view, if those arguments are expected to be passed, I think it makes sense to treat them as used. Updated in 32948bd.

@aduth
Stub default URL options in JS test lifecycle
4fea752 
**Why**: Avoid lingering effects after test case has finished
@aduth aduth force-pushed the aduth-document-capture-async-feature-test branch from 5bae43b to 4fea752 Compare November 16, 2020 13:54
@aduth
Allow explicit nil idv_result to mock_document_capture_result
5f880ba 
**Why**: Used to test in-progress result
@aduth
Copy link
Contributor Author

aduth commented Nov 16, 2020

I was finally able to work out what had caused the failures in the build environment: Because we were overriding default_url_options on the Rails application, the changes were causing lingering effects after the test case finished. In 4fea752, I changed to use a mock return value instead.

@aduth aduth merged commit a95fd33 into master Nov 16, 2020
@aduth aduth deleted the aduth-document-capture-async-feature-test branch November 16, 2020 15:55
@aduth aduth mentioned this pull request Nov 18, 2020
Merged
aduth added a commit that referenced this pull request Nov 20, 2020
@aduth
LG-3697: Define connect-src S3 presigned URLs by full path
299feba 
**Why**: So that the browser will allow connect to upload images to S3.

The work in #4409 assumes that a wildcard `*` can be used in the path fragment of a `connect-src` source list, which is not correct ([see specification](https://www.w3.org/TR/CSP3/#match-paths)). Thus, connection attempts would still be rejected.

This largely reverts the prior effort, instead appending to the CSP header in the view itself. This may not be ideal, though it has a few upsides:

- Closer association to where the CSP URLs are relevant (as opposed to application-wide configuration)
- [There is prior art](https://github.com/18F/identity-idp/blob/86981809d5e2d4a19e31b2ad89149b6737674402/app/views/shared/_recaptcha.html.erb#L2-L3)

Alternatives explored:

- Append at [point in code](https://github.com/18F/identity-idp/blob/86981809d5e2d4a19e31b2ad89149b6737674402/app/services/idv/steps/document_capture_step.rb#L18-L33) where URLs are assigned into view variables. This felt like an unexpected side-effect of what should be expected to be a pure function.
- Some other pre-render hook of the document capture step. Unfortunately most existing behavior of a step appears to be tailored for a step's submission, not its initial rendering.

Possible follow-on: Ideally the feature tests added in #4407 could exercise these headers. Unfortunately, it's made challenging by the fact that our fake endpoints are served by the local server, which is allowed by default in the CSP headers. This would also be contingent upon LG-3785.
aduth added a commit that referenced this pull request Nov 20, 2020
@aduth
LG-3697: Define connect-src S3 presigned URLs by full path (#4429)
611bc9d 
**Why**: So that the browser will allow connect to upload images to S3.

The work in #4409 assumes that a wildcard `*` can be used in the path fragment of a `connect-src` source list, which is not correct ([see specification](https://www.w3.org/TR/CSP3/#match-paths)). Thus, connection attempts would still be rejected.

This largely reverts the prior effort, instead appending to the CSP header in the view itself. This may not be ideal, though it has a few upsides:

- Closer association to where the CSP URLs are relevant (as opposed to application-wide configuration)
- [There is prior art](https://github.com/18F/identity-idp/blob/86981809d5e2d4a19e31b2ad89149b6737674402/app/views/shared/_recaptcha.html.erb#L2-L3)

Alternatives explored:

- Append at [point in code](https://github.com/18F/identity-idp/blob/86981809d5e2d4a19e31b2ad89149b6737674402/app/services/idv/steps/document_capture_step.rb#L18-L33) where URLs are assigned into view variables. This felt like an unexpected side-effect of what should be expected to be a pure function.
- Some other pre-render hook of the document capture step. Unfortunately most existing behavior of a step appears to be tailored for a step's submission, not its initial rendering.

Possible follow-on: Ideally the feature tests added in #4407 could exercise these headers. Unfortunately, it's made challenging by the fact that our fake endpoints are served by the local server, which is allowed by default in the CSP headers. This would also be contingent upon LG-3785.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@zachmargolis zachmargolis zachmargolis approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aduth @zachmargolis