Deploy RC 308 to Prod

.github/dependabot.yml

@@ -1,8 +1,15 @@
 version: 2
 updates:
-  - package-ecosystem: 'npm'
-    directory: '/'
+  - package-ecosystem: npm
+    directory: /
     schedule:
-      interval: 'daily'
+      interval: daily
     allow:
       - dependency-name: '@18f/identity-design-system'
+      - dependency-name: libphonenumber-js
+  - package-ecosystem: bundler
+    directory: /
+    schedule:
+      interval: daily
+    allow:
+      - dependency-name: phonelib

Gemfile.lock

@@ -60,70 +60,70 @@ GIT
 GEM
   remote: https://rubygems.org/
   specs:
-    actioncable (7.0.7)
-      actionpack (= 7.0.7)
-      activesupport (= 7.0.7)
+    actioncable (7.0.7.2)
+      actionpack (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       nio4r (~> 2.0)
       websocket-driver (>= 0.6.1)
-    actionmailbox (7.0.7)
-      actionpack (= 7.0.7)
-      activejob (= 7.0.7)
-      activerecord (= 7.0.7)
-      activestorage (= 7.0.7)
-      activesupport (= 7.0.7)
+    actionmailbox (7.0.7.2)
+      actionpack (= 7.0.7.2)
+      activejob (= 7.0.7.2)
+      activerecord (= 7.0.7.2)
+      activestorage (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       mail (>= 2.7.1)
       net-imap
       net-pop
       net-smtp
-    actionmailer (7.0.7)
-      actionpack (= 7.0.7)
-      actionview (= 7.0.7)
-      activejob (= 7.0.7)
-      activesupport (= 7.0.7)
+    actionmailer (7.0.7.2)
+      actionpack (= 7.0.7.2)
+      actionview (= 7.0.7.2)
+      activejob (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       mail (~> 2.5, >= 2.5.4)
       net-imap
       net-pop
       net-smtp
       rails-dom-testing (~> 2.0)
-    actionpack (7.0.7)
-      actionview (= 7.0.7)
-      activesupport (= 7.0.7)
+    actionpack (7.0.7.2)
+      actionview (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       rack (~> 2.0, >= 2.2.4)
       rack-test (>= 0.6.3)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.0, >= 1.2.0)
-    actiontext (7.0.7)
-      actionpack (= 7.0.7)
-      activerecord (= 7.0.7)
-      activestorage (= 7.0.7)
-      activesupport (= 7.0.7)
+    actiontext (7.0.7.2)
+      actionpack (= 7.0.7.2)
+      activerecord (= 7.0.7.2)
+      activestorage (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       globalid (>= 0.6.0)
       nokogiri (>= 1.8.5)
-    actionview (7.0.7)
-      activesupport (= 7.0.7)
+    actionview (7.0.7.2)
+      activesupport (= 7.0.7.2)
       builder (~> 3.1)
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    activejob (7.0.7)
-      activesupport (= 7.0.7)
+    activejob (7.0.7.2)
+      activesupport (= 7.0.7.2)
       globalid (>= 0.3.6)
-    activemodel (7.0.7)
-      activesupport (= 7.0.7)
-    activerecord (7.0.7)
-      activemodel (= 7.0.7)
-      activesupport (= 7.0.7)
+    activemodel (7.0.7.2)
+      activesupport (= 7.0.7.2)
+    activerecord (7.0.7.2)
+      activemodel (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
     activerecord-postgis-adapter (8.0.2)
       activerecord (~> 7.0.0)
       rgeo-activerecord (~> 7.0.0)
-    activestorage (7.0.7)
-      actionpack (= 7.0.7)
-      activejob (= 7.0.7)
-      activerecord (= 7.0.7)
-      activesupport (= 7.0.7)
+    activestorage (7.0.7.2)
+      actionpack (= 7.0.7.2)
+      activejob (= 7.0.7.2)
+      activerecord (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       marcel (~> 1.0)
       mini_mime (>= 1.1.0)
-    activesupport (7.0.7)
+    activesupport (7.0.7.2)
       concurrent-ruby (~> 1.0, >= 1.0.2)
       i18n (>= 1.6, < 2)
       minitest (>= 5.1)
@@ -443,7 +443,7 @@ GEM
     pg (1.5.3)
     pg_query (4.2.3)
       google-protobuf (>= 3.22.3)
-    phonelib (0.8.2)
+    phonelib (0.8.3)
     pkcs11 (0.3.4)
     premailer (1.21.0)
       addressable
@@ -492,20 +492,20 @@ GEM
     rack_session_access (0.2.0)
       builder (>= 2.0.0)
       rack (>= 1.0.0)
-    rails (7.0.7)
-      actioncable (= 7.0.7)
-      actionmailbox (= 7.0.7)
-      actionmailer (= 7.0.7)
-      actionpack (= 7.0.7)
-      actiontext (= 7.0.7)
-      actionview (= 7.0.7)
-      activejob (= 7.0.7)
-      activemodel (= 7.0.7)
-      activerecord (= 7.0.7)
-      activestorage (= 7.0.7)
-      activesupport (= 7.0.7)
+    rails (7.0.7.2)
+      actioncable (= 7.0.7.2)
+      actionmailbox (= 7.0.7.2)
+      actionmailer (= 7.0.7.2)
+      actionpack (= 7.0.7.2)
+      actiontext (= 7.0.7.2)
+      actionview (= 7.0.7.2)
+      activejob (= 7.0.7.2)
+      activemodel (= 7.0.7.2)
+      activerecord (= 7.0.7.2)
+      activestorage (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       bundler (>= 1.15.0)
-      railties (= 7.0.7)
+      railties (= 7.0.7.2)
     rails-controller-testing (1.0.5)
       actionpack (>= 5.0.1.rc1)
       actionview (>= 5.0.1.rc1)
@@ -520,9 +520,9 @@ GEM
     rails-i18n (7.0.6)
       i18n (>= 0.7, < 2)
       railties (>= 6.0.0, < 8)
-    railties (7.0.7)
-      actionpack (= 7.0.7)
-      activesupport (= 7.0.7)
+    railties (7.0.7.2)
+      actionpack (= 7.0.7.2)
+      activesupport (= 7.0.7.2)
       method_source
       rake (>= 12.2)
       thor (~> 1.0)

app/components/page_footer_component.rb

@@ -10,6 +10,6 @@ def call
   end
 
   def css_class
-    ['margin-top-4 padding-top-2 border-top border-primary-light', *tag_options[:class]]
+    ['page-footer margin-top-4 padding-top-2 border-top border-primary-light', *tag_options[:class]]
   end
 end

app/controllers/concerns/forced_reauthentication_concern.rb

@@ -0,0 +1,19 @@
+# This module defines an interface for storing when an issuer has forced re-authentication
+# for an active session. A request to force re-authentication that does not result
+# in the user needing to re-authenticate due to not being authenticated should be excluded.
+
+module ForcedReauthenticationConcern
+  def issuer_forced_reauthentication?(issuer:)
+    session.dig(:forced_reauthentication_sps, issuer) == true
+  end
+
+  def set_issuer_forced_reauthentication(issuer:, is_forced_reauthentication:)
+    if is_forced_reauthentication
+      session[:forced_reauthentication_sps] ||= {}
+      session[:forced_reauthentication_sps][issuer] = true
+    elsif session[:forced_reauthentication_sps]
+      session[:forced_reauthentication_sps].delete(issuer)
+      session.delete(:forced_reauthentication_sps) if session[:forced_reauthentication_sps].blank?
+    end
+  end
+end

app/controllers/concerns/idv/ab_test_analytics_concern.rb

@@ -4,7 +4,12 @@ module AbTestAnalyticsConcern
     include Idv::GettingStartedAbTestConcern
 
     def ab_test_analytics_buckets
-      acuant_sdk_ab_test_analytics_args.
+      buckets = {}
+      if defined?(idv_session)
+        buckets[:skip_hybrid_handoff] = idv_session&.skip_hybrid_handoff
+      end
+
+      buckets.merge(acuant_sdk_ab_test_analytics_args).
         merge(getting_started_ab_test_analytics_bucket)
     end
   end

app/controllers/concerns/idv/verify_info_concern.rb

@@ -30,8 +30,7 @@ def shared_update
         should_proof_state_id: should_use_aamva?(pii),
         trace_id: amzn_trace_id,
         user_id: current_user.id,
-        threatmetrix_session_id:
-          idv_session.threatmetrix_session_id || flow_session[:threatmetrix_session_id],
+        threatmetrix_session_id: idv_session.threatmetrix_session_id,
         request_ip: request.remote_ip,
         double_address_verification: capture_secondary_id_enabled,
       )
@@ -195,8 +194,9 @@ def async_state_done(current_async_state)
           address_edited: !!(idv_session.address_edited || flow_session['address_edited']),
           address_line2_present: !pii[:address2].blank?,
           pii_like_keypaths: [[:errors, :ssn], [:response_body, :first_name],
+                              [:same_address_as_id],
                               [:state_id, :state_id_jurisdiction]],
-        }.merge(ab_test_analytics_buckets),
+        },
       )
       log_idv_verification_submitted_event(
         success: form_response.success?,
@@ -219,7 +219,7 @@ def async_state_done(current_async_state)
         idv_session.invalidate_verify_info_step!
       end
 
-      analytics.idv_doc_auth_verify_proofing_results(**form_response.to_h)
+      analytics.idv_doc_auth_verify_proofing_results(**analytics_arguments, **form_response.to_h)
     end
 
     def next_step_url

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -1,6 +1,7 @@
 module SamlIdpAuthConcern
   extend ActiveSupport::Concern
   extend Forwardable
+  include ForcedReauthenticationConcern
 
   included do
     # rubocop:disable Rails/LexicallyScopedActionFilter
@@ -19,9 +20,22 @@ module SamlIdpAuthConcern
   private
 
   def sign_out_if_forceauthn_is_true_and_user_is_signed_in
+    if !saml_request.force_authn?
+      set_issuer_forced_reauthentication(
+        issuer: saml_request_service_provider.issuer,
+        is_forced_reauthentication: false,
+      )
+    end
+
     return unless user_signed_in? && saml_request.force_authn?
 
-    sign_out unless sp_session[:final_auth_request]
+    if !sp_session[:final_auth_request]
+      sign_out
+      set_issuer_forced_reauthentication(
+        issuer: saml_request_service_provider.issuer,
+        is_forced_reauthentication: true,
+      )
+    end
     sp_session[:final_auth_request] = false
   end
 

app/controllers/frontend_log_controller.rb

@@ -28,8 +28,8 @@ class FrontendLogController < ApplicationController
     'Multi-Factor Authentication: download backup code' => :multi_factor_auth_backup_code_download,
     'Show Password button clicked' => :show_password_button_clicked,
     'Sign In: IdV requirements accordion clicked' => :sign_in_idv_requirements_accordion_clicked,
-    'User prompted before navigation and still on page' => :user_prompted_before_navigation_and_still_on_page,
     'User prompted before navigation' => :user_prompted_before_navigation,
+    'User prompted before navigation and still on page' => :user_prompted_before_navigation_and_still_on_page,
   }.transform_values { |method| AnalyticsEvents.instance_method(method) }.freeze
   # rubocop:enable Layout/LineLength
 

app/controllers/idv/agreement_controller.rb

@@ -41,6 +41,7 @@ def analytics_arguments
       {
         step: 'agreement',
         analytics_id: 'Doc Auth',
+        skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
         irs_reproofing: irs_reproofing?,
       }.merge(ab_test_analytics_buckets)
     end

app/controllers/idv/document_capture_controller.rb

@@ -75,7 +75,8 @@ def analytics_arguments
         analytics_id: 'Doc Auth',
         irs_reproofing: irs_reproofing?,
         redo_document_capture: idv_session.redo_document_capture,
-      }.compact.merge(ab_test_analytics_buckets)
+        skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
+      }.merge(ab_test_analytics_buckets)
     end
 
     def handle_stored_result

app/controllers/idv/getting_started_controller.rb

@@ -46,6 +46,7 @@ def analytics_arguments
       {
         step: 'getting_started',
         analytics_id: 'Doc Auth',
+        skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
         irs_reproofing: irs_reproofing?,
       }.merge(ab_test_analytics_buckets)
     end

app/controllers/idv/hybrid_handoff_controller.rb

@@ -145,7 +145,8 @@ def analytics_arguments
         analytics_id: 'Doc Auth',
         irs_reproofing: irs_reproofing?,
         redo_document_capture: params[:redo] ? true : nil,
-      }.compact.merge(ab_test_analytics_buckets)
+        skip_hybrid_handoff: idv_session.skip_hybrid_handoff,
+      }.merge(ab_test_analytics_buckets)
     end
 
     def form_response(destination:)

app/controllers/idv/link_sent_controller.rb

@@ -6,7 +6,6 @@ class LinkSentController < ApplicationController
 
     before_action :confirm_hybrid_handoff_complete
     before_action :confirm_document_capture_needed
-    before_action :extend_timeout_using_meta_refresh
 
     def show
       analytics.idv_doc_auth_link_sent_visited(**analytics_arguments)
@@ -91,18 +90,5 @@ def document_capture_session_result
           document_capture_session&.load_doc_auth_async_result
       end
     end
-
-    def extend_timeout_using_meta_refresh
-      max_10min_refreshes = IdentityConfig.store.doc_auth_extend_timeout_by_minutes / 10
-      return if max_10min_refreshes <= 0
-      meta_refresh_count = flow_session[:meta_refresh_count].to_i
-      return if meta_refresh_count >= max_10min_refreshes
-      do_meta_refresh(meta_refresh_count)
-    end
-
-    def do_meta_refresh(meta_refresh_count)
-      @meta_refresh = 10 * 60
-      flow_session[:meta_refresh_count] = meta_refresh_count + 1
-    end
   end
 end

app/controllers/openid_connect/authorization_controller.rb

@@ -6,6 +6,7 @@ class AuthorizationController < ApplicationController
     include SecureHeadersConcern
     include AuthorizationCountConcern
     include BillableEventTrackable
+    include ForcedReauthenticationConcern
 
     before_action :build_authorize_form_from_params, only: [:index]
     before_action :pre_validate_authorize_form, only: [:index]
@@ -125,12 +126,22 @@ def pre_validate_authorize_form
     end
 
     def sign_out_if_prompt_param_is_login_and_user_is_signed_in
+      if @authorize_form.prompt != 'login'
+        set_issuer_forced_reauthentication(
+          issuer: @authorize_form.service_provider.issuer,
+          is_forced_reauthentication: false,
+        )
+      end
       return unless user_signed_in? && @authorize_form.prompt == 'login'
       return if session[:oidc_state_for_login_prompt] == @authorize_form.state
       return if check_sp_handoff_bounced
       unless sp_session[:request_url] == request.original_url
         sign_out
         session[:oidc_state_for_login_prompt] = @authorize_form.state
+        set_issuer_forced_reauthentication(
+          issuer: @authorize_form.service_provider.issuer,
+          is_forced_reauthentication: true,
+        )
       end
     end