LG-10427 prevent doc image resubmission validation

app/forms/idv/api_image_upload_form.rb

@@ -8,6 +8,7 @@ class ApiImageUploadForm
     validates_presence_of :document_capture_session
 
     validate :validate_images
+    validate :validate_duplicate_images, if: :image_resubmission_check?
     validate :limit_if_rate_limited
 
     def initialize(params, service_provider:, analytics: nil,
@@ -41,8 +42,9 @@ def submit
         doc_pii_response: doc_pii_response,
       )
 
+      failed_fingerprints = store_failed_images(client_response, doc_pii_response)
+      response.extra[:failed_image_fingerprints] = failed_fingerprints
       track_event(response)
-
       response
     end
 
@@ -92,7 +94,6 @@ def post_images_to_client
         client_response: response,
         vendor_request_time_in_ms: timer.results['vendor_request'],
       )
-
       response
     end
 
@@ -122,7 +123,8 @@ def validate_pii_from_doc(client_response)
     end
 
     def extra_attributes
-      return @extra_attributes if defined?(@extra_attributes)
+      return @extra_attributes if defined?(@extra_attributes) &&
+                                  @extra_attributes&.dig('attempts') == attempts
       @extra_attributes = {
         attempts: attempts,
         remaining_attempts: remaining_attempts,
@@ -131,17 +133,26 @@ def extra_attributes
         flow_path: params[:flow_path],
       }
 
+      @extra_attributes[:front_image_fingerprint] = front_image_fingerprint
+      @extra_attributes[:back_image_fingerprint] = back_image_fingerprint
+      @extra_attributes.merge!(getting_started_ab_test_analytics_bucket)
+      @extra_attributes
+    end
+
+    def front_image_fingerprint
+      return @front_image_fingerprint if @front_image_fingerprint
       if readable?(:front)
-        @extra_attributes[:front_image_fingerprint] =
+        @front_image_fingerprint =
           Digest::SHA256.urlsafe_base64digest(front_image_bytes)
       end
+    end
 
+    def back_image_fingerprint
+      return @back_image_fingerprint if @back_image_fingerprint
       if readable?(:back)
-        @extra_attributes[:back_image_fingerprint] =
+        @back_image_fingerprint =
           Digest::SHA256.urlsafe_base64digest(back_image_bytes)
       end
-
-      @extra_attributes.merge!(getting_started_ab_test_analytics_bucket)
     end
 
     def remaining_attempts
@@ -199,8 +210,31 @@ def validate_images
       end
     end
 
+    def validate_duplicate_images
+      capture_result = document_capture_session&.load_result
+      return unless capture_result
+      error_sides = []
+      if capture_result&.failed_front_image?(front_image_fingerprint)
+        errors.add(
+          :front, t('doc_auth.errors.doc.resubmit_failed_image'), type: :duplicate_image
+        )
+        error_sides << 'front'
+      end
+
+      if capture_result&.failed_back_image?(back_image_fingerprint)
+        errors.add(
+          :back, t('doc_auth.errors.doc.resubmit_failed_image'), type: :duplicate_image
+        )
+        error_sides << 'back'
+      end
+      unless error_sides.empty?
+        analytics.idv_doc_auth_failed_image_resubmitted(
+          side: error_sides.length == 2 ? 'both' : error_sides[0], **extra_attributes,
+        )
+      end
+    end
+
     def limit_if_rate_limited
-      return unless document_capture_session
       return unless rate_limited?
 
       errors.add(:limit, t('errors.doc_auth.rate_limited_heading'), type: :rate_limited)
@@ -367,5 +401,53 @@ def track_event(response)
         failure_reason: response.errors&.except(:hints)&.presence,
       )
     end
+
+    ##
+    # Store failed image fingerprints in document_capture_session_result
+    # when client_response is not successful and not a network error
+    # ( http status except handled status 438, 439, 440 ) or doc_pii_response is not successful.
+    # @param [Object] client_response
+    # @param [Object] doc_pii_response
+    # @return [Object] latest failed fingerprints
+    def store_failed_images(client_response, doc_pii_response)
+      unless image_resubmission_check?
+        return {
+          front: [],
+          back: [],
+        }
+      end
+      # doc auth failed due to non network error or doc_pii is not valid
+      if client_response && !client_response.success? && !client_response.network_error?
+        errors_hash = client_response.errors&.to_h || {}
+        ## assume both sides' error presents or both sides' error missing
+        failed_front_fingerprint = extra_attributes[:front_image_fingerprint]
+        failed_back_fingerprint = extra_attributes[:back_image_fingerprint]
+        ## not both sides' error present nor both sides' error missing
+        ## equivalent to: only one side error presents
+        only_one_side_error = errors_hash[:front]&.present? ^ errors_hash[:back]&.present?
+        if only_one_side_error
+          ## find which side is missing
+          failed_front_fingerprint = nil unless errors_hash[:front]&.present?
+          failed_back_fingerprint = nil unless errors_hash[:back]&.present?
+        end
+        document_capture_session.
+          store_failed_auth_image_fingerprint(failed_front_fingerprint, failed_back_fingerprint)
+      elsif doc_pii_response && !doc_pii_response.success?
+        document_capture_session.store_failed_auth_image_fingerprint(
+          extra_attributes[:front_image_fingerprint],
+          extra_attributes[:back_image_fingerprint],
+        )
+      end
+      # retrieve updated data from session
+      captured_result = document_capture_session&.load_result
+      {
+        front: captured_result&.failed_front_image_fingerprints || [],
+        back: captured_result&.failed_back_image_fingerprints || [],
+      }
+    end
+
+    def image_resubmission_check?
+      IdentityConfig.store.doc_auth_check_failed_image_resubmission_enabled
+    end
   end
 end

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -62,6 +62,16 @@ interface ImageAnalyticsPayload {
    * capture functionality
    */
   acuantCaptureMode?: AcuantCaptureMode;
+
+  /**
+   * Fingerprint of the image, base64 encoded SHA-256 digest
+   */
+  fingerprint: string | null;
+
+  /**
+   *
+   */
+  failedImageResubmission: boolean;
 }
 
 interface AcuantImageAnalyticsPayload extends ImageAnalyticsPayload {
@@ -75,6 +85,7 @@ interface AcuantImageAnalyticsPayload extends ImageAnalyticsPayload {
   sharpnessScoreThreshold: number;
   isAssessedAsBlurry: boolean;
   assessment: AcuantImageAssessment;
+  isAssessedAsUnsupported: boolean;
 }
 
 interface AcuantCaptureProps {
@@ -178,6 +189,31 @@ export function getNormalizedAcuantCaptureFailureMessage(
   }
 }
 
+function getFingerPrint(file: File): Promise<string | null> {
+  return new Promise((resolve) => {
+    const reader = new FileReader();
+    reader.onload = () => {
+      const dataBuffer = reader.result;
+      window.crypto.subtle
+        .digest('SHA-256', dataBuffer as ArrayBuffer)
+        .then((arrayBuffer) => {
+          const digestArray = new Uint8Array(arrayBuffer);
+          const strDigest = digestArray.reduce(
+            (data, byte) => data + String.fromCharCode(byte),
+            '',
+          );
+          const base64String = window.btoa(strDigest);
+          const urlSafeBase64String = base64String
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=+$/, '');
+          resolve(urlSafeBase64String);
+        })
+        .catch(() => null);
+    };
+    reader.readAsArrayBuffer(file);
+  });
+}
 function getImageDimensions(file: File): Promise<{ width: number | null; height: number | null }> {
   let objectURL: string;
   return file.type.indexOf('image/') === 0
@@ -196,6 +232,22 @@ function getImageDimensions(file: File): Promise<{ width: number | null; height:
     : Promise.resolve({ width: null, height: null });
 }
 
+function getImageMetadata(
+  file: File,
+): Promise<{ width: number | null; height: number | null; fingerprint: string | null }> {
+  const dimension = getImageDimensions(file);
+  const fingerprint = getFingerPrint(file);
+  return new Promise<{ width: number | null; height: number | null; fingerprint: string | null }>(
+    function (resolve) {
+      Promise.all([dimension, fingerprint])
+        .then((results) => {
+          resolve({ width: results[0].width, height: results[0].height, fingerprint: results[1] });
+        })
+        .catch(() => ({ width: null, height: null, fingerprint: null }));
+    },
+  );
+}
+
 /**
  * Pauses default focus trap behaviors for a single tick. If a focus transition occurs during this
  * tick, the focus trap's deactivation will be overridden to prevent any default focus return, in
@@ -289,6 +341,7 @@ function AcuantCapture(
     onResetFailedCaptureAttempts,
     failedSubmissionAttempts,
     forceNativeCamera,
+    failedSubmissionImageFingerprints,
   } = useContext(FailedCaptureAttemptsContext);
 
   const hasCapture = !isError && (isReady ? isCameraSupported : isMobile);
@@ -330,17 +383,19 @@ function AcuantCapture(
    */
   async function onUpload(nextValue: File | null) {
     let analyticsPayload: ImageAnalyticsPayload | undefined;
+    let hasFailed = false;
     if (nextValue) {
-      const { width, height } = await getImageDimensions(nextValue);
-
+      const { width, height, fingerprint } = await getImageMetadata(nextValue);
+      hasFailed = failedSubmissionImageFingerprints[name]?.includes(fingerprint);
       analyticsPayload = getAddAttemptAnalyticsPayload({
         width,
         height,
+        fingerprint,
         mimeType: nextValue.type,
         source: 'upload',
         size: nextValue.size,
+        failedImageResubmission: hasFailed,
       });
-
       trackEvent(`IdV: ${name} image added`, analyticsPayload);
     }
 
@@ -472,6 +527,8 @@ function AcuantCapture(
       isAssessedAsBlurry,
       assessment,
       size: getDecodedBase64ByteSize(nextCapture.image.data),
+      fingerprint: null,
+      failedImageResubmission: false,
     });
 
     trackEvent(`IdV: ${name} image added`, analyticsPayload);

app/javascript/packages/document-capture/components/document-capture.tsx

@@ -117,6 +117,7 @@ function DocumentCapture({ onStepChange = () => {} }: DocumentCaptureProps) {
                     isFailedDocType: submissionError.isFailedDocType,
                     captureHints: submissionError.hints,
                     pii: submissionError.pii,
+                    failedImageFingerprints: submissionError.failed_image_fingerprints,
                   })(ReviewIssuesStep)
                 : ReviewIssuesStep,
             title: t('errors.doc_auth.rate_limited_heading'),

app/javascript/packages/document-capture/components/document-side-acuant-capture.jsx

@@ -1,5 +1,6 @@
 import { t } from '@18f/identity-i18n';
-import { FormError } from '@18f/identity-form-steps';
+import { FormError, FormStepsContext } from '@18f/identity-form-steps';
+import { useContext } from 'react';
 import AcuantCapture from './acuant-capture';
 
 /** @typedef {import('@18f/identity-form-steps').FormStepError<*>} FormStepError */
@@ -43,7 +44,7 @@ function DocumentSideAcuantCapture({
   className,
 }) {
   const error = errors.find(({ field }) => field === side)?.error;
-
+  const { changeStepCanComplete } = useContext(FormStepsContext);
   return (
     <AcuantCapture
       ref={registerField(side, { isRequired: true })}
@@ -54,12 +55,18 @@ function DocumentSideAcuantCapture({
       /* i18n-tasks-use t('doc_auth.headings.front') */
       bannerText={t(`doc_auth.headings.${side}`)}
       value={value}
-      onChange={(nextValue, metadata) =>
+      onChange={(nextValue, metadata) => {
         onChange({
           [side]: nextValue,
           [`${side}_image_metadata`]: JSON.stringify(metadata),
-        })
-      }
+        });
+        if (metadata?.failedImageResubmission) {
+          onError(new Error(t('doc_auth.errors.doc.resubmit_failed_image')), { field: side });
+          changeStepCanComplete(false);
+        } else {
+          changeStepCanComplete(true);
+        }
+      }}
       onCameraAccessDeclined={() => {
         onError(new CameraAccessDeclinedError(), { field: side });
         onError(new CameraAccessDeclinedError(undefined, { isDetail: true }));