18F · aduth · Nov 16, 2023 · Nov 16, 2023 · Nov 16, 2023 · Nov 16, 2023
diff --git a/app/assets/stylesheets/components/_index.scss b/app/assets/stylesheets/components/_index.scss
@@ -13,7 +13,6 @@
 @forward 'hr';
 @forward 'icon';
 @forward 'language-picker';
-@forward 'list';
 @forward 'modal';
 @forward 'nav';
 @forward 'page-heading';

diff --git a/app/assets/stylesheets/components/_list.scss b/app/assets/stylesheets/components/_list.scss
diff --git a/app/components/icon_list_component.rb b/app/components/icon_list_component.rb
@@ -19,11 +19,12 @@ def css_class
   end
 
   class IconListItemComponent < BaseComponent
-    attr_reader :icon, :color
+    attr_reader :icon, :color, :tag_options
 
-    def initialize(icon:, color:)
+    def initialize(icon:, color:, **tag_options)
       @icon = icon
       @color = color
+      @tag_options = tag_options
     end
 
     def icon_css_class

diff --git a/app/components/icon_list_item_component.html.erb b/app/components/icon_list_item_component.html.erb
@@ -1,6 +1,6 @@
-<li class="usa-icon-list__item">
+<%= content_tag(:li, **tag_options, class: [*tag_options[:class], 'usa-icon-list__item']) do %>
   <%= content_tag(:div, class: icon_css_class) do %>
     <%= render IconComponent.new(icon: icon) %>
   <% end %>
   <div class="usa-icon-list__content"><%= content %></div>
-</li>
+<% end %>
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -198,7 +198,7 @@ def fix_broken_personal_key_url
     if pii_unlocked
       cacher = Pii::Cacher.new(current_user, user_session)
       profile = current_user.active_profile
-      user_session[:personal_key] = profile.encrypt_recovery_pii(cacher.fetch)
+      user_session[:personal_key] = profile.encrypt_recovery_pii(cacher.fetch(profile.id))
       profile.save!
 
       analytics.broken_personal_key_regenerated

diff --git a/app/controllers/concerns/idv/verify_info_concern.rb b/app/controllers/concerns/idv/verify_info_concern.rb
@@ -176,7 +176,6 @@ def process_async_state(current_async_state)
 
         log_idv_verification_submitted_event(
           success: false,
-          failure_reason: { idv_verification: [:timeout] },
         )
       end
     end
@@ -192,14 +191,18 @@ def async_state_done(current_async_state)
         extra: {
           address_edited: !!idv_session.address_edited,
           address_line2_present: !pii[:address2].blank?,
-          pii_like_keypaths: [[:errors, :ssn], [:response_body, :first_name],
-                              [:same_address_as_id],
-                              [:state_id, :state_id_jurisdiction]],
+          pii_like_keypaths: [
+            [:errors, :ssn],
+            [:proofing_results, :context, :stages, :resolution, :errors, :ssn],
+            [:proofing_results, :context, :stages, :residential_address, :errors, :ssn],
+            [:proofing_results, :context, :stages, :threatmetrix, :response_body, :first_name],
+            [:same_address_as_id],
+            [:proofing_results, :context, :stages, :state_id, :state_id_jurisdiction],
+          ],
         },
       )
       log_idv_verification_submitted_event(
         success: form_response.success?,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(form_response),
       )
 
       form_response.extra[:ssn_is_unique] = DuplicateSsnFinder.new(
@@ -292,7 +295,7 @@ def idv_result_to_form_response(
       )
     end
 
-    def log_idv_verification_submitted_event(success: false, failure_reason: nil)
+    def log_idv_verification_submitted_event(success: false)
       pii_from_doc = pii || {}
       irs_attempts_api_tracker.idv_verification_submitted(
         success: success,
@@ -305,7 +308,6 @@ def log_idv_verification_submitted_event(success: false, failure_reason: nil)
         date_of_birth: pii_from_doc[:dob],
         address: pii_from_doc[:address1],
         ssn: idv_session.ssn,
-        failure_reason: failure_reason,
       )
     end
 

diff --git a/app/controllers/concerns/idv_step_concern.rb b/app/controllers/concerns/idv_step_concern.rb
@@ -110,7 +110,10 @@ def confirm_address_step_complete
 
   def extra_analytics_properties
     extra = {
-      pii_like_keypaths: [[:same_address_as_id], [:state_id, :state_id_jurisdiction]],
+      pii_like_keypaths: [
+        [:same_address_as_id],
+        [:proofing_results, :context, :stages, :state_id, :state_id_jurisdiction],
+      ],
     }
 
     unless flow_session.dig(:pii_from_user, :same_address_as_id).nil?

diff --git a/app/controllers/concerns/unconfirmed_user_concern.rb b/app/controllers/concerns/unconfirmed_user_concern.rb
@@ -28,7 +28,6 @@ def track_user_already_confirmed_event
     irs_attempts_api_tracker.user_registration_email_confirmation(
       email: @email_address.email,
       success: false,
-      failure_reason: { email: [:already_confirmed] },
     )
   end
 
@@ -39,7 +38,6 @@ def stop_if_invalid_token
     irs_attempts_api_tracker.user_registration_email_confirmation(
       email: @email_address&.email,
       success: false,
-      failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
     )
     process_unsuccessful_confirmation
   end

diff --git a/app/controllers/idv/by_mail/enter_code_controller.rb b/app/controllers/idv/by_mail/enter_code_controller.rb
@@ -58,7 +58,6 @@ def create
         analytics.idv_verify_by_mail_enter_code_submitted(**result.to_h)
         irs_attempts_api_tracker.idv_gpo_verification_submitted(
           success: result.success?,
-          failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
         )
 
         if !result.success?

diff --git a/app/controllers/idv/hybrid_handoff_controller.rb b/app/controllers/idv/hybrid_handoff_controller.rb
@@ -54,18 +54,15 @@ def handle_phone_submission
       telephony_result = send_link
       telephony_form_response = build_telephony_form_response(telephony_result)
 
-      failure_reason = nil
       if !telephony_result.success?
-        failure_reason = { telephony: [telephony_result.error.class.name.demodulize] }
         failure(telephony_form_response.errors[:message])
       end
       irs_attempts_api_tracker.idv_phone_upload_link_sent(
         success: telephony_result.success?,
         phone_number: formatted_destination_phone,
-        failure_reason: failure_reason,
       )
 
-      if !failure_reason
+      if telephony_result.success?
         redirect_to idv_link_sent_url
       else
         redirect_to idv_hybrid_handoff_url

diff --git a/app/controllers/idv/otp_verification_controller.rb b/app/controllers/idv/otp_verification_controller.rb
@@ -20,14 +20,9 @@ def update
       result = phone_confirmation_otp_verification_form.submit(code: params[:code])
       analytics.idv_phone_confirmation_otp_submitted(**result.to_h)
 
-      parsed_failure_reason =
-        (result.extra.slice(:code_expired) if result.extra[:code_expired]) ||
-        (result.extra.slice(:code_matches) if !result.success? && !result.extra[:code_matches]) ||
-        {}
       irs_attempts_api_tracker.idv_phone_otp_submitted(
         success: result.success?,
         phone_number: idv_session.user_phone_confirmation_session.phone,
-        failure_reason: parsed_failure_reason,
       )
 
       if result.success?

diff --git a/app/controllers/idv/phone_controller.rb b/app/controllers/idv/phone_controller.rb
@@ -48,7 +48,6 @@ def create
       irs_attempts_api_tracker.idv_phone_submitted(
         success: result.success?,
         phone_number: step_params[:phone],
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
       if result.success?
         submit_proofing_attempt
@@ -96,7 +95,6 @@ def send_phone_confirmation_otp_and_handle_result
         phone_number: @idv_phone,
         success: result.success?,
         otp_delivery_method: idv_session.previous_phone_step_params[:otp_delivery_preference],
-        failure_reason: result.success? ? {} : otp_sent_tracker_error(result),
       )
       if result.success?
         redirect_to idv_otp_verification_url

diff --git a/app/controllers/sign_up/email_confirmations_controller.rb b/app/controllers/sign_up/email_confirmations_controller.rb
@@ -26,7 +26,6 @@ def process_successful_confirmation
       irs_attempts_api_tracker.user_registration_email_confirmation(
         email: @email_address&.email,
         success: true,
-        failure_reason: nil,
       )
       redirect_to sign_up_enter_password_url(confirmation_token: @confirmation_token)
     end

diff --git a/app/controllers/sign_up/passwords_controller.rb b/app/controllers/sign_up/passwords_controller.rb
@@ -39,12 +39,9 @@ def render_page
     end
 
     def track_analytics(result)
-      failure_reason = irs_attempts_api_tracker.parse_failure_reason(result)
-
       analytics.password_creation(**result.to_h)
       irs_attempts_api_tracker.user_registration_password_submitted(
         success: result.success?,
-        failure_reason: failure_reason,
       )
     end
 

diff --git a/app/controllers/sign_up/registrations_controller.rb b/app/controllers/sign_up/registrations_controller.rb
@@ -30,7 +30,6 @@ def create
       irs_attempts_api_tracker.user_registration_email_submitted(
         email: permitted_params[:email],
         success: result.success?,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
 
       if result.success?

diff --git a/app/controllers/two_factor_authentication/personal_key_verification_controller.rb b/app/controllers/two_factor_authentication/personal_key_verification_controller.rb
@@ -45,7 +45,7 @@ def handle_result(result)
       if result.success?
         _event, disavowal_token = create_user_event_with_disavowal(:personal_key_used)
         alert_user_about_personal_key_sign_in(disavowal_token)
-        generate_new_personal_key_for_verified_users_otherwise_retire_the_key_and_ensure_two_mfa
+        remove_personal_key
         handle_valid_otp
       else
         handle_invalid_otp(context: context, type: 'personal_key')
@@ -57,45 +57,17 @@ def alert_user_about_personal_key_sign_in(disavowal_token)
       analytics.personal_key_alert_about_sign_in(**response.to_h)
     end
 
-    def generate_new_personal_key_for_verified_users_otherwise_retire_the_key_and_ensure_two_mfa
-      if password_reset_profile.present?
-        re_encrypt_profile_recovery_pii
-      elsif current_user.identity_verified?
-        user_session[:personal_key] = PersonalKeyGenerator.new(current_user).create
-      else
-        remove_personal_key
-      end
-    end
-
     def remove_personal_key
       # for now we will regenerate a key and not show it to them so retire personal key page shows
       current_user.personal_key = PersonalKeyGenerator.new(current_user).create
       current_user.save!
       user_session.delete(:personal_key)
     end
 
-    def re_encrypt_profile_recovery_pii
-      analytics.personal_key_reactivation_sign_in
-      Pii::ReEncryptor.new(pii: pii, profile: password_reset_profile).perform
-      user_session[:personal_key] = password_reset_profile.personal_key
-    end
-
-    def password_reset_profile
-      @password_reset_profile ||= current_user.password_reset_profile
-    end
-
-    def pii
-      @pii ||= password_reset_profile.recover_pii(normalized_personal_key)
-    end
-
     def personal_key_param
       params[:personal_key_form][:personal_key]
     end
 
-    def normalized_personal_key
-      @personal_key_form.personal_key
-    end
-
     def handle_valid_otp
       handle_valid_verification_for_authentication_context(
         auth_method: TwoFactorAuthenticatable::AuthMethod::PERSONAL_KEY,

diff --git a/app/controllers/two_factor_authentication/piv_cac_verification_controller.rb b/app/controllers/two_factor_authentication/piv_cac_verification_controller.rb
@@ -33,7 +33,6 @@ def process_token
       irs_attempts_api_tracker.mfa_login_piv_cac(
         success: result.success?,
         subject_dn: piv_cac_verification_form.x509_dn,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
       if result.success?
         handle_valid_piv_cac

diff --git a/app/controllers/two_factor_authentication/webauthn_verification_controller.rb b/app/controllers/two_factor_authentication/webauthn_verification_controller.rb
@@ -36,7 +36,7 @@ def handle_webauthn_result(result)
       if result.success?
         handle_valid_webauthn
       else
-        handle_invalid_webauthn
+        handle_invalid_webauthn(result)
       end
     end
 
@@ -54,24 +54,12 @@ def handle_valid_webauthn
       redirect_to after_sign_in_path_for(current_user)
     end
 
-    def handle_invalid_webauthn
+    def handle_invalid_webauthn(result)
+      flash[:error] = result.first_error_message
+
       if platform_authenticator?
-        flash[:error] = t(
-          'two_factor_authentication.webauthn_error.try_again',
-          link: view_context.link_to(
-            t('two_factor_authentication.webauthn_error.additional_methods_link'),
-            login_two_factor_options_path,
-          ),
-        )
         redirect_to login_two_factor_webauthn_url(platform: 'true')
       else
-        flash[:error] = t(
-          'two_factor_authentication.webauthn_error.connect_html',
-          link_html: view_context.link_to(
-            t('two_factor_authentication.webauthn_error.additional_methods_link'),
-            login_two_factor_options_path,
-          ),
-        )
         redirect_to login_two_factor_webauthn_url
       end
     end
@@ -124,6 +112,8 @@ def analytics_properties
     def form
       @form ||= WebauthnVerificationForm.new(
         user: current_user,
+        platform_authenticator: platform_authenticator?,
+        url_options:,
         challenge: user_session[:webauthn_challenge],
         protocol: request.protocol,
         authenticator_data: params[:authenticator_data],

diff --git a/app/controllers/users/passwords_controller.rb b/app/controllers/users/passwords_controller.rb
@@ -22,7 +22,6 @@ def update
       analytics.password_changed(**result.to_h)
       irs_attempts_api_tracker.logged_in_password_change(
         success: result.success?,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
 
       if result.success?

diff --git a/app/controllers/users/piv_cac_authentication_setup_controller.rb b/app/controllers/users/piv_cac_authentication_setup_controller.rb
@@ -88,7 +88,6 @@ def process_piv_cac_setup
       irs_attempts_api_tracker.mfa_enroll_piv_cac(
         success: result.success?,
         subject_dn: user_piv_cac_form.x509_dn,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
       if result.success?
         process_valid_submission

diff --git a/app/controllers/users/piv_cac_setup_from_sign_in_controller.rb b/app/controllers/users/piv_cac_setup_from_sign_in_controller.rb
@@ -43,7 +43,6 @@ def process_piv_cac_setup
       irs_attempts_api_tracker.mfa_enroll_piv_cac(
         success: result.success?,
         subject_dn: user_piv_cac_form.x509_dn,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
       if result.success?
         process_valid_submission

diff --git a/app/controllers/users/reset_passwords_controller.rb b/app/controllers/users/reset_passwords_controller.rb
@@ -31,7 +31,6 @@ def edit
         analytics.password_reset_token(**result.to_h)
         irs_attempts_api_tracker.forgot_password_email_confirmed(
           success: result.success?,
-          failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
         )
         if result.success?
           @reset_password_form = ResetPasswordForm.new(build_user)
@@ -52,7 +51,6 @@ def update
       analytics.password_reset_password(**result.to_h)
       irs_attempts_api_tracker.forgot_password_new_password_submitted(
         success: result.success?,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
 
       if result.success?
@@ -117,7 +115,6 @@ def create_account_if_email_not_found
       irs_attempts_api_tracker.user_registration_email_submitted(
         email: email,
         success: result.success?,
-        failure_reason: irs_attempts_api_tracker.parse_failure_reason(result),
       )
       create_user_event(:account_created, user)
     end

diff --git a/app/controllers/users/two_factor_authentication_controller.rb b/app/controllers/users/two_factor_authentication_controller.rb
@@ -232,15 +232,13 @@ def track_events(otp_delivery_preference:, otp_delivery_selection_result:)
           reauthentication: true,
           phone_number: parsed_phone.e164,
           otp_delivery_method: otp_delivery_preference,
-          failure_reason: irs_attempts_api_tracker.parse_failure_reason(@telephony_result),
         )
       elsif UserSessionContext.authentication_or_reauthentication_context?(context)
         irs_attempts_api_tracker.mfa_login_phone_otp_sent(
           success: @telephony_result.success?,
           reauthentication: false,
           phone_number: parsed_phone.e164,
           otp_delivery_method: otp_delivery_preference,
-          failure_reason: irs_attempts_api_tracker.parse_failure_reason(@telephony_result),
         )
       elsif UserSessionContext.confirmation_context?(context)
         irs_attempts_api_tracker.mfa_enroll_phone_otp_sent(