LG-7014 Device Profiling on the SSN page #6694
Basic tests around inclusion / non-inclusion of the TM <script> tag.
Get _most_ of them passing
changelog: Upcoming Features, Device Profiling, Add ThreatMetrix device profiling to ssn page
app/services/idv/steps/ssn_step.rb
Outdated
| def threatmetrix_session_id | ||
| SecureRandom.uuid | ||
| end |
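Review bot: `threatmetrix_session_id` returns `SecureRandom.uuid` directly, so every call yields a different value; if the view and the step each call it, the ID rendered on the page will not match the one the backend keeps. Generate the value once and read the stored copy afterwards, for example by assigning it into the flow session with `||=`.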
Can we guard it with a feature flag here as well so that we don't put a session ID on the page if the flag is off?
app/views/idv/shared/_ssn.html.erb
Outdated
| <div class="tablet:grid-col-8"> | ||
| <% if IdentityConfig.store.proofing_device_profiling_collecting_enabled %> | ||
| <% unless IdentityConfig.store.lexisnexis_threatmetrix_account_id.empty? || updating_ssn %> | ||
| <%= f.hidden_field :threatmetrix_session_id, value: threatmetrix_session_id %> |
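Review bot: On the `unless` line, `lexisnexis_threatmetrix_account_id.empty?` raises NoMethodError if the setting is ever nil; `blank?` covers both nil and the empty string. The flag check and this condition could also live in one helper so the view and the step cannot drift apart.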
For security/assurance purposes, what if we persisted this ID on the backend, in the session somewhere, instead of printing it to the page?
| 'h-api.online-metrix.net', | ||
| 'h.online-metrix.net', |
let's only add these domains if profiling is enabled?
| '*.nr-data.net', | ||
| 'dap.digitalgov.gov', | ||
| '*.google-analytics.com', | ||
| 'h-api.online-metrix.net', |
This domain will only be accessed by the backend, and doesn't need to be in CSP
| 'h-api.online-metrix.net', |
| 'dap.digitalgov.gov', | ||
| '*.google-analytics.com', | ||
| 'h-api.online-metrix.net', | ||
| 'h.online-metrix.net', |
Something I came across in testing is that when RAILS_ENV is not production, the CSP doesn't get applied.
If proofing_device_profiling_collecting_enabled is true, we should include h.online-metrix.net in CSP for non-production environments.
allow the threatmetrix_session to persist in flow session
app/services/idv/steps/ssn_step.rb
Outdated
| flow_session[:pii_from_doc][:ssn] = flow_params[:ssn] | ||
|
|
||
| if IdentityConfig.store.proofing_device_profiling_collecting_enabled | ||
| flow_session[:threatmetrix_session_id] = threatmetrix_session_id |
Will this overwrite the existing :threatmetrix_session_id (if the user is coming back to edit their SSN)? I think we want to hang on to the original session ID in that case.
It seems like it would, yeah, which we probably want to avoid?
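The session ID handling discussed in the threads above (flag guard, server-side storage, no overwrite when the user returns to edit the SSN), as an added example that is not code from this PR. `Config`, `ensure_profiling_session_id` and `profiling_script_url` are hypothetical names, the session is a plain Hash, and `URI.encode_www_form` stands in for the project's `URIService.add_params` helper.

```ruby
require 'securerandom'
require 'uri'

# Hypothetical stand-in for the app's feature flag and org id settings.
Config = Struct.new(:profiling_enabled, :org_id, keyword_init: true)

TAGS_JS = 'https://h.online-metrix.net/fp/tags.js' # URL as it appears in the PR

# Assign the profiling session ID once, server-side, and only when the flag
# is on. `session` is any Hash-like per-user store (a plain Hash here).
# `||=` keeps the original ID when the user comes back to the step.
def ensure_profiling_session_id(session, config)
  return nil unless config.profiling_enabled

  session[:threatmetrix_session_id] ||= SecureRandom.uuid
end

# Build the script URL from the stored ID. Returns nil whenever the tag
# should not be rendered, so the view needs only one nil check.
def profiling_script_url(session, config, updating_ssn: false)
  return nil unless config.profiling_enabled
  return nil if config.org_id.to_s.empty? || updating_ssn

  id = session[:threatmetrix_session_id]
  return nil if id.nil?

  # encode_www_form escapes both values instead of interpolating them.
  query = URI.encode_www_form(org_id: config.org_id, session_id: id)
  "#{TAGS_JS}?#{query}"
end
```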
| if IdentityConfig.store.proofing_device_profiling_collecting_enabled | ||
| script_src << 'h.online-metrix.net' | ||
| end | ||
|
|
After talking with @zachmargolis, I realized that I gave some bad guidance here. Let's not modify CSP in all environments: We want to ensure that we are not making calls to 3rd parties outside of production / staging. Apologies!
| if IdentityConfig.store.proofing_device_profiling_collecting_enabled | |
| script_src << 'h.online-metrix.net' | |
| end |
We'd still need some CSP revisions for this to work at all, wouldn't we? I would expect some script_src, connect_src, and iframe_src.
That's my understanding as well
I think we'll need the following:
- script_src
- connect_src
- child_src
- image_src
(I'll leave a followup ticket for CSP stuff)
Out of curiosity, why would image_src be needed? I follow the other ones since we have tags for script/iframe and I presume the script will make calls (therefore connect_src).
ThreatMetrix uses <img> tags as part of its profiling, loading up images sourced from h.online-metrix.net
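The CSP rules agreed in the threads above, as an added example that is not code from this PR: the browser-facing host is added only when profiling is enabled and only in production or staging, in the four directives listed, while the backend-only `h-api` host stays out. The baseline policy, `build_csp` and `directives_allowing` are constructed for illustration, and the directives use their CSP header names (`img-src` for what the thread calls image_src).

```ruby
PROFILING_HOST = 'h.online-metrix.net' # browser-facing host named in the PR
# h-api.online-metrix.net is called only by the backend, so it is left out.
PROFILING_DIRECTIVES = %w[script-src connect-src child-src img-src].freeze
THIRD_PARTY_ENVS = %w[production staging].freeze # environments named in the thread

# Constructed baseline policy; the app's real policy is not shown on the page.
BASE_POLICY = {
  'default-src' => ["'self'"],
  'script-src' => ["'self'"],
  'connect-src' => ["'self'"],
  'child-src' => ["'self'"],
  'img-src' => ["'self'", 'data:'],
}.freeze

# Return the Content-Security-Policy header value for one environment.
def build_csp(profiling_enabled:, env:)
  policy = BASE_POLICY.transform_values(&:dup) # never mutate the baseline
  if profiling_enabled && THIRD_PARTY_ENVS.include?(env)
    PROFILING_DIRECTIVES.each { |d| policy[d] << PROFILING_HOST }
  end
  policy.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
end

# List the directives of a policy string that allow `host`; useful in a spec
# that pins down exactly where a third-party host is permitted.
def directives_allowing(csp, host)
  csp.split(';').map(&:split).select { |_, *srcs| srcs.include?(host) }.map(&:first)
end
```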
Co-authored-by: Matt Hinz <matthinz@gmail.com>
app/services/idv/steps/ssn_step.rb
Outdated
| flow_session[:pii_from_doc][:ssn] = flow_params[:ssn] | ||
|
|
||
| if IdentityConfig.store.proofing_device_profiling_collecting_enabled | ||
| flow_session[:threatmetrix_session_id] = threatmetrix_session_id |
Will we want this to be present in the in-person proofing flow version of the SSN step as well?
That is a very good question, I am not 100% certain, we need to confirm
update: Let's include this on all instances of the SSN page and we can add more specific feature flags if needed
…y-idp into lg-7014-device-profiling-ssn
| end | ||
|
|
||
| def threatmetrix_session_id | ||
| return nil if !IdentityConfig.store.proofing_device_profiling_collecting_enabled |
Do we need to check IdentityConfig.store.proofing_device_profiling_collecting_enabled twice (here and in the call function)?
app/services/idv/steps/ssn_step.rb
Outdated
| end | ||
|
|
||
| def threatmetrix_session_id | ||
| return nil if !IdentityConfig.store.proofing_device_profiling_collecting_enabled |
Same as above, do we need to check IdentityConfig.store.proofing_device_profiling_collecting_enabled twice (here and in the call function)?
| flow_session[:pii_from_doc].nil? | ||
| end | ||
|
|
||
| def updating_ssn |
let's file a FIXME ticket and see if we can find a way to share code with these two SSN steps? In case we ever add a 3rd?
|
|
||
| <% if IdentityConfig.store.proofing_device_profiling_collecting_enabled %> | ||
| <% unless IdentityConfig.store.lexisnexis_threatmetrix_org_id.empty? || updating_ssn %> | ||
| <script type="text/javascript" src="https://h.online-metrix.net/fp/tags.js?org_id=<%= IdentityConfig.store.lexisnexis_threatmetrix_org_id %>&session_id=<%= flow_session[:threatmetrix_session_id] %>"> |
Questions, maybe we can address in a follow-up PR later, but:
- Do we need to worry about adding a nonce to this <script> tag so our CSP will allow it in prod? ex
- What if we used our URIService.add_params helper so we don't have to manually interpolate?
| <script type="text/javascript" src="https://h.online-metrix.net/fp/tags.js?org_id=<%= IdentityConfig.store.lexisnexis_threatmetrix_org_id %>&session_id=<%= flow_session[:threatmetrix_session_id] %>"> | |
| <script type="text/javascript" src="<%= URIService.add_params("https://h.online-metrix.net/fp/tags.js", org_id: IdentityConfig.store.lexisnexis_threatmetrix_org_id, session_id: flow_session[:threatmetrix_session_id]) %>"> |
Another thought, we may want to turn the domain into a config value but that's not needed right now
I'll create a follow up ticket for these.
Can we address the comment at #6694 (comment) ?
| Idv::Flows::InPersonFlow.new(controller, {}, 'idv/in_person').tap do |flow| | ||
| flow.flow_session = { | ||
| pii_from_user: {}, | ||
| threatmetrix_session_id: threatmetrix_session_id, |
if this sets the session id... then what does the assertion check below? should we leave it blank here to make sure it gets assigned?
Why? Updating the SSN page to enable LexisNexis ThreatMetrix device profiling in the form of a javascript embed.