From 63248fb46feb4ae46e4bd4fe9efbdbcd9facd097 Mon Sep 17 00:00:00 2001 From: Jonathan Hooper Date: Thu, 12 Oct 2023 12:01:42 -0400 Subject: [PATCH 1/2] LG-11189 Count successful doc auth proofing towards the rate limit Prior to this commit we reset the doc auth rate limiter on success. This was done to prevent users from being rate limited after successfully completing a step. The logic that caused that issue was addressed in #9343. This commit starts counting successful attempts towards the rate limit. This protects our vendors from abuse and makes it easier for us to make this step re-entrant to support the back button. changelog: Improvements, Rate Limiting, The idv doc auth rate limiter was modified to rate limit on successful doc auth attempts as well as on failed doc auth proofing attempts --- app/controllers/idv/document_capture_controller.rb | 2 +- app/forms/idv/api_image_upload_form.rb | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/app/controllers/idv/document_capture_controller.rb b/app/controllers/idv/document_capture_controller.rb index 6d854de756f..fe5c62b2537 100644 --- a/app/controllers/idv/document_capture_controller.rb +++ b/app/controllers/idv/document_capture_controller.rb @@ -5,7 +5,7 @@ class DocumentCaptureController < ApplicationController include IdvStepConcern include StepIndicatorConcern - before_action :confirm_not_rate_limited + before_action :confirm_not_rate_limited, except: [:update] before_action :confirm_hybrid_handoff_complete before_action :confirm_document_capture_needed before_action :override_csp_to_allow_acuant diff --git a/app/forms/idv/api_image_upload_form.rb b/app/forms/idv/api_image_upload_form.rb index f9ba4f53c81..32aad077ce9 100644 --- a/app/forms/idv/api_image_upload_form.rb +++ b/app/forms/idv/api_image_upload_form.rb @@ -116,7 +116,6 @@ def validate_pii_from_doc(client_response) if client_response.success? && response.success? store_pii(client_response) - rate_limiter.reset! end response
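Review bot: in the `document_capture_controller.rb` hunk, `except: [:update]` removes the only visible rate-limit guard from the action that submits images, so a user who is already rate limited can still POST to `update` unless the form or the action checks the limiter itself before the vendor is called; the diff does not show such a check, so either confirm it exists in `Idv::ApiImageUploadForm` or add an explicit check at the top of `update`. The exemption also deserves a one-line comment saying why it is there (the attempt that reaches the limit must still be allowed to complete now that successes count), otherwise the next reader will be tempted to remove it.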
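Review bot: in the `api_image_upload_form.rb` hunk, dropping `rate_limiter.reset!` is the whole behaviour change, but the hunk does not show where the counter is incremented, so it is worth confirming that the increment happens on every vendor call, including the successful one that now falls through to `store_pii`, and not only in the failure branch; otherwise the changelog claim that successful attempts count toward the limit is not actually enforced. A short comment on the `if` block noting that success intentionally no longer resets the limiter would keep this from being "fixed" back later.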
From 22d34d0ca1e845c32359ff96f01e80de6aa882b6 Mon Sep 17 00:00:00 2001 From: Jonathan Hooper Date: Thu, 12 Oct 2023 15:53:14 -0400 Subject: [PATCH 2/2] a little extra testing --- spec/features/idv/doc_auth/document_capture_spec.rb | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/spec/features/idv/doc_auth/document_capture_spec.rb b/spec/features/idv/doc_auth/document_capture_spec.rb index 5bb0ca21b80..eedb3fef6bc 100644 --- a/spec/features/idv/doc_auth/document_capture_spec.rb +++ b/spec/features/idv/doc_auth/document_capture_spec.rb @@ -105,6 +105,10 @@ it 'proceeds to the next page with valid info' do attach_and_submit_images expect(page).to have_current_path(idv_ssn_url) + + visit idv_document_capture_path + + expect(page).to have_current_path(idv_session_errors_rate_limited_path) end end end
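Review bot: the new assertions in `document_capture_spec.rb` only hold if a single successful attempt is enough to reach the limit in the test environment, and the hunk neither sets nor stubs the maximum-attempts value, so the example is silently coupled to the default configuration; set the limit explicitly in the spec (or submit up to the configured maximum in a loop) so the intent is visible. Also, `visit idv_document_capture_path` exercises the `show` action, which still runs `confirm_not_rate_limited`; nothing here covers the `update` action that patch 1 exempted, so a second example that posts to `update` once rate limited would be worth adding.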