Remove DocumentCaptureController direct usage of effective_user

app/controllers/concerns/idv/step_utilities_concern.rb

@@ -4,7 +4,7 @@ module StepUtilitiesConcern
     include AcuantConcern
 
     def irs_reproofing?
-      effective_user&.reproof_for_irs?(
+      current_user&.reproof_for_irs?(
         service_provider: current_sp,
       ).present?
     end

app/controllers/concerns/idv_session.rb

@@ -1,16 +1,15 @@
 module IdvSession
   extend ActiveSupport::Concern
-  include EffectiveUser
 
   included do
-    before_action :redirect_unless_effective_user
+    before_action :redirect_unless_idv_session_user
     before_action :redirect_if_sp_context_needed
   end
 
   def confirm_idv_needed
-    return if effective_user.active_profile.blank? ||
+    return if idv_session_user.active_profile.blank? ||
               decorated_session.requested_more_recent_verification? ||
-              effective_user.reproof_for_irs?(service_provider: current_sp)
+              idv_session_user.reproof_for_irs?(service_provider: current_sp)
 
     redirect_to idv_activated_url
   end
@@ -29,20 +28,26 @@ def confirm_phone_or_address_confirmed
   def idv_session
     @idv_session ||= Idv::Session.new(
       user_session: user_session,
-      current_user: effective_user,
+      current_user: idv_session_user,
       service_provider: current_sp,
     )
   end
 
-  def redirect_unless_effective_user
-    redirect_to root_url if !effective_user
+  def redirect_unless_idv_session_user
+    redirect_to root_url if !idv_session_user
   end
 
   def redirect_if_sp_context_needed
     return if sp_from_sp_session.present?
     return unless IdentityConfig.store.idv_sp_required
-    return if effective_user.profiles.any?
+    return if idv_session_user.profiles.any?
 
     redirect_to account_url
   end
+
+  def idv_session_user
+    return User.find_by(id: session[:doc_capture_user_id]) if !current_user && hybrid_session?
+
+    current_user
+  end
 end

app/controllers/concerns/rate_limit_concern.rb

@@ -47,16 +47,15 @@ def throttle_and_controller_match(throttle_type)
       self.instance_of?(Idv::VerifyInfoController) ||
         self.instance_of?(Idv::InPerson::VerifyInfoController)
     when :idv_doc_auth
-      self.instance_of?(Idv::DocumentCaptureController) ||
-        self.instance_of?(Idv::HybridMobile::DocumentCaptureController)
+      self.instance_of?(Idv::DocumentCaptureController)
     when :proof_address
       self.instance_of?(Idv::PhoneController)
     end
   end
 
   def idv_attempter_rate_limited?(throttle_type)
     Throttle.new(
-      user: effective_user,
+      user: idv_session_user,
       throttle_type: throttle_type,
     ).throttled?
   end

app/controllers/idv/session_errors_controller.rb

@@ -1,7 +1,6 @@
 module Idv
   class SessionErrorsController < ApplicationController
     include IdvSession
-    include EffectiveUser
     include StepIndicatorConcern
 
     before_action :confirm_two_factor_authenticated_or_user_id_in_session
@@ -15,7 +14,7 @@ def exception
 
     def warning
       throttle = Throttle.new(
-        user: effective_user,
+        user: idv_session_user,
         throttle_type: :idv_resolution,
       )
 
@@ -29,7 +28,7 @@ def state_id_warning
 
     def failure
       throttle = Throttle.new(
-        user: effective_user,
+        user: idv_session_user,
         throttle_type: :idv_resolution,
       )
       @expires_at = throttle.expires_at
@@ -53,7 +52,7 @@ def ssn_failure
     end
 
     def throttled
-      throttle = Throttle.new(user: effective_user, throttle_type: :idv_doc_auth)
+      throttle = Throttle.new(user: idv_session_user, throttle_type: :idv_doc_auth)
       log_event(based_on_throttle: throttle)
       @expires_at = throttle.expires_at
     end

spec/controllers/concerns/rate_limit_concern_spec.rb

@@ -6,6 +6,7 @@
   module Idv
     class StepController < ApplicationController
       include RateLimitConcern
+      include IdvSession
 
       def show
         render plain: 'Hello'

spec/controllers/idv/document_capture_controller_spec.rb

@@ -102,6 +102,13 @@
       end
     end
 
+    it 'does not use effective user outside of analytics_user in ApplicationControler' do
+      allow(subject).to receive(:analytics_user).and_return(subject.current_user)
+      expect(subject).not_to receive(:effective_user)
+
+      get :show
+    end
+
     context 'user is rate_limited' do
       it 'redirects to rate limited page' do
         user = create(:user)