Deploy RC 322 to Prod

.gitlab-ci.yml

@@ -243,6 +243,7 @@ js_build:
     - *bundle_install
     - *yarn_production_install
     - bundle exec rake assets:precompile
+    - make lint_asset_bundle_size
 
 js_tests:
   stage: test

.rubocop.yml

@@ -5,6 +5,7 @@
 # https://github.com/bbatsov/rubocop/blob/master/config/disabled.yml
 require:
   - rubocop-rails
+  - rubocop-rspec
   - rubocop-performance
   - ./lib/linters/analytics_event_name_linter.rb
   - ./lib/linters/localized_validation_message_linter.rb
@@ -997,6 +998,9 @@ Rails/WhereNot:
 Rails/WhereNotWithMultipleConditions:
   Enabled: true
 
+RSpec/LeakyConstantDeclaration:
+  Enabled: true
+
 Security/Eval:
   Enabled: true
 

Gemfile

@@ -87,7 +87,6 @@ gem 'zxcvbn', '0.1.9'
 group :development do
   gem 'better_errors', '>= 2.5.1'
   gem 'derailed_benchmarks'
-  gem 'guard-rspec', require: false
   gem 'irb'
   gem 'letter_opener', '~> 1.8'
   gem 'rack-mini-profiler', '>= 1.1.3', require: false
@@ -107,10 +106,12 @@ group :development, :test do
   gem 'pry-doc'
   gem 'pry-rails'
   gem 'psych'
+  gem 'rspec', '~> 3.12.0'
   gem 'rspec-rails', '~> 6.0'
   gem 'rubocop', '~> 1.55.1', require: false
   gem 'rubocop-performance', '~> 1.18.0', require: false
   gem 'rubocop-rails', '>= 2.5.2', require: false
+  gem 'rubocop-rspec', require: false
 end
 
 group :test do

Gemfile.lock

@@ -299,7 +299,6 @@ GEM
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    formatador (0.2.5)
     foundation_emails (2.2.1.0)
     fugit (1.8.1)
       et-orbi (~> 1, >= 1.2.7)
@@ -318,20 +317,6 @@ GEM
       thor (>= 0.14.1)
       webrick (>= 1.3)
     google-protobuf (3.24.0)
-    guard (2.16.2)
-      formatador (>= 0.2.4)
-      listen (>= 2.7, < 4.0)
-      lumberjack (>= 1.0.12, < 2.0)
-      nenv (~> 0.1)
-      notiffany (~> 0.0)
-      pry (>= 0.9.12)
-      shellany (~> 0.0)
-      thor (>= 0.18.1)
-    guard-compat (1.2.1)
-    guard-rspec (4.7.3)
-      guard (~> 2.1)
-      guard-compat (~> 1.1)
-      rspec (>= 2.99.0, < 4.0)
     hashdiff (1.0.1)
     hashie (4.1.0)
     heapy (0.2.0)
@@ -394,7 +379,6 @@ GEM
       yard (~> 0.9.25)
       zeitwerk (~> 2.5)
     lru_redux (1.1.0)
-    lumberjack (1.2.9)
     mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
@@ -411,7 +395,6 @@ GEM
     minitest (5.19.0)
     msgpack (1.7.2)
     multiset (0.5.3)
-    nenv (0.3.0)
     net-imap (0.3.7)
       date
       net-protocol
@@ -429,9 +412,6 @@ GEM
     nokogiri (1.14.5)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    notiffany (0.1.3)
-      nenv (~> 0.1)
-      shellany (~> 0.0)
     openssl (3.0.2)
     openssl-signature_algorithm (1.2.1)
       openssl (> 2.0, < 3.1)
@@ -596,13 +576,21 @@ GEM
       unicode-display_width (>= 2.4.0, < 3.0)
     rubocop-ast (1.29.0)
       parser (>= 3.2.1.0)
+    rubocop-capybara (2.19.0)
+      rubocop (~> 1.41)
+    rubocop-factory_bot (2.24.0)
+      rubocop (~> 1.33)
     rubocop-performance (1.18.0)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
     rubocop-rails (2.20.2)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.33.0, < 2.0)
+    rubocop-rspec (2.24.1)
+      rubocop (~> 1.33)
+      rubocop-capybara (~> 2.17)
+      rubocop-factory_bot (~> 2.22)
     ruby-progressbar (1.13.0)
     ruby-saml (1.13.0)
       nokogiri (>= 1.10.5)
@@ -622,7 +610,6 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
-    shellany (0.0.1)
     shoulda-matchers (4.5.1)
       activesupport (>= 4.2.0)
     simple_form (5.1.0)
@@ -748,7 +735,6 @@ DEPENDENCIES
   faraday-retry
   foundation_emails
   good_job (~> 3.0)
-  guard-rspec
   hashie (~> 4.1)
   http_accept_language
   i18n-tasks (~> 1.0)
@@ -799,12 +785,14 @@ DEPENDENCIES
   retries
   rotp (~> 6.1)
   rqrcode
+  rspec (~> 3.12.0)
   rspec-rails (~> 6.0)
   rspec-retry
   rspec_junit_formatter
   rubocop (~> 1.55.1)
   rubocop-performance (~> 1.18.0)
   rubocop-rails (>= 2.5.2)
+  rubocop-rspec
   ruby-progressbar
   ruby-saml
   safe_target_blank (>= 1.0.2)

Makefile

@@ -33,6 +33,7 @@ ARTIFACT_DESTINATION_FILE ?= ./tmp/idp.tar.gz
 	lint_tracker_events \
 	lint_yaml \
 	lint_yarn_workspaces \
+	lint_asset_bundle_size \
 	lintfix \
 	normalize_yaml \
 	optimize_assets \
@@ -113,6 +114,10 @@ lint_yaml: normalize_yaml ## Lints YAML files
 lint_yarn_workspaces: ## Lints Yarn workspace packages
 	scripts/validate-workspaces.js
 
+lint_asset_bundle_size: ## Lints JavaScript and CSS compiled bundle size
+	find app/assets/builds/application.css -size -350000c | grep .
+	find public/packs/js/application-*.digested.js -size -8000c | grep .
+
 lint_migrations:
 	scripts/migration_check
 

app/controllers/concerns/rate_limit_concern.rb

@@ -1,27 +1,36 @@
 module RateLimitConcern
   extend ActiveSupport::Concern
 
-  ALL_IDV_RATE_LIMITTERS = [:idv_resolution, :idv_doc_auth, :proof_address, :proof_ssn].freeze
+  ALL_IDV_RATE_LIMITERS = [:idv_resolution, :idv_doc_auth, :proof_ssn].freeze
 
-  def confirm_not_rate_limited(rate_limiters = ALL_IDV_RATE_LIMITTERS)
-    rate_limited = false
-    rate_limiters.each do |rate_limit_type|
-      if rate_limit_redirect!(rate_limit_type)
-        rate_limited = true
-        break
-      end
+  def confirm_not_rate_limited(rate_limiters = ALL_IDV_RATE_LIMITERS)
+    exceeded_rate_limits = check_for_exceeded_rate_limits(rate_limiters)
+    if exceeded_rate_limits.any?
+      rate_limit_redirect!(exceeded_rate_limits.first)
+      return true
     end
-    rate_limited
+    confirm_not_rate_limited_for_phone_and_letter_address_verification
   end
 
   def confirm_not_rate_limited_after_doc_auth
-    rate_limitters = [:idv_resolution, :proof_ssn, :proof_address]
-    confirm_not_rate_limited(rate_limitters)
+    rate_limiters = [:idv_resolution, :proof_ssn]
+    confirm_not_rate_limited(rate_limiters)
   end
 
-  def confirm_not_rate_limited_after_idv_resolution
-    rate_limitters = [:proof_address]
-    confirm_not_rate_limited(rate_limitters)
+  def confirm_not_rate_limited_for_phone_address_verification
+    if idv_attempter_rate_limited?(:proof_address)
+      rate_limit_redirect!(:proof_address)
+      return true
+    end
+  end
+
+  private
+
+  def confirm_not_rate_limited_for_phone_and_letter_address_verification
+    if idv_attempter_rate_limited?(:proof_address) && Idv::GpoMail.new(current_user).mail_spammed?
+      rate_limit_redirect!(:proof_address)
+      return true
+    end
   end
 
   def rate_limit_redirect!(rate_limit_type)
@@ -60,6 +69,12 @@ def rate_limited_redirect(rate_limit_type)
     end
   end
 
+  def check_for_exceeded_rate_limits(rate_limit_types)
+    rate_limit_types.select do |rate_limit_type|
+      idv_attempter_rate_limited?(rate_limit_type)
+    end
+  end
+
   def idv_attempter_rate_limited?(rate_limit_type)
     if rate_limit_type == :proof_ssn
       return unless pii_ssn

app/controllers/idv/by_mail/enter_code_controller.rb

@@ -24,12 +24,14 @@ def index
         end
 
         gpo_mail = Idv::GpoMail.new(current_user)
+        @gpo_mail_spammed = gpo_mail.mail_spammed?
+        @last_date_letter_was_sent = last_date_letter_was_sent
         @gpo_verify_form = GpoVerifyForm.new(user: current_user, pii: pii)
         @code = session[:last_gpo_confirmation_code] if FeatureManagement.reveal_gpo_code?
 
         @should_prompt_user_to_request_another_letter =
           FeatureManagement.gpo_verification_enabled? &&
-          !gpo_mail.mail_spammed? &&
+          !@gpo_mail_spammed &&
           !gpo_mail.profile_too_old?
 
         if pii_locked?
@@ -152,6 +154,11 @@ def threatmetrix_enabled?
       def pii_locked?
         !Pii::Cacher.new(current_user, user_session).exists_in_session?
       end
+
+      def last_date_letter_was_sent
+        current_user.gpo_verification_pending_profile&.gpo_confirmation_codes&.
+          pluck(:updated_at)&.max
+      end
     end
   end
 end

app/controllers/idv/phone_controller.rb

@@ -7,7 +7,7 @@ class PhoneController < ApplicationController
 
     attr_reader :idv_form
 
-    before_action :confirm_not_rate_limited_after_idv_resolution, except: [:new]
+    before_action :confirm_not_rate_limited_for_phone_address_verification, except: [:new]
     before_action :confirm_verify_info_step_complete
     before_action :confirm_step_needed
     before_action :set_idv_form
@@ -24,7 +24,7 @@ def new
 
       render 'shared/wait' and return if async_state.in_progress?
 
-      return if confirm_not_rate_limited_after_idv_resolution
+      return if confirm_not_rate_limited_for_phone_address_verification
 
       if async_state.none?
         Funnel::DocAuth::RegisterStep.new(current_user.id, current_sp&.issuer).

app/controllers/idv/phone_errors_controller.rb

@@ -6,7 +6,7 @@ class PhoneErrorsController < ApplicationController
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_phone_step_needed
-    before_action :confirm_idv_phone_step_submitted
+    before_action :confirm_idv_phone_step_submitted, except: [:failure]
     before_action :set_gpo_letter_available
     before_action :ignore_form_step_wait_requests
 
@@ -32,6 +32,8 @@ def jobfail
     end
 
     def failure
+      return redirect_to(idv_phone_url) unless rate_limiter.limited?
+
       @expires_at = rate_limiter.expires_at
       track_event(type: :failure)
     end

app/controllers/users/piv_cac_authentication_setup_controller.rb

@@ -56,7 +56,7 @@ def submit_new_piv_cac
     private
 
     def track_piv_cac_setup_visit
-      analytics.piv_cac_setup_visit(**analytics_properties)
+      analytics.piv_cac_setup_visited(**analytics_properties)
     end
 
     def remove_piv_cac

app/controllers/users/piv_cac_login_controller.rb

@@ -37,7 +37,7 @@ def error
     private
 
     def render_prompt
-      analytics.piv_cac_setup_visit(in_account_creation_flow: false)
+      analytics.piv_cac_login_visited
       @presenter = PivCacAuthenticationLoginPresenter.new(piv_cac_login_form, url_options)
       render :new
     end

app/controllers/users/piv_cac_setup_from_sign_in_controller.rb

@@ -32,7 +32,7 @@ def decline
     private
 
     def render_prompt
-      analytics.piv_cac_setup_visit(in_account_creation_flow: false)
+      analytics.piv_cac_setup_visited(in_account_creation_flow: false)
       render :prompt
     end