Deploy RC 302 to Production

.rubocop.yml

@@ -932,6 +932,7 @@ Style/AndOr:
     - conditionals
 
 Style/ArgumentsForwarding:
+  UseAnonymousForwarding: false
   Enabled: true
 
 Style/ArrayJoin:

Gemfile

@@ -110,7 +110,7 @@ group :development, :test do
   gem 'pry-rails'
   gem 'psych'
   gem 'rspec-rails', '~> 6.0'
-  gem 'rubocop', '~> 1.43.0', require: false
+  gem 'rubocop', '~> 1.55.1', require: false
   gem 'rubocop-performance', '~> 1.15.0', require: false
   gem 'rubocop-rails', '>= 2.5.2', require: false
 end

Gemfile.lock

@@ -366,6 +366,7 @@ GEM
     jwt (2.7.1)
     knapsack (4.0.0)
       rake
+    language_server-protocol (3.17.0.3)
     launchy (2.5.0)
       addressable (~> 2.7)
     letter_opener (1.8.1)
@@ -439,13 +440,14 @@ GEM
     openssl-signature_algorithm (1.2.1)
       openssl (> 2.0, < 3.1)
     orm_adapter (0.5.0)
-    parallel (1.22.1)
-    parser (3.2.2.0)
+    parallel (1.23.0)
+    parser (3.2.2.3)
       ast (~> 2.4.1)
+      racc
     pg (1.4.5)
     pg_query (2.2.0)
       google-protobuf (>= 3.19.2)
-    phonelib (0.6.54)
+    phonelib (0.8.2)
     pkcs11 (0.3.4)
     premailer (1.21.0)
       addressable
@@ -589,18 +591,19 @@ GEM
     rspec-support (3.12.0)
     rspec_junit_formatter (0.6.0)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.43.0)
+    rubocop (1.55.1)
       json (~> 2.3)
+      language_server-protocol (>= 3.17.0)
       parallel (~> 1.10)
-      parser (>= 3.2.0.0)
+      parser (>= 3.2.2.3)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml (>= 3.2.5, < 4.0)
-      rubocop-ast (>= 1.24.1, < 2.0)
+      rubocop-ast (>= 1.28.1, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 2.4.0, < 3.0)
-    rubocop-ast (1.24.1)
-      parser (>= 3.1.1.0)
+    rubocop-ast (1.29.0)
+      parser (>= 3.2.1.0)
     rubocop-performance (1.15.2)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
@@ -819,7 +822,7 @@ DEPENDENCIES
   rspec-rails (~> 6.0)
   rspec-retry
   rspec_junit_formatter
-  rubocop (~> 1.43.0)
+  rubocop (~> 1.55.1)
   rubocop-performance (~> 1.15.0)
   rubocop-rails (>= 2.5.2)
   ruby-progressbar

app/assets/stylesheets/utilities/_util.scss

@@ -13,15 +13,3 @@ html.js .no-js {
   backface-visibility: hidden;
   transform: scale(0.7);
 }
-
-@include at-media('tablet') {
-  .sm-left-align {
-    text-align: left;
-  }
-}
-
-.half-center {
-  margin: 0 auto;
-  text-align: center;
-  width: 300px;
-}

app/components/block_link_component.rb

@@ -1,6 +1,8 @@
 class BlockLinkComponent < BaseComponent
   attr_reader :url, :action, :new_tab, :tag_options
 
+  alias_method :new_tab?, :new_tab
+
   def initialize(url:, action: tag.method(:a), new_tab: false, **tag_options)
     @action = action
     @url = url
@@ -10,12 +12,12 @@ def initialize(url:, action: tag.method(:a), new_tab: false, **tag_options)
 
   def css_class
     classes = ['usa-link', 'block-link', *tag_options[:class]]
-    classes << 'usa-link--external' if new_tab
+    classes << 'usa-link--external' if new_tab?
     classes
   end
 
   def target
-    '_blank' if new_tab
+    '_blank' if new_tab?
   end
 
   def wrapper(&block)

app/components/password_confirmation_component.html.erb

@@ -3,7 +3,7 @@
         form: form,
         name: :password,
         type: :password,
-        label: t('forms.password'),
+        label: password_label,
         required: true,
         **field_options,
         input_html: field_options[:input_html].to_h.merge(
@@ -16,7 +16,7 @@
         form: form,
         name: :password_confirmation,
         type: :password_confirmation,
-        label: t('components.password_confirmation.confirm_label'),
+        label: confirmation_label,
         required: true,
         **field_options,
         input_html: field_options[:input_html].to_h.merge(

app/components/password_confirmation_component.rb

@@ -3,14 +3,26 @@ class PasswordConfirmationComponent < BaseComponent
 
   def initialize(
     form:,
+    password_label: nil,
+    confirmation_label: nil,
     field_options: {},
     **tag_options
   )
     @form = form
+    @password_label = password_label
+    @confirmation_label = confirmation_label
     @field_options = field_options
     @tag_options = tag_options
   end
 
+  def password_label
+    @password_label || t('forms.password')
+  end
+
+  def confirmation_label
+    @confirmation_label || t('components.password_confirmation.confirm_label')
+  end
+
   def toggle_id
     "password-confirmation-toggle-#{unique_id}"
   end

app/components/troubleshooting_options_component.rb

@@ -4,10 +4,19 @@ class TroubleshootingOptionsComponent < BaseComponent
 
   attr_reader :tag_options
 
-  def initialize(**tag_options)
+  def initialize(options: [], **tag_options)
+    @options_from_constructor = options
     @tag_options = tag_options.dup
   end
 
+  def options
+    @options_from_constructor.map(&method(:render)) + get_slot(:options)
+  end
+
+  def options?
+    options.present?
+  end
+
   def render?
     options?
   end

app/components/webauthn_verify_button_component.html.erb

@@ -9,8 +9,7 @@
     ) do %>
   <div class="webauthn-verify-button__spinner text-center" hidden>
     <%= image_tag(
-          asset_url('spinner.gif'),
-          srcset: asset_url('spinner@2x.gif'),
+          asset_url('loading-badge.gif'),
           height: 144,
           width: 144,
           alt: '',

app/controllers/concerns/idv_step_concern.rb

@@ -41,6 +41,10 @@ def flow_path
   private
 
   def confirm_ssn_step_complete
+    if IdentityConfig.store.in_person_ssn_info_controller_enabled
+      # mark ssn step as complete for FSM
+      flow_session['Idv::Steps::InPerson::SsnStep'] = true if flow_session.dig(:pii_from_user, :ssn)
+    end
     return if pii.present? && pii[:ssn].present?
     redirect_to prev_url
   end

app/controllers/concerns/rate_limit_concern.rb

@@ -40,7 +40,7 @@ def rate_limited_redirect(rate_limit_type)
     when :idv_resolution
       redirect_to idv_session_errors_failure_url
     when :idv_doc_auth
-      redirect_to idv_session_errors_throttled_url
+      redirect_to idv_session_errors_rate_limited_url
     when :proof_address
       redirect_to idv_phone_errors_failure_url
     when :proof_ssn

app/controllers/idv/agreement_controller.rb

@@ -18,7 +18,7 @@ def show
     end
 
     def update
-      skip_to_capture if params[:skip_hybrid_handoff] || params[:skip_upload]
+      skip_to_capture if params[:skip_hybrid_handoff]
 
       result = Idv::ConsentForm.new.submit(consent_form_params)
 

app/controllers/idv/capture_doc_status_controller.rb

@@ -34,7 +34,7 @@ def redirect_url
       return unless flow_session && document_capture_session
 
       if rate_limiter.limited?
-        idv_session_errors_throttled_url
+        idv_session_errors_rate_limited_url
       elsif user_has_establishing_in_person_enrollment?
         idv_in_person_url
       end
@@ -85,7 +85,7 @@ def had_barcode_attention_result?
         idv_session.had_barcode_attention_error = session_result.attention_with_barcode?
       end
 
-      flow_session[:had_barcode_attention_error]
+      idv_session.had_barcode_attention_error
     end
 
     def idv_session

app/controllers/idv/getting_started_controller.rb

@@ -20,7 +20,7 @@ def show
     end
 
     def update
-      skip_to_capture if params[:skip_hybrid_handoff] || params[:skip_upload]
+      skip_to_capture if params[:skip_hybrid_handoff]
 
       result = Idv::ConsentForm.new.submit(consent_form_params)
 

app/controllers/idv/phone_errors_controller.rb

@@ -5,6 +5,7 @@ class PhoneErrorsController < ApplicationController
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_phone_step_needed
+    before_action :confirm_idv_phone_step_submitted
     before_action :set_gpo_letter_available
     before_action :ignore_form_step_wait_requests
 
@@ -45,6 +46,10 @@ def confirm_idv_phone_step_needed
       redirect_to idv_review_url if idv_session.user_phone_confirmation == true
     end
 
+    def confirm_idv_phone_step_submitted
+      redirect_to idv_phone_url if idv_session.previous_phone_step_params.nil?
+    end
+
     def ignore_form_step_wait_requests
       head(:no_content) if request.headers['HTTP_X_FORM_STEPS_WAIT']
     end

app/controllers/idv/verify_info_controller.rb

@@ -16,7 +16,7 @@ def show
       Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
         call('verify', :view, true)
 
-      @had_barcode_read_failure = flow_session[:had_barcode_read_failure]
+      @had_barcode_read_failure = idv_session.had_barcode_read_failure
       process_async_state(load_async_state)
     end
 

app/controllers/sign_up/passwords_controller.rb

@@ -67,7 +67,7 @@ def process_successful_password_creation
     end
 
     def password_form
-      @password_form ||= PasswordForm.new(@user, validate_confirmation: true)
+      @password_form ||= PasswordForm.new(@user)
     end
 
     def process_unsuccessful_password_creation

app/controllers/two_factor_authentication/piv_cac_verification_controller.rb

@@ -71,10 +71,7 @@ def render_show_after_invalid
     end
 
     def piv_cac_view_data
-      {
-        two_factor_authentication_method: 'piv_cac',
-        hide_fallback_question: service_provider_mfa_policy.piv_cac_required?,
-      }.merge(generic_data)
+      { two_factor_authentication_method: 'piv_cac' }.merge(generic_data)
     end
 
     def piv_cac_verification_form

app/controllers/users/passwords_controller.rb

@@ -41,7 +41,7 @@ def capture_password_if_pii_requested_but_locked
     end
 
     def user_params
-      params.require(:update_user_password_form).permit(:password)
+      params.require(:update_user_password_form).permit(:password, :password_confirmation)
     end
 
     def handle_valid_password

app/controllers/users/reset_passwords_controller.rb

@@ -180,7 +180,7 @@ def create_reset_event_and_send_notification
 
     def user_params
       params.require(:reset_password_form).
-        permit(:password, :reset_password_token)
+        permit(:password, :password_confirmation, :reset_password_token)
     end
 
     def assert_reset_token_passed

app/forms/openid_connect_authorize_form.rb

@@ -234,6 +234,7 @@ def extra_analytics_attributes
       unauthorized_scope: @unauthorized_scope,
       code_digest: code ? Digest::SHA256.hexdigest(code) : nil,
       code_challenge_present: code_challenge.present?,
+      service_provider_pkce: service_provider&.pkce,
     }
   end
 

app/forms/openid_connect_token_form.rb

@@ -199,6 +199,7 @@ def extra_analytics_attributes
       user_id: identity&.user&.uuid,
       code_digest: code ? Digest::SHA256.hexdigest(code) : nil,
       code_verifier_present: code_verifier.present?,
+      service_provider_pkce: service_provider&.pkce,
     }
   end
 

app/forms/password_form.rb

@@ -2,9 +2,9 @@ class PasswordForm
   include ActiveModel::Model
   include FormPasswordValidator
 
-  def initialize(user, options = {})
+  def initialize(user)
     @user = user
-    @validate_confirmation = options.fetch(:validate_confirmation, false)
+    @validate_confirmation = true
   end
 
   def submit(params)

app/forms/reset_password_form.rb

@@ -8,14 +8,15 @@ class ResetPasswordForm
 
   def initialize(user)
     @user = user
+    @reset_password_token = @user.reset_password_token
+    @validate_confirmation = true
     @active_profile = user.active_profile
     @pending_profile = user.pending_profile
-
-    self.reset_password_token = @user.reset_password_token
   end
 
   def submit(params)
-    self.password = params[:password]
+    @password = params[:password]
+    @password_confirmation = params[:password_confirmation]
 
     @success = valid?
 

app/forms/two_factor_options_form.rb

@@ -60,7 +60,13 @@ def has_no_configured_mfa?
     mfa_user.enabled_mfa_methods_count == 0
   end
 
+  def platform_auth_only_option?
+    mfa_user.enabled_mfa_methods_count == 1 &&
+      mfa_user.webauthn_platform_configurations.count == 1
+  end
+
   def has_no_mfa_or_in_required_flow?
-    has_no_configured_mfa? || in_phishing_resistant_or_piv_cac_required_flow?
+    has_no_configured_mfa? || in_phishing_resistant_or_piv_cac_required_flow? ||
+      platform_auth_only_option?
   end
 end

app/forms/update_user_password_form.rb

@@ -7,10 +7,12 @@ class UpdateUserPasswordForm
   def initialize(user, user_session = nil)
     @user = user
     @user_session = user_session
+    @validate_confirmation = true
   end
 
   def submit(params)
-    self.password = params[:password]
+    @password = params[:password]
+    @password_confirmation = params[:password_confirmation]
     success = valid?
     process_valid_submission if success
     FormResponse.new(success: success, errors: errors)