Deploy RC 328 to Prod

.gitignore

@@ -24,6 +24,7 @@
 .ruby-version
 .vagrant
 .capistrano
+.tool-versions
 
 # avoid checking in stray files
 *.bak

Gemfile

@@ -73,7 +73,6 @@ gem 'stringex', require: false
 gem 'strong_migrations', '>= 0.4.2'
 gem 'subprocess', require: false
 gem 'terminal-table', require: false
-gem 'uglifier', '~> 4.2'
 gem 'valid_email', '>= 0.1.3'
 gem 'view_component', '~> 3.0.0'
 gem 'webauthn', '~> 2.5.2'

Gemfile.lock

@@ -286,7 +286,6 @@ GEM
     erubi (1.12.0)
     et-orbi (1.2.7)
       tzinfo
-    execjs (2.8.1)
     factory_bot (6.2.1)
       activesupport (>= 5.0.0)
     factory_bot_rails (6.2.0)
@@ -650,8 +649,6 @@ GEM
       openssl-signature_algorithm (~> 1.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
-    uglifier (4.2.0)
-      execjs (>= 0.3.0, < 3)
     unf (0.1.4)
       unf_ext
     unf_ext (0.0.8)
@@ -818,7 +815,6 @@ DEPENDENCIES
   subprocess
   tableparser
   terminal-table
-  uglifier (~> 4.2)
   valid_email (>= 0.1.3)
   view_component (~> 3.0.0)
   webauthn (~> 2.5.2)

app/assets/stylesheets/components/_btn.scss

@@ -11,7 +11,6 @@
   // Temporary: To be backported to design system. Unstyled buttons should inherit the appearance
   // of a link.
   display: inline;
-  width: auto;
 }
 
 .usa-button:disabled.usa-button--active,

app/assets/stylesheets/components/_list.scss

@@ -6,7 +6,6 @@
       background-image: url('/alert/success.svg');
       background-repeat: no-repeat;
       content: '';
-      display: inline-block;
       float: left;
       height: 1rem;
       margin-top: 0.33rem;

app/controllers/concerns/idv/ab_test_analytics_concern.rb

@@ -8,6 +8,7 @@ def ab_test_analytics_buckets
       buckets = {}
       if defined?(idv_session)
         buckets[:skip_hybrid_handoff] = idv_session&.skip_hybrid_handoff
+        buckets[:phone_with_camera] = idv_session&.phone_with_camera
       end
 
       buckets.merge(acuant_sdk_ab_test_analytics_args).

app/controllers/concerns/idv/phone_question_ab_test_concern.rb

@@ -14,10 +14,9 @@ def phone_question_user
 
     def maybe_redirect_for_phone_question_ab_test
       return if phone_question_ab_test_bucket != :show_phone_question
-      return if request.referer == idv_phone_question_url
-      return if request.referer == idv_link_sent_url
-      return if request.referer == idv_hybrid_handoff_url
-      return if request.referer == idv_hybrid_handoff_url(redo: true)
+
+      return if !defined?(idv_session)
+      return if !idv_session.phone_with_camera.nil?
 
       redirect_to idv_phone_question_url
     end

app/controllers/concerns/idv_step_concern.rb

@@ -119,4 +119,19 @@ def extra_analytics_properties
     end
     extra
   end
+
+  def flow_policy
+    @flow_policy ||= Idv::FlowPolicy.new(idv_session: idv_session, user: current_user)
+  end
+
+  def confirm_step_allowed
+    return if flow_policy.controller_allowed?(controller: self.class)
+
+    redirect_to url_for_latest_step
+  end
+
+  def url_for_latest_step
+    step_info = flow_policy.info_for_latest_step
+    url_for(controller: step_info.controller, action: step_info.action)
+  end
 end

app/controllers/concerns/rate_limit_concern.rb

@@ -27,7 +27,7 @@ def confirm_not_rate_limited_for_phone_address_verification
   private
 
   def confirm_not_rate_limited_for_phone_and_letter_address_verification
-    if idv_attempter_rate_limited?(:proof_address) && Idv::GpoMail.new(current_user).mail_spammed?
+    if idv_attempter_rate_limited?(:proof_address) && Idv::GpoMail.new(current_user).rate_limited?
       rate_limit_redirect!(:proof_address)
       return true
     end

app/controllers/idv/agreement_controller.rb

@@ -4,7 +4,7 @@ class AgreementController < ApplicationController
     include StepIndicatorConcern
 
     before_action :confirm_not_rate_limited
-    before_action :confirm_welcome_step_complete
+    before_action :confirm_step_allowed
     before_action :confirm_document_capture_not_complete
 
     def show
@@ -38,6 +38,15 @@ def update
       end
     end
 
+    def self.step_info
+      Idv::StepInfo.new(
+        key: :agreement,
+        controller: controller_name,
+        next_steps: [:hybrid_handoff, :document_capture, :phone_question],
+        preconditions: ->(idv_session:, user:) { idv_session.welcome_visited },
+      )
+    end
+
     private
 
     def analytics_arguments
@@ -60,17 +69,5 @@ def skip_to_capture
     def consent_form_params
       params.require(:doc_auth).permit(:idv_consent_given)
     end
-
-    def confirm_welcome_step_complete
-      return if idv_session.welcome_visited
-
-      redirect_to idv_welcome_url
-    end
-
-    def confirm_agreement_needed
-      return unless idv_session.idv_consent_given
-
-      redirect_to idv_hybrid_handoff_url
-    end
   end
 end

app/controllers/idv/by_mail/enter_code_controller.rb

@@ -30,7 +30,7 @@ def index
         gpo_mail = Idv::GpoMail.new(current_user)
         @can_request_another_letter =
           FeatureManagement.gpo_verification_enabled? &&
-          !gpo_mail.mail_spammed? &&
+          !gpo_mail.rate_limited? &&
           !gpo_mail.profile_too_old?
 
         if pii_locked?

app/controllers/idv/by_mail/request_letter_controller.rb

@@ -8,7 +8,7 @@ class RequestLetterController < ApplicationController
       before_action :confirm_two_factor_authenticated
       before_action :confirm_idv_needed
       before_action :confirm_user_completed_idv_profile_step
-      before_action :confirm_mail_not_spammed
+      before_action :confirm_mail_not_rate_limited
       before_action :confirm_profile_not_too_old
 
       def index
@@ -82,8 +82,8 @@ def first_letter_requested_at
         current_user.gpo_verification_pending_profile&.gpo_verification_pending_at
       end
 
-      def confirm_mail_not_spammed
-        redirect_to idv_enter_password_url if gpo_mail_service.mail_spammed?
+      def confirm_mail_not_rate_limited
+        redirect_to idv_enter_password_url if gpo_mail_service.rate_limited?
       end
 
       def confirm_user_completed_idv_profile_step

app/controllers/idv/document_capture_controller.rb

@@ -7,6 +7,7 @@ class DocumentCaptureController < ApplicationController
     include PhoneQuestionAbTestConcern
 
     before_action :confirm_not_rate_limited, except: [:update]
+    before_action :confirm_step_allowed
     before_action :confirm_hybrid_handoff_complete
     before_action :confirm_document_capture_needed
     before_action :override_csp_to_allow_acuant
@@ -52,6 +53,15 @@ def extra_view_variables
       )
     end
 
+    def self.step_info
+      Idv::StepInfo.new(
+        key: :document_capture,
+        controller: controller_name,
+        next_steps: [:success], # [:ssn],
+        preconditions: ->(idv_session:, user:) { idv_session.flow_path == 'standard' },
+      )
+    end
+
     private
 
     def confirm_hybrid_handoff_complete

app/controllers/idv/hybrid_handoff_controller.rb

@@ -7,7 +7,7 @@ class HybridHandoffController < ApplicationController
 
     before_action :confirm_not_rate_limited
     before_action :confirm_verify_info_step_needed
-    before_action :confirm_agreement_step_complete
+    before_action :confirm_step_allowed
     before_action :confirm_hybrid_handoff_needed, only: :show
     before_action :maybe_redirect_for_phone_question_ab_test, only: :show
 
@@ -35,6 +35,15 @@ def update
       end
     end
 
+    def self.step_info
+      Idv::StepInfo.new(
+        key: :hybrid_handoff,
+        controller: controller_name,
+        next_steps: [:link_sent, :document_capture],
+        preconditions: ->(idv_session:, user:) { idv_session.idv_consent_given },
+      )
+    end
+
     def handle_phone_submission
       return rate_limited_failure if rate_limiter.limited?
       rate_limiter.increment!
@@ -190,12 +199,6 @@ def failure(message, extra = nil)
       FormResponse.new(**form_response_params)
     end
 
-    def confirm_agreement_step_complete
-      return if idv_session.idv_consent_given
-
-      redirect_to idv_agreement_url
-    end
-
     def formatted_destination_phone
       raw_phone = params.require(:doc_auth).permit(:phone)
       PhoneFormatter.format(raw_phone, country_code: 'US')

app/controllers/idv/hybrid_mobile/document_capture_controller.rb

@@ -55,7 +55,10 @@ def analytics_arguments
           step: 'document_capture',
           analytics_id: 'Doc Auth',
           irs_reproofing: irs_reproofing?,
-        }.merge(ab_test_analytics_buckets)
+        }.merge(
+          ab_test_analytics_buckets,
+          phone_with_camera,
+        )
       end
 
       def handle_stored_result
@@ -82,6 +85,10 @@ def redo_document_capture_pending?
 
         document_capture_session.requested_at > stored_result.captured_at
       end
+
+      def phone_with_camera
+        { phone_with_camera: phone_question_ab_test_bucket == :show_phone_question ? true : nil }
+      end
     end
   end
 end

app/controllers/idv/in_person/address_controller.rb

@@ -0,0 +1,80 @@
+module Idv
+  module InPerson
+    class AddressController < ApplicationController
+      include IdvStepConcern
+
+      before_action :render_404_if_in_person_residential_address_controller_enabled_not_set
+      before_action :confirm_in_person_state_id_step_complete
+      before_action :confirm_in_person_address_step_needed
+
+      def show
+        analytics.idv_in_person_proofing_address_visited(**analytics_arguments)
+
+        render :show, locals: extra_view_variables
+      end
+
+      def extra_view_variables
+        {
+          form:,
+          pii:,
+          updating_address: updating_address?,
+        }
+      end
+
+      private
+
+      def flow_session
+        user_session.fetch('idv/in_person', {})
+      end
+
+      def updating_address?
+        flow_session[:pii_from_user].has_key?(:address1) && user_session[:idv].has_key?(:ssn)
+      end
+
+      def pii
+        data = flow_session[:pii_from_user]
+        data = data.merge(flow_params) if params.has_key?(:in_person_address)
+        data.deep_symbolize_keys
+      end
+
+      def form
+        @form ||= Idv::InPerson::AddressForm.new
+      end
+
+      def flow_params
+        params.require(:in_person_address).permit(
+          *Idv::InPerson::AddressForm::ATTRIBUTES,
+        )
+      end
+
+      def form_submit
+        form.submit(flow_params)
+      end
+
+      def analytics_arguments
+        {
+          flow_path: flow_path,
+          step: 'address',
+          analytics_id: 'In Person Proofing',
+          irs_reproofing: irs_reproofing?,
+        }
+      end
+
+      def render_404_if_in_person_residential_address_controller_enabled_not_set
+        render_not_found unless
+            IdentityConfig.store.in_person_residential_address_controller_enabled
+      end
+
+      def confirm_in_person_state_id_step_complete
+        return if pii_from_user&.has_key?(:identity_doc_address1)
+        redirect_to idv_in_person_step_url(step: :state_id)
+      end
+
+      def confirm_in_person_address_step_needed
+        return if pii_from_user && pii_from_user[:same_address_as_id] == 'false' &&
+                  !pii_from_user.has_key?(:address1)
+        redirect_to idv_in_person_ssn_url
+      end
+    end
+  end
+end

app/controllers/idv/in_person/ssn_controller.rb

@@ -89,7 +89,11 @@ def updating_ssn?
 
       def confirm_in_person_address_step_complete
         return if pii_from_user && pii_from_user[:address1].present?
-        redirect_to idv_in_person_step_url(step: :address)
+        if IdentityConfig.store.in_person_residential_address_controller_enabled
+          redirect_to idv_in_person_proofing_address_url
+        else
+          redirect_to idv_in_person_step_url(step: :address)
+        end
       end
     end
   end

app/controllers/idv/link_sent_controller.rb

@@ -6,6 +6,7 @@ class LinkSentController < ApplicationController
     include PhoneQuestionAbTestConcern
 
     before_action :confirm_not_rate_limited
+    before_action :confirm_step_allowed
     before_action :confirm_hybrid_handoff_complete
     before_action :confirm_document_capture_needed
 
@@ -38,6 +39,15 @@ def extra_view_variables
       )
     end
 
+    def self.step_info
+      Idv::StepInfo.new(
+        key: :link_sent,
+        controller: controller_name,
+        next_steps: [:success], # [:ssn],
+        preconditions: ->(idv_session:, user:) { idv_session.flow_path == 'hybrid' },
+      )
+    end
+
     private
 
     def confirm_hybrid_handoff_complete

app/controllers/idv/phone_controller.rb

@@ -217,7 +217,7 @@ def formatted_previous_phone_step_params_phone
     def gpo_letter_available
       return @gpo_letter_available if defined?(@gpo_letter_available)
       @gpo_letter_available ||= FeatureManagement.gpo_verification_enabled? &&
-                                !Idv::GpoMail.new(current_user).mail_spammed?
+                                !Idv::GpoMail.new(current_user).rate_limited?
     end
 
     # Migrated from otp_delivery_method_controller