Closed
* convert modal layout from slim to erb * convert saml idp metadata template to erb * convert piv cac setup prompt template from slim to erb * convert personal key key template from slim to erb * convert letter expired email template from slim to erb * convert letter reminder email template from slim to erb * convert email add email template from slim to erb * convert add email associated with another account template from slim to erb * convert email new device sign in template from slim to erb * convert email confirm and reverify template from slim to erb * convert email reset password template from slim to erb * convert email password changed template from slim to erb * convert email undeliverable address template from slim to erb * convert email added template from slim to erb * convert email account reset cancel template from slim to erb * convert email account reset complete template from slim to erb * convert email account reset request template from slim to erb * convert email account reset granted template from slim to erb * convert email personal key sign in template from slim to erb * convert email personal key regenerated template from slim to erb * convert email account does not exist template from slim to erb * convert email signup with your email template from slim to erb * remove slim * Update app/views/user_mailer/add_email.html.erb Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Migrate ad hoc alerts to USWDS alert partial **Why**: Consolidate to single, consistent alert styling * Monkey-patch SimpleForm error notification to customize alert **Why**: Only option to customize the rendered markup of alert to support nested alert tags * Remove custom alerts styling **Why**: Unused * Avoid class_eval for SimpleForm monkey-patch **Why**: Autoload interop * Add comment to describe SimpleForm monkey-patch **Why**: So next developer understands what's up * Update test specs for updated alert classes * Simplify SP alert text retrieval **Why**: From `generate_custom_alert`, easier to understand * Restore variable interpolation for SP custom alert **Why**: Broke with refactoring to sp_alert to avoid sp_msg. Since sp_msg was otherwise unused, absorb behavior into custom_alert as single source of (interpolated) message text. * Use path part arguments for Rails.root.join See: #4418 (comment) * Update outdated test specs for login view * Add test assertion for page-level invalid password edit alert **Why**: My own self-assurance that I'm not breaking things * Move SimpleForm monkey-patch into lib/extensions **Why**: Allow base class to be defined for extension in tests
* remove bummr * remove fasterer * remove sinatra * update rotp gem * update deps * update ahoy gem * remove undefined method
**Why**: Because it doesn't work and hasn't in a while
* Updates to IdP README and CONTRIBUTING guidance. * Remove double double in CONTRIBUTING.mg * Update README language for local install. * Update README passphrase image local. * Update README Mailcatcher instructions. * Update README.md Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * Update README to exclude the proofing vendor. * Update README and remove log event stuff we do not use. * Update README.md Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov> * Update README gggggggggeolocation. * Update README.md Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov> * Remove unused content in README. * Change README Ruby v to 2.6 * Change README Redis 5+ * README Upaya * Remove Troubleshooting from README. * Update README.md Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov> Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
Resolves LG-3363 Adds a validation in production and staging to check if there are any service providers in the database that are not present in the YAML config file. Sends an exception report to New Relic if any are found.
**Why**: Hopefully tests will flake less in CI
**Why**: Since development bundles are currently configured to use `eval-source-map` in development mode, ES5-incompatible syntax can hide in eval strings. Also ensures tested code is closer aligned to that which is run by real users.
…n the attributes (LG-3439) (#4459) * Return the AAL level in the authn context and include the IAL level in the attributes (LG-3439) * default AAL authn context is urn:gov:gsa:ac:classes:sp:PasswordProtectedTransport:duo
* refactor async doc auth * Update spec/forms/idv/api_document_verification_status_form_spec.rb Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * Update spec/forms/idv/api_document_verification_status_form_spec.rb Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * fix spec * new relic spec * use correct doc auth method * Update spec/controllers/lambda_callback/document_proof_result_controller_spec.rb Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * format spec result * rubocop Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
**How**: Maxlength needs to stay 11 due to cleave bug so just add a listener to the field and limit the length while accounting for dashes.
…pendency (#4485) * LG-3764: Upgrade to identity-style-guide 3.0 **Why**: To use latest USWDS version consistently across all login products and services * LG-3716: Use tree-shaking to deduplicate zxcvbn **Why**: The zxcvbn dependency is large and should not be included in JavaScript bundles where it is not used. Instead, bundles should use the minimum implementations necessary. This is made possible in the latest version 3.0 of identity-style-guide. * Reconcile mobile banner with USWDS 2.9.0 banner revisions * Stretch external icon in flex context **Why**: Otherwise doesn't appear, because it has no implicit height * Add flex container to footer links **Why**: Avoid unpredictable wrapping in Safari by treating each link as its own column * Test files in packs-test for es5-safe script **Why**: CircleCI sets RAILS_ENV=test by default, which compiles assets to public/packs-test * Target USWDS dependencies for Babel compilation **Why**: These include code which can't be run in legacy browsers. Related: https://github.com/uswds/uswds/tree/develop/examples#general
* refactor proofing async storage to not store pii in redis * rename ProofingDocumentCaptureSessionResult to ProofingSessionAsyncResult * load dcs from result_id in lambda callback * Update app/services/idv/phone_step.rb Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * simplify pii transformation in usps controller * Simplify PII code a tad more * rubocop * Update spec/services/idv/phone_step_spec.rb Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> Co-authored-by: Zach Margolis <zachary.margolis@gsa.gov>
* Configure ESLint to allow empty catch statements **Why**: It should be fine to consider a "try" as in a purely optional sense; if it fails, so be it, no need for ceremony. In fact, the opposite could be argued to be more problematic: Forcing a catch body could encourage all-encompassing try blocks, which are unnecessarily broad in scope and likely to overlook potential error cases. * Render password strength forbidden passwords tag by tag helper **Why**: Allow rails to manage data tag value rendering * Gracefully fall back to undefined for invalid parsed forbidden passwords **Why:** In case the attribute is not set or improperly formatted, password strength check shouldn't be affected. * Assign forbidden_passwords for handled invalid password **Why**: Expected by view. Consistently prevent user from attempting to use these passwords. * Simplify attribute name to "forbidden" See: #4497 (comment) * Use consistent return type for getForbiddenPasswords See: #4497 (comment) * Add view spec for password strength partial See: https://github.com/18F/identity-idp/pull/4497/files#r538583494 * Assign forbidden passwords from event disavowal controller * Pass forbidden_passwords as partial local **Why**: More obvious when not passed * Account for disavowal password reset form input * Pass locals as argument in password_strength spec * Remove redundant presence * Use correct element ID for event disavowal form password field
* validate iat with some allowed leeway * validate iat is integer * Update spec/forms/openid_connect_token_form_spec.rb Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
…ed SAML response (LG-3859) (#4503) Co-authored-by: Espartaco Palma <github@esparta.co> * use a guard Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * Apply suggestions from code review
Bumps [ini](https://github.com/isaacs/ini) from 1.3.5 to 1.3.7. - [Release notes](https://github.com/isaacs/ini/releases) - [Commits](npm/ini@v1.3.5...v1.3.7) Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
**Why**: These steps are not in use anymore Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
…n and DocAuth (#4517) * Refactor SpinnerButton to display as button pulse animation * Display spinner button at doc auth verify step * Normalize doc auth locale file string order * Add spinner button to CAC verify step * Render spinner button as inline block **Why**: Act more like real button, allow natural grow (or overridden width) on container * Handle FormStepsWait response consistently from initial to poll **Why**: Initial response could redirect immediately. Also consolidates error handling consistently. * Send verify poll request as HEAD request **Why**: Not concerned with the response body * Add spec for spinner-button shared partial * Add spec for FormStepsWait * Wait for page navigation in complete_all_doc_auth_steps * Use consistent selector from spinner-button.js * Rename form-steps-wait.js as form-steps-wait-spec.js **Why**: `npm test` won't capture files unless suffixed with "spec" * Revise FormStepsWait constructor to not be side-effecty See: #4517 (comment) * Fix fake timer test lifecycle leakage * Refactor SpinnerButton to use consistent bind call implementation See: a4721ee * Reinstate ESLint no-new rule **Why**: Kinda the motivation behind the discussion here: #4517 (comment)
…ync document upload (#4528) * store whole flow session in analytics if unable to find DCS * log when document capture session key is deleted * do not send pii_from_doc and only send in dev
* Update identity-validations to use main branch * update identity_validations
**Why**: - It is currently broken, displaying as non-visible except by cursor hover or keyboard focus. - It's the only instance of a tooltip in the entire application. - Tooltips are not ideal for longer-form content like the informational text we show in this tooltip - See: https://designsystem.digital.gov/components/tooltip/ - We are not space-constrained on this page and could show informational text as part of the primary content - Fewer dependencies for us to manage - If we were to want tooltips, we should ideally be using USWDS tooltips (see #4529) to consolidate dependencies - Less styles for the user to download (faster load time)
…4538) * Don't allow identity proofing in prod without SP context (LG-3942) * review suggestions
**Why**: Disambiguate from DocAuthBaseStep#document_capture_session
**Why**: As a user, I expect that login.gov has a consistent visual style, and that my page load times are not prolonged by loading redundant CSS. As a developer, I expect that existing references to BassCSS module classes are replaced with equivalent USWDS or ad hoc alternatives, so that we can successfully migrate away from and eliminate our dependency on BassCSS. --- Approach: Replace "align-" classes with USWDS equivalent, based on technical discovery document.
* LG-3756: Upgrade intl-tel-input from 16.0.7 to 17.0 **Why**: As a user, I want login.gov to not have unused or out of date apps, so that I can use the fastest and most secure app possible. See changelog: https://github.com/jackocnr/intl-tel-input/blob/master/CHANGELOG.md Specific upgrade conflicts: - Reliance on specific element IDs, now assigned uniquely by intl-tel-input - Reliance on duplicate list item element IDs, now assigned uniquely by intl-tel-input * Update test spec
**Why**: As a user, I want login.gov to not have unused or out of date apps, so that I can use the fastest and most secure app possible. Lower-risk than bumping major packages, which may warrant updates in individualized pull requests. Excludes `hint.css` as this will be addressed separately, either by using USWDS (#4529) or removing tooltips altogether. Specifics: cleave.js - Changelog: https://github.com/nosir/cleave.js/releases - Testing: Check that auto-formatted fields (SSN, TOTP, etc) continue to work as expected focus-trap - Changelog: https://github.com/focus-trap/focus-trap/blob/master/CHANGELOG.md - Testing: Check that session timeout modal and IAL2 Acuant mobile capture continue to trap focus and work as expected libphonenumber-js - Changelog: https://gitlab.com/catamphetamine/libphonenumber-js/-/blob/master/CHANGELOG.md - Testing: Check that phone number validation when adding a phone number continues to validate numbers correctly
**Why**: As a user, I want login.gov to not have unused or out of date apps, so that I can use the fastest and most secure app possible Upgrades last of dependencies targeted for upgrade: Those which involve major version upgrades, or have been updated since previous pass at version updates. Specifics: clipboard - Changelog: https://github.com/zenorocha/clipboard.js/releases - Of note: Constructor changed. Likely not necessary revision in our code, though reduces likelihood of conflict or confusion. - Testing: Verify "Copy" button on "Add an authentication app" works Not included: - basscss-scss: Planned for removal - source-map-loader: Breaking change involves minimum peer dependency on webpack@5, blocked by yet-unreleased webpacker@6 ("2021-TBD") - See: https://github.com/rails/webpacker/blob/master/CHANGELOG.md
…2) (#4544) * rails 6.1 * fix specs * remove phone configuration decorator to fix N+1 query * fix cache-control spec * fix 400 spec
* Restore pointer cursor to selfie capture overlay "button" **Why**: Upgrading from `identity-style-guide` 2.2.3 to 3.0.0 involves upgrading from `uswds` 2.0.3 to 2.9.0 which involves upgrading from `normalize.css` 3.0.3 to 8.0.1. In `normalize.css` 4.1.0, opinionated button cursor styles were removed, and must be manually applied where desired. See: - necolas/normalize.css#563 - https://github.com/necolas/normalize.css/blob/master/CHANGELOG.md#410-april-11-2016 - uswds/uswds#3215 * Order CSS properties * Order CSS properties, for real
* add failing spec * ensure decrypted_pii is set when rendering verify password
* update nokogiri * add nokogiri to gemfile
No description provided.