LG-9825: Add back-end validation for the DOB on the state id form by dawei-nava · Pull Request #8501 · 18F/identity-idp

dawei-nava · 2023-05-27T12:54:14Z

🎫 Ticket LG9825 Backend validation of DOB.

🛠 Summary of changes

Validate the DOB for minimum age requirement on the state id form.

📜 Testing Plan

Provide a checklist of steps to confirm the changes.

Modify form_state_id_validator.rb and change age to Time.zone.today - 200.years
Navigate through ipp flow and to the state_id step. Use an invalid first name like First5, an invalid DOB like 12-2-2022
Submit it will flag the first name as invalid, but DOB as valid
Modify the age to be greater than 13 but less than 200
Submit the form again, it will flag the DOB as invalid(validation by backend)
Remove change form_state_id_validator.rb to restore the original validate function.
Submit the form, the DOB field validated as normal

👀 Screenshots

Disable both frontend and backend validation:

After restore backend validation

and test cases. changelog: Internal, In-Person Proofing, Add DOB validation for minimal age.

app/validators/form_dob_validator.rb

app/forms/idv/state_id_form.rb

app/validators/form_dob_validator.rb

app/components/memorable_date_component.rb

app/forms/idv/state_id_form.rb

…rmResponse success flag.

app/validators/form_dob_validator.rb

app/components/memorable_date_component.html.erb

app/forms/idv/state_id_form.rb

app/components/memorable_date_component.rb

app/validators/form_dob_validator.rb

app/forms/idv/state_id_form.rb

app/services/usps_in_person_proofing/date_validator.rb

svalexander · 2023-06-01T13:41:29Z

app/services/usps_in_person_proofing/date_validator.rb

@@ -0,0 +1,37 @@
+module UspsInPersonProofing
+  # Validator that can be attached to a form or other model
+  # to verify that specific supported fields are comparable to other dates.


This validator is to make sure a user's age is within an accepted range right? Would it be more accurate/clear to say "...to verify that user input in supported date fields fall within an accepted range".

@svalexander, it not necessarily a single range, can be combinations of following:
greater_than, greater_than_or_equal_to, equal_to, less_than, less_than_or_equal_to and other_than.

app/services/usps_in_person_proofing/date_validator.rb

svalexander · 2023-06-01T13:53:20Z

app/services/usps_in_person_proofing/date_validator.rb

+
+    # @param [String,Date,#to_hash] param
+    # @return [Date]
+    # It's caller's responsibility to ensure the param contains required entries


i'm not quite sure I understand this comment. what are required entries?

@svalexander, the param can be a type of ActionController::Parameters from state id form submission, where it contains 3 keys, year, month, day. Here we treat it as a hash, so if you pass in anything can be treated as a hash(.to_hash method), it assumes that these three entries exists, it's caller's responsibility to make sure they exists to avoid error.

ahh ok thank you for clarifying

NavaTim

Main issues are to correct the test file naming and ensure that the tests are using the values that they're setting. Other changes are recommended, but I'd be willing to approve without them.

NavaTim · 2023-06-01T16:18:08Z

spec/forms/idv/in_person/adress_form_spec.rb

Typo in file name - should be address_form_spec.rb.

NavaTim · 2023-06-01T16:20:52Z

spec/forms/idv/in_person/adress_form_spec.rb

+      good_params[:same_address_as_id] = false
+      result = subject.submit(bad_params)


You're setting a value on good_params here but instead using bad_params.

NavaTim · 2023-06-01T16:21:13Z

spec/forms/idv/in_person/adress_form_spec.rb

+      good_params[:same_address_as_id] = false
+      result = subject.submit(bad_params)


Similar to the above:

You're setting a value on good_params here but instead using bad_params.

NavaTim · 2023-06-01T16:24:39Z

spec/forms/idv/in_person/adress_form_spec.rb

+  let(:good_params) do
+    {
+      address1: Faker::Address.street_address,
+      address2: Faker::Address.secondary_address,
+      zipcode: Faker::Address.zip_code,
+      state: Faker::Address.state_abbr,
+      city: Faker::Address.city,
+    }
+  end
+  let(:invalid_char) { '$' }
+  let(:bad_params) do
+    {
+      address1: invalid_char + Faker::Address.street_address,
+      address2: invalid_char + Faker::Address.secondary_address + invalid_char,
+      zipcode: Faker::Address.zip_code,
+      state: Faker::Address.state_abbr,
+      city: invalid_char + Faker::Address.city,
+    }
+  end


It would be good to wrap these in an additional context indicating that these values and the following tests pertain specifically to transliteration. i.e. especially since the usage of good/bad here could otherwise seem ambiguous.

NavaTim · 2023-06-01T16:26:36Z

spec/forms/idv/in_person/adress_form_spec.rb

+      expect(subject.errors.to_hash).to include(:address1, :address2, :city)
+      expect(result).to be_kind_of(FormResponse)
+      expect(result.success?).to be(false)
+      expect(result.errors.empty?).to be(true)


It would be best to intentionally include at least one error unrelated to transliteration in this test in order to ensure that the combined behavior is correct.

NavaTim · 2023-06-01T16:28:42Z

spec/forms/idv/state_id_form_spec.rb

+        expect(subject.errors[:first_name]).to eq [
+          I18n.t(
+            'in_person_proofing.form.state_id.errors.unsupported_chars',
+            char_list: [invalid_char].join(', '),
+          ),
+        ]


It would be good here to add an additional line or test confirming that the result errors don't include the transliteration error.

@NavaTim addressed all comments on tests.

NavaTim

The PR works, but I recommend restricting the usage of the # prefix to usages like:

context '#submit' do

i.e. only in a context/describe block (not it/test), and only when the string name passed exactly matches the name of the method being tested.

NavaTim · 2023-06-01T17:23:56Z