Deploy RC 266 to Prod

Gemfile

@@ -98,7 +98,6 @@ group :development, :test do
   gem 'i18n-tasks', '~> 1.0'
   gem 'knapsack'
   gem 'nokogiri', '~> 1.14.0'
-  gem 'parallel_tests', '~> 3.8.0'
   gem 'pg_query', require: false
   gem 'pry-byebug'
   gem 'pry-doc'

Gemfile.lock

@@ -435,8 +435,6 @@ GEM
       openssl (> 2.0, < 3.1)
     orm_adapter (0.5.0)
     parallel (1.22.1)
-    parallel_tests (3.8.1)
-      parallel
     parser (3.2.0.0)
       ast (~> 2.4.1)
     pg (1.4.5)
@@ -776,7 +774,6 @@ DEPENDENCIES
   newrelic_rpm (~> 8.0)
   nokogiri (~> 1.14.0)
   octokit (>= 4.25.0)
-  parallel_tests (~> 3.8.0)
   pg
   pg_query
   phonelib

Makefile

@@ -133,8 +133,8 @@ browsers.json: yarn.lock .browserslistrc ## Generates browsers.json browser supp
 	yarn generate-browsers-json
 
 test: export RAILS_ENV := test
-test: $(CONFIG) ## Runs RSpec and yarn tests in parallel
-	bundle exec rake parallel:spec && yarn test
+test: $(CONFIG) ## Runs RSpec and yarn tests
+	bundle exec rspec && yarn test
 
 test_serial: export RAILS_ENV := test
 test_serial: $(CONFIG) ## Runs RSpec and yarn tests serially

app/assets/stylesheets/components/_alert.scss

@@ -23,3 +23,7 @@
     transform: translateY(-50%);
   }
 }
+
+.usa-alert__text > p:last-child {
+  margin-bottom: 0;
+}

app/components/vendor_outage_alert_component.rb

@@ -37,6 +37,6 @@ def outages
   end
 
   def vendor_status
-    @vendor_status ||= VendorStatus.new
+    @vendor_status ||= OutageStatus.new
   end
 end

app/controllers/concerns/api/csrf_token_concern.rb

@@ -0,0 +1,7 @@
+module Api
+  module CsrfTokenConcern
+    def add_csrf_token_header_to_response
+      response.set_header('X-CSRF-Token', form_authenticity_token)
+    end
+  end
+end

app/controllers/concerns/idv/document_capture_concern.rb

@@ -1,7 +1,9 @@
 module Idv
   module DocumentCaptureConcern
     def override_document_capture_step_csp
-      return if params[:step] != 'document_capture'
+      if !IdentityConfig.store.doc_auth_document_capture_controller_enabled
+        return if params[:step] != 'document_capture'
+      end
 
       policy = current_content_security_policy
       policy.connect_src(*policy.connect_src, 'us.acas.acuant.net')

app/controllers/concerns/idv/step_utilities_concern.rb

@@ -43,5 +43,15 @@ def irs_reproofing?
         service_provider: current_sp,
       ).present?
     end
+
+    def document_capture_session
+      @document_capture_session ||= DocumentCaptureSession.find_by(
+        uuid: flow_session[document_capture_session_uuid_key],
+      )
+    end
+
+    def document_capture_session_uuid_key
+      :document_capture_session_uuid
+    end
   end
 end

app/controllers/concerns/idv/verify_info_concern.rb

@@ -114,14 +114,19 @@ def async_state_done(current_async_state)
         move_applicant_to_idv_session
         idv_session.mark_verify_info_step_complete!
         idv_session.invalidate_steps_after_verify_info!
-        redirect_to idv_phone_url
+        redirect_to next_step_url
       else
         idv_session.invalidate_verify_info_step!
       end
 
       analytics.idv_doc_auth_verify_proofing_results(**form_response.to_h)
     end
 
+    def next_step_url
+      return idv_gpo_url if OutageStatus.new.gpo_only?
+      idv_phone_url
+    end
+
     def summarize_result_and_throttle_failures(summary_result)
       if summary_result.success?
         add_proofing_components

app/controllers/concerns/reauthentication_required_concern.rb

@@ -1,10 +1,32 @@
 module ReauthenticationRequiredConcern
+  include MfaSetupConcern
+
   def confirm_recently_authenticated
+    if IdentityConfig.store.reauthentication_for_second_factor_management_enabled
+      confirm_recently_authenticated_2fa
+    else
+      @reauthn = reauthn?
+      return unless user_signed_in?
+      return if recently_authenticated?
+
+      prompt_for_current_password
+    end
+  end
+
+  def confirm_recently_authenticated_2fa
     @reauthn = reauthn?
-    return unless user_signed_in?
-    return if recently_authenticated?
+    return unless user_fully_authenticated?
+    non_remembered_device_authentication = user_session[:auth_method].present? &&
+                                           user_session[:auth_method] != 'remember_device'
+    return if recently_authenticated? && non_remembered_device_authentication
+    return if in_multi_mfa_selection_flow?
+
+    analytics.user_2fa_reauthentication_required(
+      auth_method: user_session[:auth_method],
+      authenticated_at: user_session[:authn_at],
+    )
 
-    prompt_for_current_password
+    prompt_for_second_factor
   end
 
   private
@@ -24,6 +46,13 @@ def prompt_for_current_password
     redirect_to user_password_confirm_url
   end
 
+  def prompt_for_second_factor
+    store_location(request.url)
+    user_session[:context] = 'reauthentication'
+
+    redirect_to login_two_factor_options_path(reauthn: true)
+  end
+
   def factor_from_controller_name
     {
       # see LG-5701, translate these

app/controllers/concerns/remember_device_concern.rb

@@ -14,7 +14,11 @@ def save_remember_device_preference
   end
 
   def check_remember_device_preference
-    return unless UserSessionContext.authentication_or_reauthentication_context?(context)
+    if IdentityConfig.store.reauthentication_for_second_factor_management_enabled
+      return unless UserSessionContext.authentication_context?(context)
+    else
+      return unless UserSessionContext.authentication_or_reauthentication_context?(context)
+    end
     return if remember_device_cookie.nil?
     return unless remember_device_cookie.valid_for_user?(
       user: current_user,

app/controllers/idv/doc_auth_controller.rb

@@ -70,11 +70,30 @@ def flow_session
     end
 
     def check_for_outage
-      if VendorStatus.new.any_ial2_vendor_outage?
-        session[:vendor_outage_redirect] = current_step
-        session[:vendor_outage_redirect_from_idv] = true
-        redirect_to vendor_outage_url
-      end
+      return if flow_session[:skip_vendor_outage]
+
+      return redirect_for_proofing_vendor_outage if OutageStatus.new.any_idv_vendor_outage?
+      return redirect_for_gpo_only if FeatureManagement.idv_gpo_only?
+    end
+
+    def redirect_for_proofing_vendor_outage
+      session[:vendor_outage_redirect] = current_step
+      session[:vendor_outage_redirect_from_idv] = true
+
+      redirect_to vendor_outage_url
+    end
+
+    def redirect_for_gpo_only
+      return redirect_to vendor_outage_url unless FeatureManagement.gpo_verification_enabled?
+
+      # During a phone outage, skip the hybrid handoff
+      # step and go straight to document upload
+      flow_session[:skip_upload_step] = true unless FeatureManagement.idv_allow_hybrid_flow?
+
+      session[:vendor_outage_redirect] = current_step
+      session[:vendor_outage_redirect_from_idv] = true
+
+      redirect_to idv_mail_only_warning_url
     end
   end
 end

app/controllers/idv/document_capture_controller.rb

@@ -3,18 +3,35 @@ class DocumentCaptureController < ApplicationController
     include IdvSession
     include StepIndicatorConcern
     include StepUtilitiesConcern
+    include DocumentCaptureConcern
 
     before_action :render_404_if_document_capture_controller_disabled
     before_action :confirm_two_factor_authenticated
+    before_action :confirm_agreement_step_complete
+    before_action :override_document_capture_step_csp
 
     def show
       increment_step_counts
 
       analytics.idv_doc_auth_document_capture_visited(**analytics_arguments)
 
+      Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
+        call('document_capture', :view, true)
+
       render :show, locals: extra_view_variables
     end
 
+    def update
+      handle_stored_result
+
+      analytics.idv_doc_auth_document_capture_submitted(**analytics_arguments)
+
+      Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
+        call('document_capture', :update, true)
+
+      redirect_to idv_ssn_url
+    end
+
     def extra_view_variables
       url_builder = ImageUploadPresignedUrlGenerator.new
 
@@ -33,7 +50,6 @@ def extra_view_variables
           transaction_id: flow_session[:document_capture_session_uuid],
         ),
       }.merge(
-        native_camera_ab_testing_variables,
         acuant_sdk_upgrade_a_b_testing_variables,
         in_person_cta_variant_testing_variables,
       )
@@ -45,6 +61,12 @@ def render_404_if_document_capture_controller_disabled
       render_not_found unless IdentityConfig.store.doc_auth_document_capture_controller_enabled
     end
 
+    def confirm_agreement_step_complete
+      return if flow_session['Idv::Steps::AgreementStep']
+
+      redirect_to idv_doc_auth_url
+    end
+
     def analytics_arguments
       {
         flow_path: flow_path,
@@ -65,13 +87,6 @@ def increment_step_counts
       current_flow_step_counts['Idv::Steps::DocumentCaptureStep'] += 1
     end
 
-    def native_camera_ab_testing_variables
-      {
-        acuant_sdk_upgrade_ab_test_bucket:
-          AbTests::ACUANT_SDK.bucket(flow_session[:document_capture_session_uuid]),
-      }
-    end
-
     def acuant_sdk_upgrade_a_b_testing_variables
       bucket = AbTests::ACUANT_SDK.bucket(flow_session[:document_capture_session_uuid])
       testing_enabled = IdentityConfig.store.idv_acuant_sdk_upgrade_a_b_testing_enabled
@@ -97,5 +112,79 @@ def in_person_cta_variant_testing_variables
         in_person_cta_variant_active: bucket,
       }
     end
+
+    def handle_stored_result
+      if stored_result&.success?
+        save_proofing_components
+        extract_pii_from_doc(stored_result, store_in_session: !hybrid_flow_mobile?)
+      else
+        extra = { stored_result_present: stored_result.present? }
+        failure(I18n.t('doc_auth.errors.general.network_error'), extra)
+      end
+    end
+
+    def stored_result
+      return @stored_result if defined?(@stored_result)
+      @stored_result = document_capture_session&.load_result
+    end
+
+    def save_proofing_components
+      return unless current_user
+
+      doc_auth_vendor = DocAuthRouter.doc_auth_vendor(
+        discriminator: flow_session[document_capture_session_uuid_key],
+        analytics: analytics,
+      )
+
+      component_attributes = {
+        document_check: doc_auth_vendor,
+        document_type: 'state_id',
+      }
+      ProofingComponent.create_or_find_by(user: current_user).update(component_attributes)
+    end
+
+    def hybrid_flow_mobile?
+      user_id_from_token.present?
+    end
+
+    def user_id_from_token
+      flow_session[:doc_capture_user_id]
+    end
+
+    # copied from doc_auth_base_step.rb
+    # @param [DocAuth::Response,
+    #   DocumentCaptureSessionAsyncResult,
+    #   DocumentCaptureSessionResult] response
+    def extract_pii_from_doc(response, store_in_session: false)
+      pii_from_doc = response.pii_from_doc.merge(
+        uuid: effective_user.uuid,
+        phone: effective_user.phone_configurations.take&.phone,
+        uuid_prefix: ServiceProvider.find_by(issuer: sp_session[:issuer])&.app_id,
+      )
+
+      flow_session[:had_barcode_read_failure] = response.attention_with_barcode?
+      if store_in_session
+        flow_session[:pii_from_doc] ||= {}
+        flow_session[:pii_from_doc].merge!(pii_from_doc)
+        idv_session.clear_applicant!
+      end
+      track_document_state(pii_from_doc[:state])
+    end
+
+    def track_document_state(state)
+      return unless IdentityConfig.store.state_tracking_enabled && state
+      doc_auth_log = DocAuthLog.find_by(user_id: current_user.id)
+      return unless doc_auth_log
+      doc_auth_log.state = state
+      doc_auth_log.save!
+    end
+
+    # copied from Flow::Failure module
+    def failure(message, extra = nil)
+      flow_session[:error_message] = message
+      form_response_params = { success: false, errors: { message: message } }
+      form_response_params[:extra] = extra unless extra.nil?
+      FormResponse.new(**form_response_params)
+    end
   end
 end

app/controllers/idv/gpo_only_warning_controller.rb

@@ -0,0 +1,17 @@
+module Idv
+  class GpoOnlyWarningController < ApplicationController
+    include IdvSession
+    include StepIndicatorConcern
+
+    before_action :confirm_two_factor_authenticated
+
+    def show
+      user_session['idv/doc_auth'][:skip_vendor_outage] = true
+      render :show, locals: { current_sp:, exit_url: }
+    end
+
+    def exit_url
+      current_sp&.return_to_sp_url || account_path
+    end
+  end
+end