Deploy RC 267 to Prod

app/controllers/concerns/fraud_review_concern.rb

@@ -1,16 +1,34 @@
 module FraudReviewConcern
   extend ActiveSupport::Concern
 
+  def handle_fraud
+    handle_pending_fraud_review
+    handle_fraud_rejection
+  end
+
   def handle_pending_fraud_review
     redirect_to_fraud_review if fraud_review_pending?
   end
 
+  def handle_fraud_rejection
+    redirect_to_fraud_rejection if fraud_rejection?
+  end
+
   def redirect_to_fraud_review
     redirect_to idv_setup_errors_url
   end
 
+  def redirect_to_fraud_rejection
+    redirect_to idv_not_verified_url
+  end
+
   def fraud_review_pending?
     return false unless user_fully_authenticated?
     current_user.fraud_review_pending?
   end
+
+  def fraud_rejection?
+    return false unless user_fully_authenticated?
+    current_user.fraud_rejection?
+  end
 end

app/controllers/concerns/idv/step_utilities_concern.rb

@@ -11,19 +11,6 @@ def flow_path
       flow_session[:flow_path]
     end
 
-    def confirm_pii_from_doc
-      @pii = flow_session&.[]('pii_from_doc') # hash with indifferent access
-      return if @pii.present?
-
-      flow_session&.delete('Idv::Steps::DocumentCaptureStep')
-      redirect_to idv_doc_auth_url
-    end
-
-    def confirm_profile_not_already_confirmed
-      return unless idv_session.verify_info_step_complete?
-      redirect_to idv_review_url
-    end
-
     # Copied from capture_doc_flow.rb
     # and from doc_auth_flow.rb
     def acuant_sdk_ab_test_analytics_args

app/controllers/concerns/idv/verify_info_concern.rb

@@ -123,7 +123,7 @@ def async_state_done(current_async_state)
     end
 
     def next_step_url
-      return idv_gpo_url if OutageStatus.new.gpo_only?
+      return idv_gpo_url if FeatureManagement.idv_gpo_only?
       idv_phone_url
     end
 
@@ -221,7 +221,7 @@ def add_proofing_costs(results)
         elsif stage == :threatmetrix
           # transaction_id comes from request_id
           tmx_id = hash[:transaction_id]
-          log_irs_tmx_fraud_check_event(hash) if tmx_id
+          log_irs_tmx_fraud_check_event(hash, current_user) if tmx_id
           add_cost(:threatmetrix, transaction_id: tmx_id) if tmx_id
         end
       end

app/controllers/concerns/idv_step_concern.rb

@@ -8,6 +8,14 @@ module IdvStepConcern
     before_action :confirm_idv_needed
   end
 
+  def confirm_document_capture_complete
+    @pii = flow_session&.[]('pii_from_doc') # hash with indifferent access
+    return if @pii.present?
+
+    flow_session&.delete('Idv::Steps::DocumentCaptureStep')
+    redirect_to idv_doc_auth_url
+  end
+
   def confirm_verify_info_step_complete
     return if idv_session.verify_info_step_complete?
 
@@ -18,6 +26,11 @@ def confirm_verify_info_step_complete
     end
   end
 
+  def confirm_verify_info_step_needed
+    return unless idv_session.verify_info_step_complete?
+    redirect_to idv_review_url
+  end
+
   def confirm_address_step_complete
     return if idv_session.address_step_complete?
 

app/controllers/idv/address_controller.rb

@@ -3,7 +3,7 @@ class AddressController < ApplicationController
     include IdvSession
 
     before_action :confirm_two_factor_authenticated
-    before_action :confirm_pii_from_doc
+    before_action :confirm_document_capture_complete
 
     def new
       analytics.idv_address_visit
@@ -24,7 +24,7 @@ def update
 
     private
 
-    def confirm_pii_from_doc
+    def confirm_document_capture_complete
       @pii = user_session.dig('idv/doc_auth', 'pii_from_doc')
       return if @pii.present?
       redirect_to idv_doc_auth_url

app/controllers/idv/doc_auth_controller.rb

@@ -2,7 +2,6 @@ module Idv
   class DocAuthController < ApplicationController
     before_action :confirm_two_factor_authenticated
     before_action :redirect_if_pending_in_person_enrollment
-    before_action :handle_pending_fraud_review
     before_action :redirect_if_pending_profile
     before_action :extend_timeout_using_meta_refresh_for_select_paths
 
@@ -13,6 +12,7 @@ class DocAuthController < ApplicationController
     include FraudReviewConcern
 
     before_action :redirect_if_flow_completed
+    before_action :handle_fraud
     before_action :override_document_capture_step_csp
     before_action :update_if_skipping_upload
     # rubocop:disable Rails/LexicallyScopedActionFilter

app/controllers/idv/in_person/verify_info_controller.rb

@@ -9,7 +9,7 @@ class VerifyInfoController < ApplicationController
       before_action :renders_404_if_flag_not_set
       before_action :confirm_two_factor_authenticated
       before_action :confirm_ssn_step_complete
-      before_action :confirm_profile_not_already_confirmed
+      before_action :confirm_verify_info_step_needed
 
       def show
         @in_person_proofing = true
@@ -107,7 +107,7 @@ def confirm_ssn_step_complete
         redirect_to idv_in_person_url
       end
 
-      def confirm_profile_not_already_confirmed
+      def confirm_verify_info_step_needed
         # todo: should this instead be like so?
         # return unless idv_session.resolution_successful == true
         return unless idv_session.verify_info_step_complete?

app/controllers/idv/not_verified_controller.rb

@@ -0,0 +1,9 @@
+module Idv
+  class NotVerifiedController < ApplicationController
+    before_action :confirm_two_factor_authenticated
+
+    def show
+      analytics.idv_not_verified_visited
+    end
+  end
+end

app/controllers/idv/ssn_controller.rb

@@ -1,13 +1,13 @@
 module Idv
   class SsnController < ApplicationController
     include IdvSession
+    include IdvStepConcern
     include StepIndicatorConcern
     include StepUtilitiesConcern
     include Steps::ThreatMetrixStepHelper
 
-    before_action :confirm_two_factor_authenticated
-    before_action :confirm_profile_not_already_confirmed
-    before_action :confirm_pii_from_doc
+    before_action :confirm_verify_info_step_needed
+    before_action :confirm_document_capture_complete
 
     attr_accessor :error_message
 

app/controllers/idv/verify_info_controller.rb

@@ -6,9 +6,8 @@ class VerifyInfoController < ApplicationController
     include VerifyInfoConcern
     include Steps::ThreatMetrixStepHelper
 
-    before_action :confirm_two_factor_authenticated
     before_action :confirm_ssn_step_complete
-    before_action :confirm_profile_not_already_confirmed
+    before_action :confirm_verify_info_step_needed
 
     def show
       @in_person_proofing = false

app/controllers/idv_controller.rb

@@ -4,8 +4,8 @@ class IdvController < ApplicationController
   include FraudReviewConcern
 
   before_action :confirm_two_factor_authenticated
-  before_action :handle_pending_fraud_review
   before_action :profile_needs_reactivation?, only: [:index]
+  before_action :handle_fraud
 
   def index
     if decorated_session.requested_more_recent_verification? ||

app/controllers/openid_connect/authorization_controller.rb

@@ -21,6 +21,7 @@ class AuthorizationController < ApplicationController
 
     def index
       return redirect_to_fraud_review if fraud_review_pending_for_ial2_request?
+      return redirect_to_fraud_rejection if fraud_rejection_for_ial2_request?
       return redirect_to_account_or_verify_profile_url if profile_or_identity_needs_verification?
       return redirect_to(sign_up_completed_url) if needs_completion_screen_reason
       link_identity_to_service_provider
@@ -90,6 +91,11 @@ def fraud_review_pending_for_ial2_request?
       fraud_review_pending?
     end
 
+    def fraud_rejection_for_ial2_request?
+      return false unless @authorize_form.ial2_or_greater?
+      fraud_rejection?
+    end
+
     def profile_or_identity_needs_verification?
       return false unless @authorize_form.ial2_or_greater?
       profile_needs_verification? || identity_needs_verification?

app/controllers/saml_idp_controller.rb

@@ -25,6 +25,7 @@ class SamlIdpController < ApplicationController
   def auth
     capture_analytics
     return redirect_to_fraud_review if fraud_review_pending? && ial2_requested?
+    return redirect_to_fraud_rejection if fraud_rejection? && ial2_requested?
     return redirect_to_verification_url if profile_or_identity_needs_verification_or_decryption?
     return redirect_to(sign_up_completed_url) if needs_completion_screen_reason
     if auth_count == 1 && first_visit_for_sp?

app/controllers/users/sessions_controller.rb

@@ -32,8 +32,6 @@ def new
     end
 
     def create
-      track_authentication_attempt(auth_params[:email])
-
       return process_locked_out_session if session_bad_password_count_max_exceeded?
       return process_locked_out_user if current_user && user_locked_out?(current_user)
 
@@ -42,6 +40,7 @@ def create
       handle_valid_authentication
     ensure
       increment_session_bad_password_count if throttle_password_failure && !current_user
+      track_authentication_attempt(auth_params[:email])
     end
 
     def destroy
@@ -175,6 +174,7 @@ def track_authentication_attempt(email)
         success: success,
         user_id: user.uuid,
         user_locked_out: user_locked_out?(user),
+        bad_password_count: session[:bad_password_count].to_i,
         stored_location: session['user_return_to'],
         sp_request_url_present: sp_session[:request_url].present?,
         remember_device: remember_device_cookie.present?,

app/forms/register_user_email_form.rb

@@ -84,6 +84,7 @@ def process_successful_submission(request_id, instructions)
     # To prevent discovery of existing emails, we check to see if the email is
     # already taken and if so, we act as if the user registration was successful.
     if email_taken? && user_unconfirmed?
+      update_user_language_preference
       send_sign_up_unconfirmed_email(request_id)
     elsif email_taken?
       send_sign_up_confirmed_email
@@ -98,6 +99,12 @@ def process_successful_submission(request_id, instructions)
     end
   end
 
+  def update_user_language_preference
+    if existing_user.email_language != email_language
+      existing_user.update(email_language: email_language)
+    end
+  end
+
   def extra_analytics_attributes
     {
       email_already_exists: email_taken?,

app/javascript/packages/document-capture/context/upload.tsx

@@ -12,7 +12,6 @@ const UploadContext = createContext({
   backgroundUploadURLs: {} as Record<string, string>,
   backgroundUploadEncryptKey: undefined as CryptoKey | undefined,
   flowPath: 'standard' as FlowPath,
-  csrf: null as string | null,
   formData: {} as Record<string, any>,
 });
 
@@ -45,11 +44,6 @@ interface UploadOptions {
    * Endpoint to which payload should be sent.
    */
   endpoint: string;
-
-  /**
-   * CSRF token to send as parameter to upload implementation.
-   */
-  csrf: string | null;
 }
 
 export interface UploadSuccessResponse {
@@ -142,11 +136,6 @@ interface UploadContextProviderProps {
    */
   statusPollInterval?: number;
 
-  /**
-   * CSRF token to send as parameter to upload implementation.
-   */
-  csrf: string | null;
-
   /**
    * Extra form data to merge into the payload before uploading
    */
@@ -177,27 +166,25 @@ function UploadContextProvider({
   endpoint,
   statusEndpoint,
   statusPollInterval,
-  csrf,
   formData = DEFAULT_FORM_DATA,
   flowPath,
   children,
 }: UploadContextProviderProps) {
-  const uploadWithCSRF = (payload) => upload({ ...payload, ...formData }, { endpoint, csrf });
+  const uploadWithFormData = (payload) => upload({ ...payload, ...formData }, { endpoint });
 
   const getStatus = () =>
     statusEndpoint
-      ? upload({ ...formData }, { endpoint: statusEndpoint, method: 'PUT', csrf })
+      ? upload({ ...formData }, { endpoint: statusEndpoint, method: 'PUT' })
       : Promise.reject();
 
   const value = useObjectMemo({
-    upload: uploadWithCSRF,
+    upload: uploadWithFormData,
     getStatus,
     statusPollInterval,
     backgroundUploadURLs,
     backgroundUploadEncryptKey,
     isMockClient,
     flowPath,
-    csrf,
     formData,
   });
 

app/javascript/packages/document-capture/services/upload.ts

@@ -1,5 +1,6 @@
 import { FormError } from '@18f/identity-form-steps';
 import { forceRedirect } from '@18f/identity-url';
+import { request } from '@18f/identity-request';
 import type {
   UploadSuccessResponse,
   UploadErrorResponse,
@@ -67,12 +68,13 @@ export function toFormEntryError(uploadFieldError: UploadFieldError): UploadForm
   return formEntryError;
 }
 
-const upload: UploadImplementation = async function (payload, { method = 'POST', endpoint, csrf }) {
-  const headers: HeadersInit = {};
-  if (csrf) {
-    headers['X-CSRF-Token'] = csrf;
-  }
-  const response = await window.fetch(endpoint, { method, headers, body: toFormData(payload) });
+const upload: UploadImplementation = async function (payload, { method = 'POST', endpoint }) {
+  const response = await request(endpoint, {
+    method,
+    body: toFormData(payload),
+    json: false,
+    read: false,
+  });
 
   if (!response.ok && !response.status.toString().startsWith('4')) {
     // 4xx is an expected error state, handled after JSON deserialization. Anything else not OK

app/javascript/packages/document-capture/styles.scss

@@ -2,4 +2,3 @@
 @import './components/acuant-capture';
 @import './components/acuant-capture-canvas';
 @import './components/location-collection-item';
-@import './components/review-issues-step';