Merged
* Clarify JS disabled expectations. Identity proofing will require JavaScript enabled
* Mention TTS standards, custom ESLint config for awareness, less tying specifically to Airbnb
* Include TypeScript expectation in docs
* Merge Yarn + Yarn workspaces comment. Avoid mentioning package.json as source of truth, since packages are scattered throughout workspaces directories
* Avoid abbreviations; don't assume they're universally understood
* Normalize subject, verb form and tense
* Point Yarn links to classic documentation since we use classic Yarn
* Add changelog [skip changelog]
**Why**: So that the build passes, and so that we don't have 500 errors. Context: https://github.com/18F/identity-idp/pull/6288/files#r864759689 [skip changelog]
* Remove NewRelic frontend event logging. **Why**: Because it's redundant with logging via FrontendLogController and presumably runs up our bill. changelog: Improvements, Analytics, Reduce redundant analytics logging
* Simplify addPageAction signature. **Why**: For improved usability, and for alignment with other event tracking methods
* Fix type signature for addPageAction
* Use stubbed profile for authorization_count_spec. **Why:**
  - For improved compatibility with JS-enabled proofing, where authorization counts rely on an "Agree and continue" redirect back to the SP. With the JavaScript browser, there is no server to redirect to, resulting in an error.
  - Improved performance, since proofing involves many steps
  - To limit the concern of the specs to authorization counts, not to the ability to successfully proof
  changelog: Internal, Automated Testing, Improve performance of automated tests
* Only set PII for verified profile mocks
* Require PII opt-in for profile stubs. Too many tests assume it won't be there (probably a problem worth resolving)
* Add non-empty vendor for liveness check component. As of #6262, we now check component as "blank?". In the real world, the value would be the vendor name, so add a placeholder value for tests.
* Update authorization_count_spec.rb
* Remove default PII. Shouldn't have been here - bad cherry-pick?
* Avoid concat for user profile creation. See: https://github.com/18F/identity-idp/pull/6255/files#r863108404 Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>
* Remove unnecessary user save
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Co-authored-by: Zach Margolis <zbmargolis@gmail.com>
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Move useSandbox to test-helpers package. **Why**: For better organization, and so that it's accessible to package specs.
* Add support for destructured sandbox clock
* Special-case clock tick destructure proxy. Since it's the most common method called, and to allow it to be stored as a reference and called later
* Convert existing package spec sandboxes to use test helper. Much more convenient
* Create passthrough proxy for clock implementation
* Add basic spec for clean-up behavior
* Add changelog. changelog: Internal, Automated Testing, Add test helper for JavaScript stubbing sandbox
[skip changelog]
…thod" page (#6261)
* Separate Voice and SMS option text. changelog: Improvements, Content, Separate phone and sms text labels
* add option to not show sms voice if phone option is available
* remove voice and sms options from options_presenter
* Migrate IDV_PHONE_CONFIRMATION_OTP_RATE_LIMIT_ATTEMPTS
* Migrate IDV_PHONE_CONFIRMATION_OTP_RATE_LIMIT_LOCKED_OUT
* Migrate IDV_PHONE_CONFIRMATION_OTP_RATE_LIMIT_SENDS
* Migrate IDV_PHONE_CONFIRMATION_OTP_RESENT
* Migrate IDV_PHONE_CONFIRMATION_OTP_SENT
changelog: Internal, Documentation, Document additional analytics events
* add failing spec
* Request password if PII is unlocked when resending GPO letter
changelog: Bug Fixes, Identity Verification, Request password to unlock PII if it is locked before resending GPO letter
* Implement client session secret store. **Why**: As a demonstration of secure client-side storage decrypted with key provided by server per session. changelog: Upcoming Features, Identity Proofing, Add client-side encrypted storage
* Collapse readStorage try blocks
* Clarify AES cipher key/iv generation. To avoid magic number and make it clearer what's happening #6183 (comment)
* Simplify cipher assignment logic
* Refactor SecretsContextProvider as observable initializer
  - Avoid waiting to render the app
  - Manage subscribers automatically via context value change
* Rename encode as s2ab. Consistency #6183 (comment)
* iv per encrypt #6183 (comment)
* Make setItem await-able
* Reference crypto consistently from window object
* Add SecretSessionStorage inline comment docs
* Add SecretSessionStorage specs
* Merge useSecretValue to context implementation
* Remove demo value from SecretValues
* Add docs for SecretsContext
* Use flow values as secrets
* Split VerifyFlow from index. Avoid dependency cycle, make room for more index-exported
* Destructure storeKey in same way as other data attributes
* Use user_session instead of session. Route now authenticated
* Inline encryption cipher initialization to memoized session assignment. See: https://github.com/18F/identity-idp/pull/6183/files#r865355166 Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>
Co-authored-by: Zach Margolis <zbmargolis@gmail.com>
* TypeScript-ify Alert component
* Components: Assign Alert role by type. **Why**:
  - Alignment to AlertComponent Rails ViewComponent implementation
  - To avoid assertively announcing alert text for non-urgent alerts
  changelog: Improvements, Accessibility, Use status role for non-urgent alert content
[skip changelog]
* LG-5929-document-analytics-11
* Patch: analytics events 11 (#6303)
* Remove @identity.idp.event_name - As of #6294, having it will cause build breakage since it's an unknown tag
* Remove blank lines
* Add clearer comments for each event
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
There is a chance we won't be able to roll out a compliant IAL2 flow with the USPS letter flow in place. This commit adds the ability to remove the letter flow option from strict IAL2 if that does become the case. * changelog: Upcoming Features, Proofing, The ability to disable the option to proof with a letter during IAL2 strict was added
changelog: Analytics, Document authorization, updates
* Translate labels for IdV app step indicator. **Why**: So that labels are shown in the user's preferred language. changelog: Upcoming Features, Identity Verification, Add personal key step screen
* Create type for step indicator steps. See: https://github.com/18F/identity-idp/pull/6310/files#r866030157 Co-Authored-By: Zach Margolis <zbmargolis@gmail.com>
Co-authored-by: Zach Margolis <zbmargolis@gmail.com>
changelog: Internal, Maintenance, Remove references to deprecated and renamed session keys
#6282)
* LG-6204/LG-6220: capture user pii in a signed JWT and pass to frontend skip changelog
* unpack the pii from the user token and make data available to the flow
* rename 'UserBundleTokenizer#call' to 'UserBundleTokenizer#token'
* cleanup [skip changelog]
* update param name in CompleteController#create
* parse just the payload of the jwt. Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* don't include service provider in jwt until/unless we need it. Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Show IdV app alert message relevant for current step. **Why**: So that the personal key success alert message won't be shown for all steps, as we continue to expand the flow. changelog: Upcoming Features, Identity Verification, Add password confirmation step
* Add specs
* Extract getStepMessage. Avoid clunky switch assignment. See: #6311 (comment)
changelog: Bug Fixes, Telephony, Improve error handling when receiving unexpected telephony API responses
* Enable idv_api_enabled_steps in development
**Why**: Since it's reasonably functional
* Handle JavaScript context for click_acknowledge_personal_key
* Revert click_acknowledge_personal_key general behavior
Some tests expect it only to open the modal, not confirm. Update "'idv confirmation step'" shared examples instead
* Update focus element name assertion
Test instead by user-facing label
* Enable JS for GPO disabled verify flow
* Improve compatibility for new personal key verify step
* Use JS driver for OIDC specs IDV scenario
* Don't disambiguate button click labels
Because it will highlight where we're using no-JS on this page, and we should update them all to use JS
* Opt-in more specs visiting personal key to JS
* Confirm personal key for JS-enabled specs
Previously, most of these specs had JS disabled, so it was expected the user would continue to the next step immediately upon clicking personal key "Continue", since we didn't have the modal confirmation in no-JS contexts. But now we're requiring JS for this step, so modal will be shown, and user must enter and confirm their personal key.
* Avoid referencing "_url" when visiting pages
Since they use 'example.com' as host (should they be?)
* Improve personal key helper logic to be generically acceptable
don't rely on specific IDs or CSS classes, check for content instead
* Improve reproof after lockout JS compatibility
(1) don't rely on URL, since domain name is incorrect
(2) don't complete redirect back to SP, since there is no server accepting requests on that port
* Remove JS-specific SAML override
let's see what breaks, cuz its presence is currently breaking some specs
* Check hidden content for SSN on confirmation screen
If run with JS enabled, the text is hidden by default, but can be toggled as visible. The unmasked SSN exists in content as hidden.
* Try using capybara-webmock to mock external requests
Since capybara JS drivers run requests in a real browser, redirected SP requests will 404
* Try skipping response_headers checking for JS-enabled specs
* Slowly devolving to desperation
* Limit ACS_URL override to JavaScript drivers
Where page.server.host is reliably defined
* Update Sp attribute redirect URL test for JS ACS_URL
Since the user would actually be redirected in a real browser
* Use Rack driver for OIDC confirmation via page.driver.post
* Update sign_in.rb
* Update sign_in.rb
* Guard profile encryption for valid user
Presumably we relied previously on PII being false in most cases. A handful of tests create a profile without a valid user attached to it, so now that we're assigning default PII for profiles, we should also only actually encrypt it if there's a valid user
* Re-enable SAML handoff path assertion
* Revert some now-hopefully-unnecessary URL -> path updates
In 259c213 we're now reliably setting default_url_options so that the URL will be generated correctly and we don't have to test path
* Require PII opt-in for profile stubs
too many tests assume it won't be there (probably a problem worth resolving)
* Force JS interactivity for non-interactable elements
Selenium::WebDriver::Error::ElementNotInteractableError:
element not interactable
* Drop CSP check on JS requests
Capybara::NotSupportedByDriverError:
Capybara::Driver::Base#response_headers
shouldn't redirect if invalid CSP target?
* Add changelog
changelog: Upcoming Features, Identity Verification, Add personal key step screen
* Enable personal key steps everywhere but production
So that they're enabled in test
* Fix enabled steps referenced as strings, not symbols
* Enable JS for proofing component feature spec
* Update complete_proofing_steps to confirm personal key
* Refactor specs for personal key enabled by default in test env
* Opt-in review feature spec
* Opt-in strict reproof specs
* Update accessibility spec URL assertions
* Check current path in array
* Expand PII accordion before asserting content
JS browser would not have visibility to content otherwise
* Acknowledge personal key in new JS-enabled specs
* Reuse common helper for cross-feature compat
* Open personal key confirmation modal when JS enabled
* Escape value of xml_doc in SAML test view
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Allow some delay for phone -> review
When JS is enabled, previous step triggers spinner button, and there may be a brief delay before review step is shown. Avoid spec flakiness by allowing some wait for the review path to be shown.
precedent: https://github.com/18F/identity-idp/blob/e7501424b59f887aa12bd255f69de03502969fa0/spec/features/idv/proofing_components_spec.rb#L25
* More JS
* Revert to personal key enabled in development only
So that tests run against the in-production version, but we re-run personal key pages with both sides of the toggle
* Use click_idv_continue for phone step progression
Because it's a spinner button, we need to be able to wait for navigation to complete
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* add failing specs
* Do not attempt to display phone if it is invalid
changelog: Bug Fixes, Authentication, Fix 500 when phone ID is invalid
**Why:** This needs to be configured as a separate item after upgrading the saml_idp gem. This commit also restricts remote logout requests to the POST HTTP method since that is the only binding we're supporting for that functionality (not HTTP-Redirect) changelog: Improvements, Authentication, Add SAML remote logout endpoint to metadata
* changelog: feature, prevent phone from being the only mfa method when multi-mfa-option feature flag is enabled, LG-6167
* Create partial for mfa selection checkboxes with js validation and sass
* update tests
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* LG-6204: Populate initial values based on IdV app enabled steps. **Why**: Because initial values should be limited to whichever step is earliest in the enabled set of steps. changelog: Upcoming Features, Identity Verification, Add password confirmation step
* Simplify verify route to specify step as parameter. So that we can assert specific steps in specs via URL helpers, e.g. `idv_app_path(step: 'personal_key')`
* Limit before_action based on first step
* idv_app_root_path -> idv_app_path
* Validate step only if present. **Why**: So that root URL renders the app
* Remove password_confirm from verify steps. Because it's not yet implemented as of this branch
* Guard possibly-undefined userBundleToken
* Remove redundant const STEP_NAMES. Duplicates same info we should expect from enabled_step_names config
* Redirect root path to first step. So step name is always in the URL
changelog: Internal, Optimization, Do not create sp_costs for unused cost types
**Why:** Several partners have requested the ability to have users sign in at the maximum level of identity assurance they have obtained without sending multiple requests to determine whether a user has a verified credential or not. The SAML spec does support a `Comparison` attribute for the `<RequestedAuthnContext>` element that can be set to "exact" (the default), "minimum", "maximum", or "better". These determine what authentication context the response should meet relative to the requested AuthnContext in the SAML request. The specific implementation of how those are treated is left up to the responder (in this case, Login.gov). In this commit, we add the capability for Login.gov to send a user back with either an auth-only or verified credential to an SP configured to receive verified attributes when they request the IAL1 AuthnContext with a Comparison attribute set to "minimum". This does not change the behavior when the IAL2 AuthnContext is requested or when the SP is not configured to receive verified attributes. This also includes more comprehensive feature specs for both the overall behavior as well as billing records in the `sp_redirect_logs` table. changelog: Improvements, Authentication, Support IALMAX using the SAML Comparison attribute
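An added illustration of the Comparison="minimum" handling described in the commit above (example code written for this page, not identity-idp's own implementation): it pulls the Comparison attribute and AuthnContextClassRef out of a constructed AuthnRequest and decides which assurance level the responder should assert back, upgrading an IAL1 request to IAL2 only when the SP is configured for verified attributes and the user actually holds a verified profile. The IAL URNs, the function names and the symbolic `:verification_required` / `:unsupported_context` results are assumptions for the example.

```ruby
require 'rexml/document'

# Assumed AuthnContextClassRef values for the two assurance levels (not taken from the page).
IAL1 = 'http://idmanagement.gov/ns/assurance/ial/1'.freeze
IAL2 = 'http://idmanagement.gov/ns/assurance/ial/2'.freeze

SAML_NS = {
  'samlp' => 'urn:oasis:names:tc:SAML:2.0:protocol',
  'saml' => 'urn:oasis:names:tc:SAML:2.0:assertion',
}.freeze

# Constructed sample AuthnRequest: an SP asks for IAL1 with Comparison="minimum".
SAMPLE_AUTHN_REQUEST = <<~XML
  <samlp:AuthnRequest xmlns:samlp="#{SAML_NS['samlp']}" xmlns:saml="#{SAML_NS['saml']}"
      ID="_constructed-example" Version="2.0" IssueInstant="2022-05-11T00:00:00Z">
    <samlp:RequestedAuthnContext Comparison="minimum">
      <saml:AuthnContextClassRef>#{IAL1}</saml:AuthnContextClassRef>
    </samlp:RequestedAuthnContext>
  </samlp:AuthnRequest>
XML

# Extract the requested context. Comparison defaults to "exact" when absent, as the SAML spec says.
def requested_authn_context(authn_request_xml)
  doc = REXML::Document.new(authn_request_xml)
  rac = REXML::XPath.first(doc, '//samlp:RequestedAuthnContext', SAML_NS)
  return { comparison: 'exact', class_ref: nil } if rac.nil?
  ref = REXML::XPath.first(rac, 'saml:AuthnContextClassRef', SAML_NS)
  { comparison: rac.attributes['Comparison'] || 'exact', class_ref: ref&.text&.strip }
end

# Decide which assurance level to assert in the response.
#   requested:         AuthnContextClassRef from the request
#   comparison:        Comparison attribute ("exact", "minimum", "maximum" or "better")
#   user_verified:     whether the user holds an active verified (IAL2) profile
#   sp_verified_attrs: whether this SP is configured to receive verified attributes
def resolve_ial(requested:, comparison:, user_verified:, sp_verified_attrs:)
  case requested
  when IAL2
    # IAL2 requests are unchanged: the user must be verified regardless of Comparison.
    user_verified ? IAL2 : :verification_required
  when IAL1
    # Only "minimum" upgrades an IAL1 request, and only when the SP may receive
    # verified attributes and the user actually has them; every other case stays IAL1.
    if comparison == 'minimum' && sp_verified_attrs && user_verified
      IAL2
    else
      IAL1
    end
  else
    :unsupported_context
  end
end

# Usage: resolve the constructed request for a verified user at an SP that receives verified attributes.
ctx = requested_authn_context(SAMPLE_AUTHN_REQUEST)
resolve_ial(requested: ctx[:class_ref], comparison: ctx[:comparison],
            user_verified: true, sp_verified_attrs: true) # => IAL2
```

The assurance level this returns is what goes into the response's AuthnContextClassRef, so the SP can tell from the assertion itself which credential it received.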
changelog: Upcoming feature, multi-factor-authentication, complete sad path flow Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Yeah, I think I pulled it early in the morning, so it must've gotten older code. All those are now included.
aduth approved these changes on May 11, 2022
**Why:** We require logout requests to be signed but not all SAML clients send signed logout requests by default. Turning this on caused certain SAML clients that weren't previously sending SLO requests to us to start sending SLO requests, so this allows us to ease into this. [skip changelog]