Merged
Add user reminder about backup codes feature
changelog: Internal, Authentication, Add backup code reminder MFA (LG-6885)
changelog: Internal, Attempts API, Captures client port number
**Why**: Since the URL selected for the help center content is different than the URL we assumed it would be in the code implementation.
changelog: Upcoming Features, In-person proofing, Add links to help center articles for in-person proofing
* Remove CircleCI
  changelog: Internal, Continuous Integration, Remove CircleCI
* remove other stuff
* changelog: Internal, Attempts API, Adds logging for IRS at MFA selection (LG-6979)
* changelog: Internal, Attempts API, Add Logging for MFA selection (LG-6979)
* LG-6979: update config
* restore tracker event
* array string
* LG-6986 LG-7240 WebAuthn Enroll Failure logging
  changelog: Internal, Attempts API, Track additional events
* Symbolize keys in payload
  Better compat with kwargs splatting
* Update event argument to match client-side payload
  See: https://github.com/18F/identity-idp/blob/b90f21d6ff2804850190016e254c94bc8adb782c/app/javascript/packages/document-capture/components/acuant-capture.jsx#L425
* Update spec to assert expected payload
* add a regression spec for the frontend logs controller
* get frontend log controller tests passing
* remove symbolize keys
* Remove named kwargs
  Logs same data, hash as string keys
* Add changelog
  changelog: Bug Fixes, Logging, Resolve error with frontend logging
Co-authored-by: Jonathan Hooper <jonathan.hooper@gsa.gov>
* LG-7091: submitted
* changelog: Internal, Account Recovery, Submit log when account request is submitted (LG-7091)
* remove binding.pry
* remove binding.pry
* request controller spec
* account reset rubocop
* update text
Enforce 'indented' style, and correct existing occurrences
changelog: Internal, Rubocop, Enable MultilineMethodCallIndentation=indented
* placeholder
* encrypt events with AES-256-GCM
* Encrypt IRS Attempts API in compressed envelope
  changelog: Upcoming Features, IRS Attempts API, Refactor API to better conform to Attempts API Specification
* rename Encryptor to EnvelopeEncryptor
* Move gzip into EnvelopeEncryptor
* formatting fix
* add #formatted_timestamp spec
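An added illustration of the compressed-envelope scheme these commits name (gzip, then AES-256-GCM), written for this page and not the project's EnvelopeEncryptor: the envelope layout (12-byte nonce, 16-byte tag, then ciphertext), the key source, the AAD and the sample event are assumptions.

```ruby
require 'openssl'
require 'zlib'
require 'securerandom'

# Added example (not the project's EnvelopeEncryptor): gzip an event, then seal
# it with AES-256-GCM. Assumed envelope layout:
#   12-byte nonce || 16-byte GCM tag || ciphertext
NONCE_LEN = 12
TAG_LEN = 16

def generate_event_key
  SecureRandom.random_bytes(32) # AES-256 requires a 32-byte key
end

# Compress, then encrypt. `aad` is authenticated but sent in the clear, so it
# suits metadata (e.g. a timestamp) that the receiver must see unmodified.
def seal_event(key, json_event, aad: '')
  compressed = Zlib.gzip(json_event)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  nonce = cipher.random_iv # fresh 12-byte nonce per event; never reuse under one key
  cipher.auth_data = aad
  ciphertext = cipher.update(compressed) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# GCM checks the tag inside `final`, so nothing is decompressed unless the
# whole envelope and the AAD authenticate. Returns nil on any failure rather
# than reporting which check failed.
def open_event(key, envelope, aad: '')
  return nil if envelope.bytesize <= NONCE_LEN + TAG_LEN
  nonce = envelope.byteslice(0, NONCE_LEN)
  tag = envelope.byteslice(NONCE_LEN, TAG_LEN)
  ciphertext = envelope.byteslice((NONCE_LEN + TAG_LEN)..-1)
  decipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  decipher.key = key
  decipher.iv = nonce
  decipher.auth_tag = tag
  decipher.auth_data = aad
  compressed = decipher.update(ciphertext) + decipher.final
  Zlib.gunzip(compressed)
rescue OpenSSL::Cipher::CipherError, Zlib::Error
  nil
end

# Constructed sample event and AAD; not a real Attempts API record.
SAMPLE_EVENT = '{"event_type":"mfa-login-backup-code","success":true}'.freeze
SAMPLE_AAD = 'iat=2022-08-24T00:00:00Z'.freeze
```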
* LG-7142-gpo-welcome-back
* LG-7290 Unify naming of irs attempts tracker event
  changelog: Internal, Attempts API, Track additional events
* Remove custom "Required" validation message
  **Why**:
  - They are inconsistent with desired error feedback UX, which should be implemented as design system error messages via ValidatedFieldComponent.
  - Improves performance of critical path by reducing JavaScript (and locale data) bundle size.
  - For context, the Sign In page loads locale data which includes only this one string for required fields.
  - Contributes toward removal of form-validation pack, to be removed between this and #6771
  changelog: Improvements, Form Validation, Use consistent error message feedback for form validation
* Use ValidatedFieldComponent for "Sign In" email field
  **Why**: For consistent error feedback
* Omit specs for removed behaviors
[skip changelog]
**Why**: This code was implemented but never used in production. Drift has made it such that it no longer works.
changelog: Internal, Code Cleanup, Unused mail bounced code was removed
[skip changelog]
* Add ButtonComponent unstyled, full_width options
  Add Danger support to ButtonComponent
  Update specs for ButtonComponent
* Add SubmitButtonComponent View Component
  Add SubmitButtonComponent specs
  Add specs for SubmitButtonElement
  Add documentation for SubmitButton package
* Customize SimpleForm to use custom SubmitButtonComponent
* Replace form-validation global submit handling with SimpleForm
  **Why**:
  - So that submit button behaviors are self-contained
  - To work towards being able to use SimpleForm helpers directly instead of through a wrapper (validated_form_for)
  - To simplify button appearance customization through forwarded button options
  changelog: Internal, Code Quality, Use common submit button handling
* Set big, wide as SubmitButtonComponent default
* Remove unused alert element
* Convert more submit buttons to simplify CSS class assignment
* Avoid big, wide for unstyled submit button
* Add support for block content to submit form builder
  For consistency with default form builder behavior, and to allow better support for shared options and varied content
  Ref: https://github.com/rails/rails/blob/c13856e477d6c6b8b4a86652cd997cc94890710d/actionview/lib/action_view/helpers/form_helper.rb#L2633-L2635
* Correct device choice button as non-wide
* Assign content as explicit first argument
  More readable
* Target button by element selector
  Less prescriptive
* Fix pw-strength selector
  Previously button would render as input[type=submit], now as button[type=submit]
* Find button form by traversing ancestor
  Since it's now wrapped with lg-submit-button
* Fix XPath spec references to submit button as input element
  Now it's a button element
* changelog: Internal, Account Recovery, add Attempt API for cancel account deletion request (LG-7092)
* add rubocop
* rubocop
**Why**: Because it's no longer needed as of #6771, since the purpose was to enhance forms with behaviors provided by the `form-validation.js` script, which was removed in #6771. The helper is now essentially an alias for simple_form_for, so we can call it directly instead.
changelog: Internal, Code Quality, Use common submit button handling
* Don't include ThreatMetrix JS tag w/o session_id
* Remove ThreatMetrix from IPP flow
  Limiting scope of ThreatMetrix rollout for now
  changelog: Upcoming Features, ThreatMetrix, Remove ThreatMetrix from in-person proofing flow.
* Don't make ThreatMetrix API call w/o a session id
  For IPP, no session ID will be available, so we should not make the call to avoid leaking user data.
* Update app/views/idv/shared/_ssn.html.erb
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Update app/jobs/resolution_proofing_job.rb
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Update IPP ssn tests
  Keep test, but make it for the new behavior (no session id added)
* Lint
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Added attempt events when user is locked out - sms
  changelog: Internal, Attempts API, Track additional events
* Updated code to complete lg7201
* linter fixes
* updated event descriptions
* updated backup_code to support new events
* removed default parameter based on feedback
* lint fix
* Resolved Merge conflicts
* Fixed login_piv_cac description regression
* Updating types to deal with new native camera attempts
  -- What
  With the addition of new checks for `maxAttemptsBeforeNativeCamera`, which triggers the use of the native camera after a certain number of failed Acuant attempts, we needed to update some of the type definitions. In addition to doing so, we have converted several of the affected files to full TypeScript (from JSDoc annotations).
* Post-rebase fixes
  changelog: Improvements, TypeScript, rebasing typescript changes on main and associated fixes
* Fixing linting issues
  changelog: Improvements, TypeScript, fixing linting issues
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Fixing incorrect optional props in ImageAnalyticsPayload
  Also switching to the global window object, which already is annotated with the AcuantJavaScriptWebSdk interface
  changelog: Improvements, TypeScript, updating interface property types
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Update app/javascript/packages/document-capture/components/acuant-capture.tsx
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Using interface extension for TS types
  Additionally, I have renamed failed-capture-context.jsx to tsx explicitly
  changelog: Improvements, TypeScript, updating type definitions
* Removing dead type definition
  changelog: Improvements, TypeScript, removing old type definition
Co-authored-by: Eric Gade <ecgade@macbook-m1.home>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Add subresource integrity attribute for JavaScript packs
  **Why**: For additional protection against script manipulation, particularly in combination with CDN.
  See: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
  changelog: Improvements, Security, Enable subresource integrity for JavaScript
* Add specs
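An added example of what the subresource integrity attribute carries and how the browser-side check works, written for this page and not the project's pack helper: the helper names, the script path and the script contents are constructed.

```ruby
require 'digest/sha2'

# Added example (not the project's pack helper): compute an SRI integrity value
# for a script's bytes and check fetched bytes against it.
SRI_DIGESTS = {
  'sha256' => Digest::SHA256,
  'sha384' => Digest::SHA384,
  'sha512' => Digest::SHA512,
}.freeze

# "<alg>-<base64 digest>", the form the integrity attribute expects.
def sri_value(content, algorithm: 'sha384')
  digest = SRI_DIGESTS.fetch(algorithm) do
    raise ArgumentError, "unsupported SRI algorithm: #{algorithm}"
  end
  "#{algorithm}-#{[digest.digest(content)].pack('m0')}"
end

# Tag as a pack helper would render it. crossorigin is needed for a CDN-hosted
# script: without it the browser cannot read the response bytes to hash them.
def sri_script_tag(src, content)
  %(<script src="#{src}" integrity="#{sri_value(content)}" crossorigin="anonymous"></script>)
end

# Server-side model of the browser check. An integrity attribute may list
# several values separated by whitespace; browsers keep only the strongest
# algorithm present and accept the script if any value for it matches.
def sri_matches?(content, integrity)
  by_alg = integrity.split.group_by { |v| v.split('-', 2).first }
  strongest = SRI_DIGESTS.keys.reverse.find { |alg| by_alg.key?(alg) }
  return false unless strongest
  by_alg[strongest].include?(sri_value(content, algorithm: strongest))
end
```

A script whose bytes change after the tag was rendered (an altered CDN copy, for instance) no longer matches and the browser refuses to execute it.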
…P pages (#6801)
* LG-6874: Preserve non-blocking errors for each step in React flows
* changelog: Upcoming Features, In-person proofing, Preserve doc auth errors for first couple steps of IPP flow
* LG-6874: Rename values and move useEffect for step error preservation per peer review feedback
This commit disables the FSMv2 tooling that was built in React. The work on this stalled and it is unlikely it will get built in this form. Having it in the main path by default in development is confusing. [skip changelog]
…#6808)
changelog: Bug Fixes, API, Fix 500 error when not providing Authorization header in Attempts API
* Tie in-person nil issuer condition to SP required config
  **Why**: Since it's intended to align to the option being available without an associated service provider only in environments where verification without one is allowed, such as in local development.
  [skip changelog]
* Bump GitLab
* changelog: Internal, Logging, Track Attempt api account complete logged
* add fixes and simplifications
* rubocop
* Trigger Build
* small temporary bugfix for reauthentication param
* also added a fix for submitted event
  changelog: Internal, Attempts API, Bugfix for Events
* Updating rails form hints to be labels
  -- What
  By updating the simple_form initializer wrappers and the configuration of the output in the validated_form template, we ensure that the hints -- if present -- are caught by screen readers. We do this by making the hints a <label> instead of a <div>, and pointing that label to the same input element as the main form's label. This way both the main label and the hint are read by screen readers.
* Updating forgot password link preamble for screen reader
  -- What
  On the Re-Enter Password screen for GPO verify, the text "Forgot password?" that precedes the password reset link is not readable by screen readers. To deal with this, we add the localized text of "Forgot password?" to the `title=` attribute of the link itself inside of the corresponding React component. This ensures that screen readers will read both the link text and the forgot password hint.
  changelog: Improvements, Accessibility, updating password hint
* Switching to basic aria-label and updating tests
  changelog: Improvements, Accessibility, updating aria-label forgot password
* Fixing linting errors in ruby template
  changelog: Improvements, Linting, fixing template formatting
* Simplifying form hint accessibility with describedby
  -- What
  Instead of using two <label> elements to refer to the same input field (which might cause issues and is in a grey area when it comes to correctness), we simply give the hint div a generated id and prepend that id to the input's `aria-describedby` attribute value. (This is in the context of validated field components)
  changelog: Improvements, Accessibility, simplifying validated field hint accessibility
* Fixing formatting lints in erb file
  changelog: Improvements, Formatting, fixing erb linting errors
* Changing forgot password link text per discussion
  -- What
  After some discussion regarding the accessibility/descriptive properties of the "Forgot password?" aria label and subsequent "Follow these instructions" link on the SSN confirmation password entry page of IdV, we decided to change the link text and remove the non-link description entirely. This commit makes that change and updates the localizations (which already existed elsewhere) to match other "forgot password" text around the site. Additionally, we have updated some test assumptions about querying.
* Updating corresponding template and localizations / tests
  -- What
  Because the FSMv2 was still enabled for the React component locally, I was not seeing the template version. This commit updates the template and also removes now unused localizations from the config. I am also updating a couple of Ruby component tests that assumed a single aria-describedby value on labelled validation components with hints, whereas now we supply two values to that attribute
* Update spec/components/validated_field_component_spec.rb
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Update app/javascript/packages/verify-flow/steps/password-confirm/password-confirm-step.tsx
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
* Changing name of validate field hint element id
  changelog: Improvements, Accessibility, element ids
* Switching field error aria description to come before field hint
  -- What
  Previously, the order of the aria-describedby attribute values was reversed from what we would probably want, meaning that if a validation error was present, the error would be read after the hint. We want the error to be read first so users know that something was not right, then provide the hint.
* Update spec/components/validated_field_component_spec.rb
  Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
Add tracking for event forgot_password_email_confirmed
changelog: Internal, Authentication, Add tracking forgot password email confirmed event (LG-7088)
changelog: Improvements, Attempts API, Hash Device UUID for IRS Attempts API
…#6798)
Add tracking for user_registration_password_submitted event
changelog: Internal, Account Recovery, Add tracking for user_registration_password_submitted event (LG-7202)
…ed (#6778)
Add tracking for event forgot_password_new_password_submitted
changelog: Internal, Attempts API, Track forgot_password_new_password_submitted (LG-7089)
* Updating Want a Letter template with emphasis and new locales
  -- What
  Per LG-7141, we are updating the GPO template for the "Want a Letter?" view, with emphasis on specific words and slightly modified localizations.
  changelog: Improvements, Localization, updating want a letter page
* Updating to the _html key format for sanitized html strings
  changelog: Improvements, Design, Updating GPO letter page design
* LG-7303 - send IP address to TMX
  LG-7304 - send app_id to TMX
  changelog: Internal, DDP Proofer, send ip_address and app_id to API
* Switch to keyword args (see what CodeClimate shows) (#6825)
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
…rm their personal key. (#6821)
* LG-7162: Feature flag controlling whether the user is forced to confirm their personal key.
  On by default (current behavior), if disabled will skip the personal key confirmation. Using a feature flag in anticipation of design/content changes that are being worked on.
  changelog: Upcoming Features, Identity Verification, no longer require confirmation of personal key
* Skip the personal key confirmation in the original, deployed, version (i.e., not FSMv2).
* combine two specs to save runtime
changelog: Internal, Attempts API, Track additional events
The initial implementation improperly conflated Rack::Request and ActionDispatch::Request.
changelog: Internal, Attempts API, Fixes client port HTTP header
…6829)
* Allow triggering failures in mock DDP proofer
  Add "magic" SSNs that will trigger 3 separate `review_status` values from the mock LexisNexis DDP proofer:

  | SSN | `review_status` |
  | --- | --- |
  | 666-77-8888 | `"reject"` |
  | 666-77-9999 | `"review"` |
  | 666-77-0000 | `nil` |

  This will support testing of the integration of the proofer into the ID verification flow.
  changelog: Internal, ThreatMetrix, Allow triggering failures in mock DDP proofer (LG-7016)
* Add tests for DdpMockClient
…ion funnel (#6824)
changelog: Internal, Logging, Ensure distinction between WebAuthn Roaming and Platform in registration funnel
aduth (Contributor) approved these changes on Aug 24, 2022
**Why**: because other errors were slipping through and not being rescued correctly
changelog: Bug fixes, Multi-factor authentication, handle errors from vendors better
(cherry picked from commit b31b442)
No description provided.