18F · zachmargolis · Sep 29, 2021 · Sep 27, 2021 · Sep 27, 2021 · Sep 27, 2021
diff --git a/app/controllers/idv/gpo_controller.rb b/app/controllers/idv/gpo_controller.rb
@@ -133,7 +133,13 @@ def profile_params
     end
 
     def form_response(result, success)
-      FormResponse.new(success: success, errors: result[:errors])
+      FormResponse.new(
+        success: success,
+        errors: result[:errors],
+        extra: {
+          pii_like_keypaths: [[:errors, :zipcode]],
+        },
+      )
     end
 
     def idv_throttle_params

diff --git a/app/controllers/idv/phone_controller.rb b/app/controllers/idv/phone_controller.rb
@@ -102,7 +102,15 @@ def failure_url(reason)
 
     def async_state_done(async_state)
       form_result = step.async_state_done(async_state)
-      analytics.track_event(Analytics::IDV_PHONE_CONFIRMATION_VENDOR, form_result.to_h)
+      analytics.track_event(
+        Analytics::IDV_PHONE_CONFIRMATION_VENDOR,
+        form_result.to_h.merge(
+          pii_like_keypaths: [
+            [:errors, :phone],
+            [:context, :stages, :address],
+          ],
+        ),
+      )
       redirect_to_next_step and return if async_state.result[:success]
       handle_proofing_failure
     end

diff --git a/app/controllers/users/webauthn_setup_controller.rb b/app/controllers/users/webauthn_setup_controller.rb
@@ -85,6 +85,7 @@ def track_delete(success)
         Analytics::WEBAUTHN_DELETED,
         success: success,
         mfa_method_counts: counts_hash,
+        pii_like_keypaths: [[:mfa_method_counts, :phone]],
       )
     end
 

diff --git a/app/forms/backup_code_setup_form.rb b/app/forms/backup_code_setup_form.rb
@@ -17,6 +17,9 @@ def submit
   attr_accessor :user
 
   def extra_analytics_attributes
-    { mfa_method_counts: MfaContext.new(user).enabled_two_factor_configuration_counts_hash }
+    {
+      mfa_method_counts: MfaContext.new(user).enabled_two_factor_configuration_counts_hash,
+      pii_like_keypaths: [[:mfa_method_counts, :phone]],
+    }
   end
 end
diff --git a/app/forms/idv/address_form.rb b/app/forms/idv/address_form.rb
@@ -18,7 +18,11 @@ def initialize(user)
     def submit(params)
       consume_params(params)
 
-      FormResponse.new(success: valid?, errors: errors)
+      FormResponse.new(
+        success: valid?,
+        errors: errors,
+        extra: { pii_like_keypaths: [[:errors, :zipcode ], [:error_details, :zipcode]] },
+      )
     end
 
     private

diff --git a/app/forms/idv/api_image_upload_form.rb b/app/forms/idv/api_image_upload_form.rb
@@ -100,6 +100,7 @@ def extra_attributes
       @extra_attributes ||= {
         remaining_attempts: remaining_attempts,
         user_id: user_uuid,
+        pii_like_keypaths: [[:pii]],
       }
     end
 

diff --git a/app/forms/idv/doc_pii_form.rb b/app/forms/idv/doc_pii_form.rb
@@ -17,6 +17,9 @@ def submit
       Idv::DocAuthFormResponse.new(
         success: valid?,
         errors: errors,
+        extra: {
+          pii_like_keypaths: [[:pii]], # see errors.add(:pii)
+        },
       )
     end
 

diff --git a/app/forms/idv/phone_form.rb b/app/forms/idv/phone_form.rb
@@ -52,6 +52,7 @@ def extra_analytics_attributes
       {
         country_code: parsed_phone.country,
         area_code: parsed_phone.area_code,
+        pii_like_keypaths: [[:errors, :phone], [:error_details, :phone]], # see errors.add(:phone)
       }
     end
 

diff --git a/app/forms/idv/ssn_format_form.rb b/app/forms/idv/ssn_format_form.rb
@@ -18,7 +18,11 @@ def initialize(user)
     def submit(params)
       consume_params(params)
 
-      FormResponse.new(success: valid?, errors: errors)
+      FormResponse.new(
+        success: valid?,
+        errors: errors,
+        extra: { pii_like_keypaths: [[:errors, :ssn ], [:error_details, :ssn]] },
+      )
     end
 
     private

diff --git a/app/forms/new_phone_form.rb b/app/forms/new_phone_form.rb
@@ -65,6 +65,7 @@ def extra_analytics_attributes
       carrier: @phone_info&.carrier,
       country_code: parsed_phone.country,
       area_code: parsed_phone.area_code,
+      pii_like_keypaths: [[:errors, :phone], [:error_details, :phone]],
     }.tap do |extra|
       extra[:redacted_phone] = @redacted_phone if @redacted_phone
     end

diff --git a/app/forms/otp_delivery_selection_form.rb b/app/forms/otp_delivery_selection_form.rb
@@ -44,6 +44,7 @@ def extra_analytics_attributes
       country_code: parsed_phone.country,
       area_code: parsed_phone.area_code,
       context: context,
+      pii_like_keypaths: [[:errors, :phone], [:error_details, :phone]],
     }
   end
 

diff --git a/app/forms/two_factor_authentication/phone_deletion_form.rb b/app/forms/two_factor_authentication/phone_deletion_form.rb
@@ -27,6 +27,7 @@ def extra_analytics_attributes
         configuration_id: configuration&.id,
         configuration_owner: configuration&.user&.uuid,
         mfa_method_counts: MfaContext.new(user.reload).enabled_two_factor_configuration_counts_hash,
+        pii_like_keypaths: [[:mfa_method_counts, :phone]],
       }
     end
 

diff --git a/app/forms/verify_account_form.rb b/app/forms/verify_account_form.rb
@@ -21,7 +21,13 @@ def submit
     else
       reset_sensitive_fields
     end
-    FormResponse.new(success: result, errors: errors)
+    FormResponse.new(
+      success: result,
+      errors: errors,
+      extra: {
+        pii_like_keypaths: [[:errors, :otp], [:error_details, :otp]],
+      },
+    )
   end
 
   protected

diff --git a/app/forms/webauthn_setup_form.rb b/app/forms/webauthn_setup_form.rb
@@ -83,6 +83,7 @@ def extra_analytics_attributes
     {
       mfa_method_counts: MfaContext.new(user).enabled_two_factor_configuration_counts_hash,
       multi_factor_auth_method: 'webauthn',
+      pii_like_keypaths: [[:mfa_method_counts, :phone]],
     }
   end
 end
diff --git a/app/services/account_reset/delete_account.rb b/app/services/account_reset/delete_account.rb
@@ -63,6 +63,7 @@ def extra_analytics_attributes
         email: user.email_addresses.take&.email,
         account_age_in_days: account_age,
         mfa_method_counts: mfa_method_counts,
+        pii_like_keypaths: [[:mfa_method_counts, :phone]],
       }
     end
   end

diff --git a/app/services/analytics.rb b/app/services/analytics.rb
@@ -8,6 +8,7 @@ def initialize(user:, request:, sp:, session:, ahoy: nil)
   end
 
   def track_event(event, attributes = {})
+    attributes.delete(:pii_like_keypaths)
     update_session_events_and_paths_visited_for_analytics(event) if attributes[:success] != false
     analytics_hash = {
       event_properties: attributes.except(:user_id),

diff --git a/app/services/idv/steps/document_capture_step.rb b/app/services/idv/steps/document_capture_step.rb
@@ -44,6 +44,9 @@ def post_images_and_handle_result
           doc_auth_form_result = DocAuth::Response.new(
             success: false,
             errors: doc_pii_form_result.errors,
+            extra: {
+              pii_like_keypaths: [[:pii]],
+            },
           )
           doc_auth_form_result = doc_auth_form_result.merge(response)
           return handle_document_verification_failure(doc_auth_form_result)

diff --git a/app/services/idv/steps/verify_base_step.rb b/app/services/idv/steps/verify_base_step.rb
@@ -43,13 +43,13 @@ def skip_legacy_steps
         idv_session['resolution_successful'] = 'phone'
       end
 
-      def idv_result_to_form_response(idv_result:, state: nil)
+      def idv_result_to_form_response(idv_result:, state: nil, extra: {})
         state_id = idv_result.dig(:context, :stages, :state_id)
         state_id[:state] = state if state && state_id
         FormResponse.new(
           success: idv_success(idv_result),
           errors: idv_errors(idv_result),
-          extra: { proofing_results: idv_extra(idv_result) },
+          extra: extra.merge(proofing_results: idv_extra(idv_result)),
         )
       end
 

diff --git a/app/services/idv/steps/verify_wait_step_show.rb b/app/services/idv/steps/verify_wait_step_show.rb
@@ -31,7 +31,9 @@ def async_state_done(current_async_state)
         form_response = idv_result_to_form_response(
           idv_result: current_async_state.result,
           state: flow_session[:pii_from_doc][:state],
+          extra: { pii_like_keypaths: [[:errors, :ssn]] },
         )
+
         if form_response.success?
           response = check_ssn(flow_session[:pii_from_doc]) if form_response.success?
           form_response = form_response.merge(response)

diff --git a/spec/controllers/account_reset/delete_account_controller_spec.rb b/spec/controllers/account_reset/delete_account_controller_spec.rb
@@ -19,6 +19,7 @@
         success: true,
         errors: {},
         mfa_method_counts: { backup_codes: 10, webauthn: 2, phone: 2 },
+        pii_like_keypaths: [[:mfa_method_counts, :phone]],
         account_age_in_days: 0,
       }
       expect(@analytics).
@@ -39,6 +40,7 @@
         errors: { token: [t('errors.account_reset.granted_token_invalid')] },
         error_details: { token: [t('errors.account_reset.granted_token_invalid')] },
         mfa_method_counts: {},
+        pii_like_keypaths: [[:mfa_method_counts, :phone]],
         account_age_in_days: 0,
       }
       expect(@analytics).
@@ -59,6 +61,7 @@
         errors: { token: [t('errors.account_reset.granted_token_missing')] },
         error_details: { token: [:blank] },
         mfa_method_counts: {},
+        pii_like_keypaths: [[:mfa_method_counts, :phone]],
         account_age_in_days: 0,
       }
       expect(@analytics).to receive(:track_event).
@@ -83,6 +86,7 @@
         errors: { token: [t('errors.account_reset.granted_token_expired')] },
         error_details: { token: [t('errors.account_reset.granted_token_expired')] },
         mfa_method_counts: {},
+        pii_like_keypaths: [[:mfa_method_counts, :phone]],
         account_age_in_days: 2,
       }
       expect(@analytics).to receive(:track_event).

diff --git a/spec/controllers/idv/doc_auth_controller_spec.rb b/spec/controllers/idv/doc_auth_controller_spec.rb
@@ -124,7 +124,14 @@
       mock_next_step(:back_image)
       allow_any_instance_of(Flow::BaseFlow).to \
         receive(:flow_session).and_return(pii_from_doc: {})
-      result = { success: true, errors: {}, step: 'ssn', flow_path: 'standard', step_count: 1 }
+      result = {
+        success: true,
+        errors: {},
+        step: 'ssn',
+        flow_path: 'standard',
+        step_count: 1,
+        pii_like_keypaths: [[:errors, :ssn], [:error_details, :ssn]],
+      }
 
       put :update, params: {step: 'ssn', doc_auth: { step: 'ssn', ssn: '111-11-1111' } }
 
@@ -140,7 +147,13 @@
       mock_next_step(:back_image)
       allow_any_instance_of(Flow::BaseFlow).to \
         receive(:flow_session).and_return(pii_from_doc: {})
-      result = { success: true, errors: {}, step: 'ssn', step_count: 1 }
+      result = {
+        success: true,
+        errors: {},
+        step: 'ssn',
+        step_count: 1,
+        pii_like_keypaths: [[:errors, :ssn], [:error_details, :ssn]],
+      }
 
       put :update, params: {step: 'ssn', doc_auth: { step: 'ssn', ssn: '666-66-6666' } }
       put :update, params: {step: 'ssn', doc_auth: { step: 'ssn', ssn: '111-11-1111' } }
@@ -391,6 +404,7 @@
           step: 'verify_document_status',
           flow_path: 'standard',
           step_count: 1,
+          pii_like_keypaths: [[:pii]],
         }
       )
       expect(@analytics).to have_received(:track_event).with(
@@ -402,6 +416,7 @@
           step: 'verify_document_status',
           flow_path: 'standard',
           step_count: 1,
+          pii_like_keypaths: [[:pii]],
         }
       )
     end
-Original file line number
+Diff line change
@@ Expand Up / @@ -52,6 +52,7 @@ def extra_analytics_attributes @@
           {
             country_code: parsed_phone.country,
             area_code: parsed_phone.area_code,
+            pii_like_keypaths: [[:errors, :phone], [:error_details, :phone]], # see errors.add(:phone)
           }
         end
@@ Expand Down @@