Clean up / refactor ThreatMetrix configuration #7582

Merged
matthinz merged 8 commits into main from matthinz/8512-tm-ff
Jan 13, 2023

@matthinz (Contributor) commented Jan 5, 2023

🎫 Ticket

LG-8512

🛠 Summary of changes

TLDR: There will be 2 settings to control whether/how ThreatMetrix is enabled. The ThreatMetrix mock will now be enabled by default locally.

This PR removes references to the following config flags:

  • lexisnexis_threatmetrix_enabled
  • lexisnexis_threatmetrix_required_to_verify
  • proofing_device_profiling_collecting_enabled

It then adds a new config flag, proofing_device_profiling, to be used to control how "on" ThreatMetrix is. Valid values are:

| Value | Description |
| --- | --- |
| disabled | No ThreatMetrix Javascript is included on the page during IdV, no API calls are made to ThreatMetrix, and profiles are never deactivated due to ThreatMetrix judgements. |
| collect_only | ThreatMetrix Javascript is included on the page during IdV, and we make the session query API call and record the result on the user's ProofingComponent. Profiles are never deactivated due to ThreatMetrix status. |
| enabled | ThreatMetrix Javascript is included on the page during IdV, we make API calls, store the result on the user's ProofingComponent, and will deactivate the profile if the review status is not "pass". |

Additionally, this PR now enables the ThreatMetrix mock implementation (via the lexisnexis_threatmetrix_mock_enabled flag) in development and test environments.

To allow for migration, this PR allows the old config flags to continue existing, but be overridden by the new flag. #7639 fully removes the old config flags.

📜 Testing Plan

(This plan is provided as sets of config flags for your application.yml and what you should see after running through identity verification with them applied.)

Verify that old flags are still respected for now:

proofing_device_profiling_collecting_enabled: true
lexisnexis_threatmetrix_required_to_verify: true
lexisnexis_threatmetrix_mock_enabled: true

You should see:

  • Mock result field on SSN screen
  • Evidence of ThreatMetrix on proofing component after IdV
  • Decisioning applied (redirect to sad screen)

Verify that new flag overrides old flags:

proofing_device_profiling_collecting_enabled: true
lexisnexis_threatmetrix_required_to_verify: true
lexisnexis_threatmetrix_mock_enabled: true
proofing_device_profiling: disabled

You should see:

  • No mock result field on SSN screen
  • No evidence of ThreatMetrix on proofing component after IdV
  • No decisioning applied

Verify that new flag works for collection and that ThreatMetrix mock enabled by default:

proofing_device_profiling: collect_only

You should see:

  • Mock result field on SSN screen
  • Evidence of ThreatMetrix on proofing component after IdV
  • No decisioning applied

Verify that new flag works for collection & decisioning and that mock enabled by default:

proofing_device_profiling: enabled

You should see:

  • Mock result field on SSN screen
  • Evidence of ThreatMetrix on proofing component after IdV
  • Decisioning applied (redirect to sad screen)

Verify that new flag works for collection & decisioning and that mock can be disabled:

proofing_device_profiling: enabled
lexisnexis_threatmetrix_mock_enabled: false

You should see (assuming you don't have additional variables set to configure ThreatMetrix API access):

  • No mock result field on SSN screen
  • Evidence of ThreatMetrix on proofing component after IdV
  • Decisioning applied (redirect to sad screen)
  • Exceptions related to ThreatMetrix in events.log (since it's not properly configured, but mock was disabled)
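
The flag resolution this description lays out, sketched as an added example (not code from this PR or from the project's FeatureManagement). The module and method names, the plain Hash standing in for application.yml, and the mapping of the two legacy flags onto a mode are assumptions made for illustration.

```ruby
# Added illustration; names and the legacy-flag mapping are assumptions.
module DeviceProfilingConfig
  MODES = %i[disabled collect_only enabled].freeze

  # config: Hash of flag name (String) => value, as loaded from application.yml.
  # The new flag, when present, overrides the legacy flags.
  def self.mode(config)
    raw = config['proofing_device_profiling']
    return legacy_mode(config) if raw.nil?

    mode = raw.to_s.to_sym
    # Fail loudly on a typo rather than silently turning a fraud control off.
    unless MODES.include?(mode)
      raise ArgumentError, "invalid proofing_device_profiling: #{raw.inspect}"
    end
    mode
  end

  # Assumed migration mapping: collecting + required_to_verify => :enabled,
  # collecting alone => :collect_only, otherwise :disabled.
  def self.legacy_mode(config)
    return :disabled unless config['proofing_device_profiling_collecting_enabled'] == true

    config['lexisnexis_threatmetrix_required_to_verify'] == true ? :enabled : :collect_only
  end

  # Include the ThreatMetrix JavaScript and make the session query call?
  def self.collecting?(config)
    mode(config) != :disabled
  end

  # Deactivate the profile when the review status is not "pass"?
  def self.decisioning?(config)
    mode(config) == :enabled
  end

  # Mock defaults to on only in development and test; an explicit setting wins.
  def self.mock_enabled?(config, env)
    explicit = config['lexisnexis_threatmetrix_mock_enabled']
    return explicit == true unless explicit.nil?

    %w[development test].include?(env)
  end
end
```

The rows of the testing plan map directly onto `mode`, `collecting?`, `decisioning?` and `mock_enabled?`, so each scenario can be checked without running through identity verification.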

Contributor Author

Minor update here: Check that the profile is deactivated due to ThreatMetrix rather than re-evaluating the threatmetrix_review_status.

Contributor

adding :collect_only is a great use of an enum!

@matthinz force-pushed the matthinz/8512-tm-ff branch 5 times, most recently from 373f8aa to f47ffb5, January 6, 2023 22:30
@matthinz marked this pull request as ready for review January 7, 2023 00:55
@zachmargolis (Contributor) left a comment

LGTM

@matthinz force-pushed the matthinz/8512-tm-ff branch from c20c94e to db803cb, January 11, 2023 18:42
- Move logic around "should this be enabled?" into FeatureManagement
- Add logic to automatically enable the ThreatMetrix mock in lower environments

changelog: Internal, ThreatMetrix, Simplify ThreatMetrix config flags.
Profile should've been deactivated by this point, so don't look at ProofingComponent.
Checking domain is kind of smelly. We can approximate this by setting good defaults.
The ThreatMetrix mock does not use org ID. It feels needlessly complex to check for it (it should _always_ be configured when TM is enabled for real)
@theabrad (Contributor) left a comment

LGTM

kantara_2fa_phone_restricted: false
kantara_2fa_phone_existing_user_restriction: false
kantara_restriction_enforcement_date: '2022-07-19'
lexisnexis_threatmetrix_mock_enabled: false
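
Review bot: the last line, lexisnexis_threatmetrix_mock_enabled: false, carries no comment saying which environment's default it sets, and this key decides whether a mock stands in for the real ThreatMetrix call. A one-line comment next to it stating that the mock stays off here and is turned on only for development and test would make that intent checkable in review and keep the entry from reading as a duplicate of the other mock_enabled line.
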
@theabrad (Contributor) commented Jan 12, 2023

duplicate. line 176 already has mock_enabled: true

Contributor Author

Yeah, the goal here is to enable it locally by default but disable it by default in production

@matthinz merged commit 678891c into main Jan 13, 2023
@matthinz deleted the matthinz/8512-tm-ff branch January 13, 2023 17:07