Deploy RC 289

app/controllers/concerns/idv/verify_info_concern.rb

@@ -2,7 +2,7 @@ module Idv
   module VerifyInfoConcern
     extend ActiveSupport::Concern
 
-    def update
+    def shared_update
       return if idv_session.verify_info_step_document_capture_session_uuid
       analytics.idv_doc_auth_verify_submitted(**analytics_arguments)
       Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
@@ -48,13 +48,7 @@ def update
         double_address_verification: capture_secondary_id_enabled,
       )
 
-      # Don't allow the user to go back to document capture after verifying
-      if flow_session['redo_document_capture']
-        flow_session.delete('redo_document_capture')
-        flow_session[:flow_path] ||= 'standard'
-      end
-
-      redirect_to after_update_url
+      return true
     end
 
     private

app/controllers/idv/gpo_controller.rb

@@ -98,10 +98,7 @@ def confirmation_maker_perform
     end
 
     def send_reminder
-      current_user.confirmed_email_addresses.each do |email_address|
-        UserMailer.with(user: current_user, email_address: email_address).
-          letter_reminder.deliver_now_or_later
-      end
+      current_user.send_email_to_all_addresses(:letter_reminder)
     end
 
     def pii_locked?

app/controllers/idv/gpo_verify_controller.rb

@@ -51,21 +51,26 @@ def create
         return
       end
 
-      if result.extra[:pending_in_person_enrollment]
-        redirect_to idv_in_person_ready_to_verify_url
-      else
-        prepare_for_personal_key
+      prepare_for_personal_key
 
-        redirect_to idv_personal_key_url
-      end
+      redirect_to idv_personal_key_url
     end
 
     private
 
+    def pending_in_person_enrollment?
+      return false unless IdentityConfig.store.in_person_proofing_enabled
+      current_user.pending_in_person_enrollment.present?
+    end
+
+    def account_not_ready_to_be_activated?
+      fraud_check_failed? || pending_in_person_enrollment?
+    end
+
     def prepare_for_personal_key
-      event, _disavowal_token = create_user_event(:account_verified)
+      unless account_not_ready_to_be_activated?
+        event, _disavowal_token = create_user_event(:account_verified)
 
-      if !fraud_check_failed?
         UserAlerts::AlertUserAboutAccountVerified.call(
           user: current_user,
           date_time: event.created_at,

app/controllers/idv/in_person/verify_info_controller.rb

@@ -8,7 +8,6 @@ class VerifyInfoController < ApplicationController
       include VerifyInfoConcern
       include OutageConcern
 
-      before_action :renders_404_if_flag_not_set
       before_action :confirm_ssn_step_complete
       before_action :confirm_verify_info_step_needed
       before_action :check_for_outage, only: :show
@@ -36,6 +35,17 @@ def show
         process_async_state(load_async_state)
       end
 
+      def update
+        success = shared_update
+
+        if success
+          # Mark the FSM verify step completed. This is for the 50/50 state
+          flow_session['Idv::Steps::InPerson::VerifyStep'] = true
+
+          redirect_to idv_in_person_verify_info_url
+        end
+      end
+
       private
 
       # state_id_type is hard-coded here because it's required for proofing against
@@ -50,18 +60,10 @@ def invalid_state?
         pii.blank?
       end
 
-      def after_update_url
-        idv_in_person_verify_info_url
-      end
-
       def prev_url
         idv_in_person_step_url(step: :ssn)
       end
 
-      def renders_404_if_flag_not_set
-        render_not_found unless IdentityConfig.store.in_person_verify_info_controller_enabled
-      end
-
       def pii
         @pii = flow_session[:pii_from_user]
       end
@@ -73,11 +75,23 @@ def flow_session
 
       def analytics_arguments
         {
-          flow_path: flow_path,
+          flow_path: flow_session[:flow_path],
           step: 'verify',
           analytics_id: 'In Person Proofing',
           irs_reproofing: irs_reproofing?,
-        }.merge(**acuant_sdk_ab_test_analytics_args)
+        }.merge(**acuant_sdk_ab_test_analytics_args).
+          merge(**extra_analytics_properties)
+      end
+
+      def extra_analytics_properties
+        extra = {
+          pii_like_keypaths: [[:same_address_as_id], [:state_id, :state_id_jurisdiction]],
+        }
+        unless flow_session.dig(:pii_from_user, :same_address_as_id).nil?
+          extra[:same_address_as_id] =
+            flow_session[:pii_from_user][:same_address_as_id].to_s == 'true'
+        end
+        extra
       end
     end
   end

app/controllers/idv/review_controller.rb

@@ -92,6 +92,7 @@ def init_profile
       idv_session.create_profile_from_applicant_with_password(password)
 
       if idv_session.address_verification_mechanism == 'gpo'
+        current_user.send_email_to_all_addresses(:letter_reminder)
         analytics.idv_gpo_address_letter_enqueued(enqueued_at: Time.zone.now, resend: false)
       end
 

app/controllers/idv/verify_info_controller.rb

@@ -34,15 +34,25 @@ def show
       process_async_state(load_async_state)
     end
 
+    def update
+      success = shared_update
+
+      if success
+        # Don't allow the user to go back to document capture after verifying
+        if flow_session['redo_document_capture']
+          flow_session.delete('redo_document_capture')
+          flow_session[:flow_path] ||= 'standard'
+        end
+
+        redirect_to idv_verify_info_url
+      end
+    end
+
     private
 
     # state ID type isn't manually set for Idv::VerifyInfoController
     def set_state_id_type; end
 
-    def after_update_url
-      idv_verify_info_url
-    end
-
     def prev_url
       idv_ssn_url
     end

app/controllers/two_factor_authentication/otp_verification_controller.rb

@@ -147,11 +147,6 @@ def post_analytics(result)
       end
     end
 
-    def sign_up_mfa_selection_order_bucket
-      return unless in_multi_mfa_selection_flow?
-      @sign_up_mfa_selection_order_bucket = AbTests::SIGN_UP_MFA_SELECTION.bucket(current_user.uuid)
-    end
-
     def analytics_properties
       parsed_phone = Phonelib.parse(phone)
 
@@ -165,7 +160,6 @@ def analytics_properties
         phone_configuration_id: phone_configuration&.id,
         in_multi_mfa_selection_flow: in_multi_mfa_selection_flow?,
         enabled_mfa_methods_count: mfa_context.enabled_mfa_methods_count,
-        sign_up_mfa_priority_bucket: sign_up_mfa_selection_order_bucket,
       }
     end
 

app/controllers/users/backup_code_setup_controller.rb

@@ -24,10 +24,7 @@ def index
     def create
       generate_codes
       result = BackupCodeSetupForm.new(current_user).submit
-      analytics_properties = result.to_h.merge(
-        sign_up_mfa_selection_order_bucket:
-                  sign_up_mfa_selection_order_bucket,
-      )
+      analytics_properties = result.to_h
       analytics.backup_code_setup_visit(**analytics_properties)
       irs_attempts_api_tracker.mfa_enroll_backup_code(success: result.success?)
 
@@ -79,7 +76,6 @@ def mfa_user
     def track_backup_codes_confirmation_setup_visit
       analytics.multi_factor_auth_enter_backup_code_confirmation_visit(
         enabled_mfa_methods_count: mfa_user.enabled_mfa_methods_count,
-        sign_up_mfa_selection_order_bucket: sign_up_mfa_selection_order_bucket,
       )
     end
 
@@ -93,11 +89,6 @@ def generate_codes
       user_session[:backup_codes] = @codes
     end
 
-    def sign_up_mfa_selection_order_bucket
-      return unless in_multi_mfa_selection_flow?
-      AbTests::SIGN_UP_MFA_SELECTION.bucket(current_user.uuid)
-    end
-
     def set_backup_code_setup_presenter
       @presenter = SetupPresenter.new(
         current_user: current_user,

app/controllers/users/mfa_selection_controller.rb

@@ -10,19 +10,13 @@ class MfaSelectionController < ApplicationController
     def index
       two_factor_options_form
       @after_setup_path = after_mfa_setup_path
-      @sign_up_mfa_selection_order_bucket = AbTests::SIGN_UP_MFA_SELECTION.bucket(current_user.uuid)
       @presenter = two_factor_options_presenter
-      analytics.user_registration_2fa_additional_setup_visit(
-        sign_up_mfa_priority_bucket: @sign_up_mfa_selection_order_bucket,
-      )
+      analytics.user_registration_2fa_additional_setup_visit
     end
 
     def update
       result = submit_form
-      @sign_up_mfa_selection_order_bucket = AbTests::SIGN_UP_MFA_SELECTION.bucket(current_user.uuid)
-      analytics_hash = result.to_h.merge(
-        sign_up_mfa_priority_bucket: @sign_up_mfa_selection_order_bucket,
-      )
+      analytics_hash = result.to_h
       analytics.user_registration_2fa_additional_setup(**analytics_hash)
 
       if result.success?
@@ -45,7 +39,6 @@ def submit_form
     def two_factor_options_presenter
       TwoFactorOptionsPresenter.new(
         user_agent: request.user_agent,
-        priority_bucket: @sign_up_mfa_selection_order_bucket,
         user: current_user,
         phishing_resistant_required: service_provider_mfa_policy.phishing_resistant_required?,
         piv_cac_required: service_provider_mfa_policy.piv_cac_required?,

app/controllers/users/phone_setup_controller.rb

@@ -43,16 +43,10 @@ def recaptcha_enabled?
       FeatureManagement.phone_recaptcha_enabled?
     end
 
-    def sign_up_mfa_selection_order_bucket
-      return unless in_multi_mfa_selection_flow?
-      AbTests::SIGN_UP_MFA_SELECTION.bucket(current_user.uuid)
-    end
-
     def track_phone_setup_visit
       mfa_user = MfaContext.new(current_user)
       analytics.user_registration_phone_setup_visit(
         enabled_mfa_methods_count: mfa_user.enabled_mfa_methods_count,
-        sign_up_mfa_selection_order_bucket: sign_up_mfa_selection_order_bucket,
       )
     end
 

app/controllers/users/piv_cac_authentication_setup_controller.rb

@@ -64,11 +64,6 @@ def track_piv_cac_setup_visit
       )
     end
 
-    def sign_up_mfa_selection_order_bucket
-      return unless in_multi_mfa_selection_flow?
-      AbTests::SIGN_UP_MFA_SELECTION.bucket(current_user.uuid)
-    end
-
     def remove_piv_cac
       revoke_remember_device(current_user)
       current_user_id = current_user.id
@@ -170,7 +165,6 @@ def analytics_properties
       {
         in_multi_mfa_selection_flow: in_multi_mfa_selection_flow?,
         enabled_mfa_methods_count: mfa_context.enabled_mfa_methods_count,
-        sign_up_mfa_selection_order_bucket: sign_up_mfa_selection_order_bucket,
       }
     end
 

app/controllers/users/sessions_controller.rb

@@ -10,13 +10,11 @@ class SessionsController < Devise::SessionsController
 
     rescue_from ActionController::InvalidAuthenticityToken, with: :redirect_to_signin
 
-    skip_before_action :session_expires_at, only: %i[active keepalive]
     skip_before_action :require_no_authentication, only: [:new]
     before_action :store_sp_metadata_in_session, only: [:new]
     before_action :check_user_needs_redirect, only: [:new]
     before_action :apply_secure_headers_override, only: [:new, :create]
     before_action :clear_session_bad_password_count_if_window_expired, only: [:create]
-    after_action :add_csrf_token_header_to_response, only: [:keepalive]
 
     def new
       override_csp_for_google_analytics
@@ -50,31 +48,6 @@ def destroy
       super
     end
 
-    def active
-      session[:pinged_at] = now
-      Rails.logger.debug(alive?: alive?, expires_at: expires_at)
-      render json: { live: alive?, timeout: expires_at }
-    end
-
-    def keepalive
-      session[:session_expires_at] = now + Devise.timeout_in if alive?
-      analytics.session_kept_alive if alive?
-
-      render json: { live: alive?, timeout: expires_at }
-    end
-
-    def timeout
-      analytics.session_timed_out
-      request_id = sp_session[:request_id]
-      sign_out
-      flash[:info] = t(
-        'notices.session_timedout',
-        app_name: APP_NAME,
-        minutes: IdentityConfig.store.session_timeout_in_minutes,
-      )
-      redirect_to root_url(request_id: request_id)
-    end
-
     private
 
     def clear_session_bad_password_count_if_window_expired
@@ -143,24 +116,10 @@ def handle_valid_authentication
       redirect_to next_url_after_valid_authentication
     end
 
-    def now
-      @now ||= Time.zone.now
-    end
-
-    def expires_at
-      session[:session_expires_at]&.to_datetime || (now - 1)
-    end
-
     def browser_is_ie11?
       BrowserCache.parse(request.user_agent).ie?(11)
     end
 
-    def alive?
-      return false unless session && expires_at
-      session_alive = expires_at > now
-      current_user.present? && session_alive
-    end
-
     def track_authentication_attempt(email)
       user = User.find_with_email(email) || AnonymousUser.new
 

app/controllers/users/totp_setup_controller.rb

@@ -66,18 +66,12 @@ def set_totp_setup_presenter
       )
     end
 
-    def sign_up_mfa_selection_order_bucket
-      return unless in_multi_mfa_selection_flow?
-      @sign_up_mfa_selection_order_bucket = AbTests::SIGN_UP_MFA_SELECTION.bucket(current_user.uuid)
-    end
-
     def track_event
       mfa_user = MfaContext.new(current_user)
       analytics.totp_setup_visit(
         user_signed_up: MfaPolicy.new(current_user).two_factor_enabled?,
         totp_secret_present: new_totp_secret.present?,
         enabled_mfa_methods_count: mfa_user.enabled_mfa_methods_count,
-        sign_up_mfa_selection_order_bucket: sign_up_mfa_selection_order_bucket,
       )
     end
 
@@ -144,7 +138,6 @@ def current_auth_app_count
     def analytics_properties
       {
         in_multi_mfa_selection_flow: in_multi_mfa_selection_flow?,
-        sign_up_mfa_selection_order_bucket: sign_up_mfa_selection_order_bucket,
         pii_like_keypaths: [[:mfa_method_counts, :phone]],
       }
     end