Merged
…us (#8149) We use ThreatMetrix as a tool for device profiling. It gives us a review_status result which we store in the database as a proofing component. That proofing component is used later in the process to determine if a profile needs additional review. We communicate with ThreatMetrix if device profiling is enabled or in collect only mode. We do not communicate with ThreatMetrix when device profiling is disabled. Previously, we would write nil to the proofing component if we received that or an unexpected review status from ThreatMetrix. This leads to ambiguity later in the process when determining if a user passed the ThreatMetrix check. Specifically, nil could mean that ThreatMetrix did not run because device profiling is disabled or it could mean that an error occurred and no review_status was provided. This commit changes the behavior of ThreatMetrix such that if ThreatMetrix is enabled it will write a review status or the job will respond with an exception result. This exception result will result in the user seeing an error and needing to re-submit and re-run the job. This resolves the ambiguity by making nil mean that ThreatMetrix was not enabled. [skip changelog]
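The three outcomes the commit message above distinguishes (profiling disabled, a usable review status, or an error that must not be stored as nil), as an added Ruby illustration that is not identity-idp code; the class, the method names and the set of accepted statuses are assumptions.

```ruby
# Hypothetical illustration of the nil / status / exception tri-state.
# Not identity-idp code; names and the accepted status list are assumed.
VALID_REVIEW_STATUSES = %w[pass review].freeze

class DeviceProfilingResult
  attr_reader :review_status, :exception

  def initialize(review_status: nil, exception: nil)
    @review_status = review_status
    @exception = exception
  end

  # An exception means the vendor call ran but yielded no usable status.
  def exception?
    !exception.nil?
  end
end

# Builds the value stored as the proofing component.
# mode: :disabled, :enabled or :collect_only
# vendor_response: hash from the vendor, or nil if the call failed.
# Returns nil only when profiling is disabled, so a nil component
# unambiguously means "the check did not run".
def build_device_profiling_component(mode:, vendor_response:)
  return nil if mode == :disabled

  status = vendor_response && vendor_response['review_status']
  if VALID_REVIEW_STATUSES.include?(status)
    DeviceProfilingResult.new(review_status: status)
  else
    # Missing or unexpected status becomes an exception result, never nil.
    DeviceProfilingResult.new(
      exception: "unexpected review_status: #{status.inspect}",
    )
  end
end

# Later in the flow: classify the stored component.
# Returns :not_run, :pass, :needs_review or :error.
def device_profiling_outcome(component)
  return :not_run if component.nil?
  return :error if component.exception?

  component.review_status == 'pass' ? :pass : :needs_review
end
```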
…8153) * Return an empty hash from `#flow_session` if it has not been created We have observed a number of 500 errors that are the result of the flow session being nil. There is a new one present in the document capture controller. This commit fixes all of these issues and hopefully prevents new ones by modifying the non-FSM implementations of `#flow_session` to return an empty hash when the flow session has not been constructed yet. [skip changelog] * fix a test
* Maintain request ID in password reset changelog: Bug Fixes, Password Reset, Maintain partner request when user resets password in new session * Use branded experience assertion consistently These assertions are prone to false positives because the footer GSA logo includes the sp-logos path * Use perform_in_browser helper to initiate password reset * Clarify branded experience assertion * Move request_id handling from password controller So that it isn't persisted only in the case of a successful password submission, because otherwise the associated SP is dropped * Simplify parameter access * Add specs for SP metadata store
* changelog: Bug Fix, OpenID Connect, Update AAL in userinfo response to keep specific values Store passed AAL as text to store extra information * Update AAL1 tests * change AAL1 tests * update migration * update specs --------- Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov>
We no longer need to use the RedoAddressAction in the flow state machine to link from the VerifyInfo screen to the Address screen in the doc_auth flow. This is in preparation for deleting the RedoAddressAction. changelog: Internal, Verify Info step, Stop using RedoAddressAction and link directly to Address page to update address
…g the result hash (#8160) Prior to this commit the majority of our proofers returned an object with a #to_h method that returned a hash suitable for logging with the results of the proofing transaction. The exception was the DDP proofer. The DDP proofer's logged result needed to be constructed in the proofing job where it was invoked. This commit makes the DDP result mirror the other result classes. This will make it easier to reconstruct the DDP class to add logic around things like whether exceptions are present (see #8149). [skip changelog]
* Allow specifying fixture file for DDP Mock Proofer * Add review_status error to mock DDP proofer If review status was not pass, add an error * Record request_result error on mock ddp proofer * Cover the 'review' status in DDP mock proofer Not used in prod currently, but _could be_ * Add extra check to pass case * changelog: Internal, Fraud monitoring, Update mock DDP proofer to include errors like the real proofer
* round of changes complete * Adding and modifying tests * changelog: User-Facing Improvements, In-Person Proofing, Skip address page if same address as ID * Linting * update tests and state id spec to change jurisdiction * Missed jurisdiction in test * last jurisdiction * undoing call to mark address incomplete
* Remove EmailSentStep and associated references EmailSentStep is no longer referenced. It allowed users on mobile to receive an email and continue uploading photos of their ID on desktop. [skip changelog] * Small refactor in UploadStep * DocAuthLog and RegisterStep cleanup Mark email_sent columns as ignored Remove unused send_link token and mark those columns as ignored * Remove doc_auth_desktop_link_to_sp mailer * Remove unused doc_auth_link translations and mailer template * remove unused image state-id-confirm@3x.png
* Update documentation to remove references to design.login.gov * Fix Markdown syntax * Add changelog changelog: Internal, Documentation, Update documentation to remove references to Design System documentation
* Fix Idv outage spec cleanup process Ensure config-related stubs are torn down before calling `Rails.application.reload_routes!` [skip changelog] * Update spec/features/idv/outage_spec.rb Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov> * Appease linter --------- Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>
…8087) * LG-9301 capture error and alert when ArcGIS service is not returning a token If ArcGIS is unable to return a token it was causing an exception in retrieve_token and throwing HTTP 500 responses. The UI had no indication of error and the responses were causing the on-call engineer to be notified. This change catches the missing token, logs the issue, and returns a 400 error which allows a retry. changelog: Internal, PO-Search, Return 400 instead of 500 and logs ArcGIS token issues * LG-9103 (erroneously noted 9301 previously) Remove existing token from cache if service is unavailable or credentials are invalid. changelog: Internal, In-person-proofing address lookup, Prevent http 500 errors from occurring with invalid token * LG-9103 Capture error and alert when ArcGIS is not returning a token Add two tests, one for no service and one for invalid credentials (no token returned)
* Add safer parsing of dynamic SAML urls (LG-8837) * Add additional spec coverage - Pulls ideas from #8105 changelog: Internal, Source code, Add stricter checking of URLs
* LG-9216: A/B test for tabbed Sign In view changelog: Upcoming Features, Sign In Experience, Implement A/B test for tabbed Sign In view * Add specs for TabNavigationComponent * AddTabNavigationComponent preview * Add translations for headings * Rename ivar for sign in bucket See: https://github.com/18F/identity-idp/pull/8112/files#r1154971724 Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com> * Switch to session ID for bucket discriminator May be more reliable than IP if we're expecting to log values in later events * Add aria-current to current link * Rename ivar for consistency See: https://github.com/18F/identity-idp/pull/8112/files#r1159978157 * Enhance TabNavigationComponent to handle query parameters * Add request_id to tab navigation links * Include bucket in visit analytics * Include all options in config default Clearer usage * Track registration visit from homepage * Add analytics property for completions event * Fix new session view link parameter assertion * Add specs for devise/sessions/new.html.erb * Add specs for sign_up/registrations/new.html.erb * Normalize YAML * Fix specs to check for new parameter * Add approved label for tab navigation * Fix syntax error --------- Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Remove request_id parameters from Sign In view links They're unnecessary, since the request_id will have already been saved to the session * changelog: Internal, Code Quality, Simplify markup for Sign In page * Refactor RegistrationsController to use session request ID * Use only session value for request ID Not intending to support providing the request_id at the "Create an account" URL, this existed previously only as a carry over from the original implementation which did not persist the request ID from the initial visit to the Sign In page. * Revert RegisterUserEmailForm to supply request_id by submission Since it's not needed as a form parameter anymore * WIP remove more request_id * Avoid storing request_id in SessionsController This should already be stored at this point via SamlIdpAuthConcern#store_saml_request / OpenidConnect::AuthorizationController#store_request * Restore request_id parameter handling in SessionController 1. we rely on it for certain behaviors like timeout 2. there's at least safeguards to prevent double-storing metadata if it already exists in the session * Remove request_id from "Use a different email" link * Use request_id direct from SP session Save a Redis read * Remove request_id parameter from A/B tabbed links
…8172) * Refactor implicit calculation of two-factor authentication methods changelog: Internal, Two-Factor Authentication, Refactor implicit calculation of two-factor authentication methods * use keyword argument for next_url argument
jmhooper
approved these changes
Apr 11, 2023
* Remove phone_confirmed column from profiles table * Remove `ignored_columns` for column to be deleted changelog: Internal, Database Maintenance, remove unused column
mitchellhenke
approved these changes
Apr 11, 2023
jmhooper
approved these changes
Apr 11, 2023
User-Facing Improvements
Bug Fixes
Internal
Upcoming Features