LG-8387 Prevent Threatmetrix pending users from doing IdV sign ins

app/controllers/concerns/threatmetrix_review_concern.rb

@@ -0,0 +1,16 @@
+module ThreatmetrixReviewConcern
+  extend ActiveSupport::Concern
+
+  def handle_pending_threatmetrix_review
+    redirect_to_threatmetrix_review if threatmetrix_review_pending?
+  end
+
+  def redirect_to_threatmetrix_review
+    redirect_to idv_setup_errors_url
+  end
+
+  def threatmetrix_review_pending?
+    return false unless user_fully_authenticated?
+    current_user.decorate.threatmetrix_review_pending?
+  end
+end

app/controllers/idv/doc_auth_controller.rb

@@ -1,6 +1,7 @@
 module Idv
   class DocAuthController < ApplicationController
     before_action :confirm_two_factor_authenticated
+    before_action :handle_pending_threatmetrix_review
     before_action :redirect_if_pending_profile
     before_action :redirect_if_pending_in_person_enrollment
     before_action :extend_timeout_using_meta_refresh_for_select_paths
@@ -9,6 +10,7 @@ class DocAuthController < ApplicationController
     include Flow::FlowStateMachine
     include Idv::DocumentCaptureConcern
     include Idv::ThreatMetrixConcern
+    include ThreatmetrixReviewConcern
 
     before_action :redirect_if_flow_completed
     before_action :override_document_capture_step_csp

app/controllers/idv_controller.rb

@@ -2,8 +2,10 @@ class IdvController < ApplicationController
   include IdvSession
   include AccountReactivationConcern
   include InheritedProofingConcern
+  include ThreatmetrixReviewConcern
 
   before_action :confirm_two_factor_authenticated
+  before_action :handle_pending_threatmetrix_review
   before_action :profile_needs_reactivation?, only: [:index]
 
   def index

app/controllers/openid_connect/authorization_controller.rb

@@ -7,6 +7,7 @@ class AuthorizationController < ApplicationController
     include AuthorizationCountConcern
     include BillableEventTrackable
     include InheritedProofingConcern
+    include ThreatmetrixReviewConcern
 
     before_action :build_authorize_form_from_params, only: [:index]
     before_action :pre_validate_authorize_form, only: [:index]
@@ -20,6 +21,7 @@ class AuthorizationController < ApplicationController
     before_action :bump_auth_count, only: [:index]
 
     def index
+      return redirect_to_threatmetrix_review if threatmetrix_review_pending_for_ial2_request?
       return redirect_to_account_or_verify_profile_url if profile_or_identity_needs_verification?
       return redirect_to(sign_up_completed_url) if needs_completion_screen_reason
       link_identity_to_service_provider
@@ -84,6 +86,11 @@ def redirect_to_account_or_verify_profile_url
       redirect_to(idv_url) if identity_needs_verification?
     end
 
+    def threatmetrix_review_pending_for_ial2_request?
+      return false unless @authorize_form.ial2_or_greater?
+      threatmetrix_review_pending?
+    end
+
     def profile_or_identity_needs_verification?
       return false unless @authorize_form.ial2_or_greater?
       profile_needs_verification? || identity_needs_verification?

app/controllers/saml_idp_controller.rb

@@ -12,6 +12,7 @@ class SamlIdpController < ApplicationController
   include AuthorizationCountConcern
   include BillableEventTrackable
   include SecureHeadersConcern
+  include ThreatmetrixReviewConcern
 
   prepend_before_action :skip_session_load, only: [:metadata, :remotelogout]
   prepend_before_action :skip_session_expiration, only: [:metadata, :remotelogout]
@@ -24,6 +25,7 @@ class SamlIdpController < ApplicationController
 
   def auth
     capture_analytics
+    return redirect_to_threatmetrix_review if threatmetrix_review_pending? && ial2_requested?
     return redirect_to_verification_url if profile_or_identity_needs_verification_or_decryption?
     return redirect_to(sign_up_completed_url) if needs_completion_screen_reason
     if auth_count == 1 && first_visit_for_sp?

app/decorators/user_decorator.rb

@@ -77,6 +77,14 @@ def password_reset_profile
     profile if profile&.password_reset?
   end
 
+  def threatmetrix_review_pending?
+    @threatmetrix_review_pending ||= threatmetrix_review_pending_profile.present?
+  end
+
+  def threatmetrix_review_pending_profile
+    user.profiles.threatmetrix_review_pending.order(created_at: :desc).first
+  end
+
   def qrcode(otp_secret_key)
     options = {
       issuer: APP_NAME,

app/services/idv/steps/verify_base_step.rb

@@ -242,7 +242,7 @@ def async_state_done(current_async_state)
           # todo: add other edited fields?
           extra: {
             address_edited: !!flow_session['address_edited'],
-            pii_like_keypaths: [[:errors, :ssn]],
+            pii_like_keypaths: [[:errors, :ssn], [:response_body, :first_name]],
           },
         )
         pii_from_doc = pii || {}

spec/decorators/user_decorator_spec.rb

@@ -307,6 +307,25 @@
     end
   end
 
+  describe '#threatmetrix_review_pending_profile' do
+    let(:user) { create(:user) }
+    subject(:decorated_user) { UserDecorator.new(user) }
+
+    context 'with a threatmetrix review pending profile' do
+      it 'returns the profile' do
+        profile = create(
+          :profile, user: user, active: false, deactivation_reason: :threatmetrix_review_pending
+        )
+
+        expect(decorated_user.threatmetrix_review_pending_profile).to eq(profile)
+      end
+    end
+
+    context 'without a threatmetrix review pending profile' do
+      it { expect(decorated_user.threatmetrix_review_pending_profile).to eq(nil) }
+    end
+  end
+
   describe '#delete_account_bullet_key' do
     let(:user_decorator) { UserDecorator.new(build_stubbed(:user)) }
 

spec/features/idv/threatmetrix_pending_spec.rb

@@ -0,0 +1,57 @@
+require 'rails_helper'
+
+RSpec.feature 'Users pending threatmetrix review', :js do
+  include IdvStepHelper
+
+  before do
+    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_enabled).and_return(true)
+    allow(IdentityConfig.store).to receive(:lexisnexis_threatmetrix_required_to_verify).
+      and_return(true)
+    allow(IdentityConfig.store).to receive(:proofing_device_profiling_decisioning_enabled).
+      and_return(true)
+  end
+
+  scenario 'users pending threatmetrix see sad face screen and cannot perform idv' do
+    user = create(:user, :signed_up)
+
+    start_idv_from_sp
+    sign_in_and_2fa_user(user)
+    complete_doc_auth_steps_before_ssn_step
+    select 'Reject', from: :mock_profiling_result
+    complete_ssn_step
+    click_idv_continue
+    complete_phone_step(user)
+    complete_review_step(user)
+    acknowledge_and_confirm_personal_key
+
+    expect(page).to have_content(t('idv.failure.setup.heading'))
+    expect(page).to have_current_path(idv_setup_errors_path)
+
+    # User unable to sign into OIDC with IdV
+    set_new_browser_session
+    OtpRequestsTracker.destroy_all
+    start_idv_from_sp(:oidc)
+    sign_in_live_with_2fa(user)
+
+    expect(page).to have_content(t('idv.failure.setup.heading'))
+    expect(page).to have_current_path(idv_setup_errors_path)
+
+    # User unable to sign into SAML with IdV
+    set_new_browser_session
+    OtpRequestsTracker.destroy_all
+    start_idv_from_sp(:saml)
+    sign_in_live_with_2fa(user)
+
+    expect(page).to have_content(t('idv.failure.setup.heading'))
+    expect(page).to have_current_path(idv_setup_errors_path)
+
+    # User able to sign for IAL1
+    set_new_browser_session
+    OtpRequestsTracker.destroy_all
+    visit_idp_from_sp_with_ial1(:oidc)
+    sign_in_live_with_2fa(user)
+    click_agree_and_continue
+
+    expect(current_path).to eq('/auth/result')
+  end
+end

spec/support/controller_helper.rb

@@ -73,6 +73,7 @@ def stub_decorated_user_with_pending_profile(user)
     allow(user).to receive(:pending_profile).and_return(pending_profile)
     allow(decorated_user).to receive(:pending_profile_requires_verification?).
       and_return(has_pending_profile)
+    allow(decorated_user).to receive(:threatmetrix_review_pending?).and_return(false)
     decorated_user
   end