Deploy RC 295

app/assets/stylesheets/components/_index.scss

@@ -15,6 +15,7 @@
 @forward 'icon';
 @forward 'language-picker';
 @forward 'list';
+@forward 'modal';
 @forward 'nav';
 @forward 'page-heading';
 @forward 'password';

app/components/modal_component.scss → app/assets/stylesheets/components/_modal.scss

@@ -1,5 +1,5 @@
 @use 'uswds-core' as *;
-@use 'variables/app' as *;
+@use '../variables/app' as *;
 
 .usa-modal-overlay {
   // Temporary styles to avoid inheriting too much of the USWDS opinionated modal styling until

app/controllers/concerns/idv_step_concern.rb

@@ -29,9 +29,8 @@ def pii_from_doc
     flow_session['pii_from_doc']
   end
 
-  # copied from doc_auth_controller
   def flow_path
-    idv_session.flow_path || flow_session[:flow_path]
+    idv_session.flow_path
   end
 
   private

app/controllers/idv/agreement_controller.rb

@@ -49,7 +49,6 @@ def analytics_arguments
     def skip_to_capture
       flow_session[:skip_upload_step] = true
       idv_session.flow_path = 'standard'
-      flow_session[:flow_path] = 'standard' # temp added for 50/50, remove in future deploy
     end
 
     def consent_form_params

app/controllers/idv/document_capture_controller.rb

@@ -52,7 +52,6 @@ def extra_view_variables
 
     def confirm_hybrid_handoff_complete
       return if idv_session.flow_path.present?
-      return if flow_session[:flow_path].present? # remove in future deploy
 
       redirect_to idv_hybrid_handoff_url
     end

app/controllers/idv/gpo_controller.rb

@@ -27,6 +27,7 @@ def create
         redirect_to capture_password_url
       elsif resend_requested?
         resend_letter
+        flash[:success] = t('idv.messages.gpo.another_letter_on_the_way')
         redirect_to idv_come_back_later_url
       else
         redirect_to idv_review_url

app/controllers/idv/gpo_verify_controller.rb

@@ -9,6 +9,12 @@ class GpoVerifyController < ApplicationController
 
     def index
       analytics.idv_gpo_verification_visited
+
+      if rate_limiter.limited?
+        render_rate_limited
+        return
+      end
+
       gpo_mail = Idv::GpoMail.new(current_user)
       @gpo_verify_form = GpoVerifyForm.new(user: current_user, pii: pii)
       @code = session[:last_gpo_confirmation_code] if FeatureManagement.reveal_gpo_code?
@@ -18,9 +24,7 @@ def index
         !gpo_mail.mail_spammed? &&
         !gpo_mail.profile_too_old?
 
-      if rate_limiter.limited?
-        render_rate_limited
-      elsif pii_locked?
+      if pii_locked?
         redirect_to capture_password_url
       else
         render :index
@@ -32,13 +36,13 @@ def pii
     end
 
     def create
-      @gpo_verify_form = build_gpo_verify_form
-
-      rate_limiter.increment!
       if rate_limiter.limited?
         render_rate_limited
         return
       end
+      rate_limiter.increment!
+
+      @gpo_verify_form = build_gpo_verify_form
 
       result = @gpo_verify_form.submit
       analytics.idv_gpo_verification_submitted(**result.to_h)

app/controllers/idv/hybrid_handoff_controller.rb

@@ -38,11 +38,10 @@ def hybrid_flow_chosen?
     end
 
     def handle_phone_submission
-      rate_limiter.increment!
       return rate_limited_failure if rate_limiter.limited?
+      rate_limiter.increment!
       idv_session.phone_for_mobile_flow = params[:doc_auth][:phone]
       idv_session.flow_path = 'hybrid'
-      flow_session[:flow_path] = 'hybrid' # temp addition for 50/50 remove in future deploy
       telephony_result = send_link
       telephony_form_response = build_telephony_form_response(telephony_result)
 
@@ -62,7 +61,6 @@ def handle_phone_submission
       else
         redirect_to idv_hybrid_handoff_url
         idv_session.flow_path = nil
-        flow_session[:flow_path] = nil # temp added for 50/50, remove in future deploy
       end
 
       analytics.idv_doc_auth_upload_submitted(
@@ -99,7 +97,7 @@ def build_telephony_form_response(telephony_result)
         extra: {
           telephony_response: telephony_result.to_h,
           destination: :link_sent,
-          flow_path: idv_session.flow_path || flow_session[:flow_path], # remove in future deploy
+          flow_path: idv_session.flow_path,
         },
       )
     end
@@ -116,7 +114,6 @@ def update_document_capture_session_requested_at(session_uuid)
 
     def bypass_send_link_steps
       idv_session.flow_path = 'standard'
-      flow_session[:flow_path] = 'standard' # temp added for 50/50, remove in future deploy
       redirect_to idv_document_capture_url
 
       analytics.idv_doc_auth_upload_submitted(
@@ -214,14 +211,11 @@ def confirm_hybrid_handoff_needed
       setup_for_redo if params[:redo]
 
       idv_session.flow_path = 'standard' if flow_session[:skip_upload_step]
-      # next line temp added for 50/50, remove in future deploy
-      flow_session[:flow_path] = 'standard' if flow_session[:skip_upload_step]
-      # flow_session temp added for 50/50, remove in future deploy.
-      return if !idv_session.flow_path && !flow_session[:flow_path]
+      return if !idv_session.flow_path
 
-      if idv_session.flow_path == 'standard' || flow_session[:flow_path] == 'standard'
+      if idv_session.flow_path == 'standard'
         redirect_to idv_document_capture_url
-      elsif idv_session.flow_path == 'hybrid' || flow_session[:flow_path] == 'hybrid'
+      elsif idv_session.flow_path == 'hybrid'
         redirect_to idv_link_sent_url
       end
     end
@@ -230,10 +224,8 @@ def setup_for_redo
       flow_session[:redo_document_capture] = true
       if flow_session[:skip_upload_step]
         idv_session.flow_path = 'standard'
-        flow_session[:flow_path] = 'standard' # temp added for 50/50, remove in future deploy
       else
         idv_session.flow_path = nil
-        flow_session[:flow_path] = nil # temp added for 50/50, remove in future deploy
       end
     end
 

app/controllers/idv/link_sent_controller.rb

@@ -40,9 +40,8 @@ def extra_view_variables
 
     def confirm_hybrid_handoff_complete
       return if idv_session.flow_path == 'hybrid'
-      return if flow_session[:flow_path] == 'hybrid'
 
-      if idv_session.flow_path == 'standard' || flow_session[:flow_path] == 'standard'
+      if idv_session.flow_path == 'standard'
         redirect_to idv_document_capture_url
       else
         redirect_to idv_hybrid_handoff_url
@@ -71,13 +70,11 @@ def handle_document_verification_success(get_results_response)
       save_proofing_components(current_user)
       extract_pii_from_doc(current_user, get_results_response, store_in_session: true)
       idv_session.flow_path = 'hybrid'
-      flow_session[:flow_path] = 'hybrid' # temp added for 50/50, remove in future deploy
     end
 
     def render_document_capture_cancelled
       redirect_to idv_hybrid_handoff_url
       idv_session.flow_path = nil
-      flow_session[:flow_path] = nil # temp added for 50/50, remove in future deploy
       failure(I18n.t('errors.doc_auth.document_capture_cancelled'))
     end
 

app/controllers/idv/review_controller.rb

@@ -52,7 +52,13 @@ def create
 
       user_session[:need_personal_key_confirmation] = true
 
-      flash[:success] = t('idv.messages.confirm')
+      flash[:success] =
+        if gpo_user_flow?
+          t('idv.messages.gpo.letter_on_the_way')
+        else
+          t('idv.messages.confirm')
+        end
+
       redirect_to next_step
 
       analytics.idv_review_complete(

app/controllers/idv/verify_info_controller.rb

@@ -29,7 +29,6 @@ def update
         if flow_session['redo_document_capture']
           flow_session.delete('redo_document_capture')
           idv_session.flow_path ||= 'standard'
-          flow_session[:flow_path] ||= 'standard' # temp added for 50/50, remove in future deploy
         end
 
         redirect_to idv_verify_info_url

app/controllers/two_factor_authentication/otp_verification_controller.rb

@@ -51,7 +51,7 @@ def handle_valid_confirmation_otp
     end
 
     def otp_verification_form
-      OtpVerificationForm.new(current_user, sanitized_otp_code)
+      OtpVerificationForm.new(current_user, sanitized_otp_code, phone_configuration)
     end
 
     def redirect_if_blank_phone

app/controllers/two_factor_authentication/personal_key_verification_controller.rb

@@ -14,15 +14,23 @@ def show
     def create
       @personal_key_form = PersonalKeyForm.new(current_user, personal_key_param)
       result = @personal_key_form.submit
-      analytics_hash = result.to_h.merge(multi_factor_auth_method: 'personal-key')
-
-      analytics.track_mfa_submit_event(analytics_hash)
 
+      track_analytics(result)
       handle_result(result)
     end
 
     private
 
+    def track_analytics(result)
+      mfa_created_at = current_user.encrypted_recovery_code_digest_generated_at
+      analytics_hash = result.to_h.merge(
+        multi_factor_auth_method: 'personal-key',
+        multi_factor_auth_method_created_at: mfa_created_at,
+      )
+
+      analytics.track_mfa_submit_event(analytics_hash)
+    end
+
     def check_personal_key_enabled
       return if TwoFactorAuthentication::PersonalKeyPolicy.new(current_user).enabled?
 

app/controllers/two_factor_authentication/webauthn_verification_controller.rb

@@ -56,18 +56,14 @@ def handle_valid_webauthn
     def handle_invalid_webauthn
       is_platform_auth = params[:platform].to_s == 'true'
       if is_platform_auth
-        if presenter_for_two_factor_authentication_method.multiple_factors_enabled?
-          flash[:error] = t(
-            'two_factor_authentication.webauthn_error.multiple_methods',
-            link: view_context.link_to(
-              t('two_factor_authentication.webauthn_error.additional_methods_link'),
-              login_two_factor_options_path,
-            ),
-          )
-          redirect_to login_two_factor_webauthn_url(platform: params[:platform])
-        else
-          redirect_to login_two_factor_webauthn_error_url
-        end
+        flash[:error] = t(
+          'two_factor_authentication.webauthn_error.multiple_methods',
+          link: view_context.link_to(
+            t('two_factor_authentication.webauthn_error.additional_methods_link'),
+            login_two_factor_options_path,
+          ),
+        )
+        redirect_to login_two_factor_webauthn_url(platform: 'true')
       else
         flash[:error] = t('errors.general')
         redirect_to login_two_factor_webauthn_url
@@ -112,6 +108,7 @@ def analytics_properties
         context: context,
         multi_factor_auth_method: auth_method,
         webauthn_configuration_id: form&.webauthn_configuration&.id,
+        multi_factor_auth_method_created_at: form&.webauthn_configuration&.created_at,
       }
     end
 

app/forms/backup_code_verification_form.rb

@@ -17,12 +17,18 @@ def submit(params)
   attr_reader :user, :backup_code
 
   def valid_backup_code?
-    BackupCodeGenerator.new(@user).verify(backup_code)
+    backup_code_config.present?
+  end
+
+  def backup_code_config
+    @backup_code_config ||= BackupCodeGenerator.new(@user).
+      if_valid_consume_code_return_config(backup_code)
   end
 
   def extra_analytics_attributes
     {
       multi_factor_auth_method: 'backup_code',
+      multi_factor_auth_method_created_at: backup_code_config.created_at,
     }
   end
 end

app/forms/openid_connect_authorize_form.rb

@@ -260,7 +260,8 @@ def scopes
 
   def validate_privileges
     if (ial2_requested? && !ial_context.ial2_service_provider?) ||
-       (ial_context.ialmax_requested? && !ial_context.ial2_service_provider?)
+       (ial_context.ialmax_requested? &&
+        !IdentityConfig.store.allowed_ialmax_providers.include?(client_id))
       errors.add(
         :acr_values, t('openid_connect.authorization.errors.no_auth'),
         type: :no_auth

app/forms/otp_verification_form.rb

@@ -8,9 +8,10 @@ class OtpVerificationForm
   validate :validate_user_otp_expiration
   validate :validate_code_equals_user_otp
 
-  def initialize(user, code)
+  def initialize(user, code, phone_configuration)
     @user = user
     @code = code
+    @phone_configuration = phone_configuration
   end
 
   def submit
@@ -28,7 +29,7 @@ def submit
 
   private
 
-  attr_reader :code, :user
+  attr_reader :code, :user, :phone_configuration
 
   def validate_code_length
     return if code.blank? || code.size == TwoFactorAuthenticatable::DIRECT_OTP_LENGTH
@@ -63,8 +64,11 @@ def otp_expired?
   end
 
   def extra_analytics_attributes
+    multi_factor_auth_method_created_at = phone_configuration&.created_at
+
     {
       multi_factor_auth_method: 'otp_code',
+      multi_factor_auth_method_created_at: multi_factor_auth_method_created_at,
     }
   end
 end

app/forms/totp_verification_form.rb

@@ -8,7 +8,7 @@ def submit
     cfg = if_valid_totp_code_return_config
     FormResponse.new(
       success: cfg.present?,
-      extra: extra_analytics_attributes(cfg&.id),
+      extra: extra_analytics_attributes(cfg),
     )
   end
 
@@ -29,10 +29,11 @@ def totp_code_length
     TwoFactorAuthenticatable::OTP_LENGTH
   end
 
-  def extra_analytics_attributes(cfg_id)
+  def extra_analytics_attributes(cfg)
     {
       multi_factor_auth_method: 'totp',
-      auth_app_configuration_id: cfg_id,
+      auth_app_configuration_id: cfg&.id,
+      multi_factor_auth_method_created_at: cfg&.created_at,
     }
   end
 end