LG-11463 LG-11722 Allow browser Back button from Enter Password step

app/controllers/concerns/idv/document_capture_concern.rb

@@ -43,7 +43,6 @@ def extract_pii_from_doc(user, response, store_in_session: false)
         if store_in_session
           idv_session.pii_from_doc ||= {}
           idv_session.pii_from_doc.merge!(pii_from_doc)
-          idv_session.clear_applicant!
         end
       end
 

app/controllers/concerns/idv/verify_info_concern.rb

@@ -21,8 +21,6 @@ def shared_update
       document_capture_session.requested_at = Time.zone.now
 
       idv_session.verify_info_step_document_capture_session_uuid = document_capture_session.uuid
-      idv_session.vendor_phone_confirmation = false
-      idv_session.user_phone_confirmation = false
 
       # proof_resolution job expects these values
       pii[:uuid_prefix] = ServiceProvider.find_by(issuer: sp_session[:issuer])&.app_id
@@ -164,15 +162,13 @@ def process_async_state(current_async_state)
       return if confirm_not_rate_limited_after_doc_auth
 
       if current_async_state.none?
-        idv_session.invalidate_verify_info_step!
         render :show
       elsif current_async_state.missing?
         analytics.idv_proofing_resolution_result_missing
         flash.now[:error] = I18n.t('idv.failure.timeout')
         render :show
 
         delete_async
-        idv_session.invalidate_verify_info_step!
 
         log_idv_verification_submitted_event(
           success: false,
@@ -217,12 +213,9 @@ def async_state_done(current_async_state)
         save_threatmetrix_status(form_response)
         move_applicant_to_idv_session
         idv_session.mark_verify_info_step_complete!
-        idv_session.invalidate_steps_after_verify_info!
 
         flash[:success] = t('doc_auth.forms.doc_success')
         redirect_to next_step_url
-      else
-        idv_session.invalidate_verify_info_step!
       end
       analytics.idv_doc_auth_verify_proofing_results(**analytics_arguments, **form_response.to_h)
     end

app/controllers/concerns/idv_step_concern.rb

@@ -54,7 +54,7 @@ def redirect_for_mail_only
   end
 
   def pii_from_user
-    flow_session['pii_from_user']
+    user_session.dig('idv/in_person', 'pii_from_user')
   end
 
   def flow_path
@@ -78,27 +78,6 @@ def confirm_hybrid_handoff_needed
 
   private
 
-  def confirm_verify_info_step_complete
-    return if idv_session.verify_info_step_complete?
-
-    if current_user.has_in_person_enrollment?
-      redirect_to idv_in_person_verify_info_url
-    else
-      redirect_to idv_verify_info_url
-    end
-  end
-
-  def confirm_verify_info_step_needed
-    return unless idv_session.verify_info_step_complete?
-    redirect_to idv_enter_password_url
-  end
-
-  def confirm_address_step_complete
-    return if idv_session.phone_or_address_step_complete?
-
-    redirect_to idv_otp_verification_url
-  end
-
   def extra_analytics_properties
     extra = {
       pii_like_keypaths: [
@@ -136,7 +115,6 @@ def confirm_step_allowed
 
   def url_for_latest_step
     step_info = flow_policy.info_for_latest_step
-
     url_for(controller: step_info.controller, action: step_info.action)
   end
 

app/controllers/idv/address_controller.rb

@@ -5,7 +5,6 @@ class AddressController < ApplicationController
 
     before_action :confirm_not_rate_limited_after_doc_auth
     before_action :confirm_step_allowed
-    before_action :confirm_verify_info_step_needed
 
     def new
       analytics.idv_address_visit
@@ -28,9 +27,10 @@ def update
     def self.step_info
       Idv::StepInfo.new(
         key: :address,
-        controller: controller_name,
+        controller: self,
+        action: :new,
         next_steps: [:verify_info],
-        preconditions: ->(idv_session:, user:) { idv_session.document_capture_complete? },
+        preconditions: ->(idv_session:, user:) { idv_session.remote_document_capture_complete? },
         undo_step: ->(idv_session:, user:) {},
       )
     end

app/controllers/idv/agreement_controller.rb

@@ -6,7 +6,6 @@ class AgreementController < ApplicationController
 
     before_action :confirm_not_rate_limited
     before_action :confirm_step_allowed
-    before_action :confirm_verify_info_step_needed
 
     def show
       analytics.idv_doc_auth_agreement_visited(**analytics_arguments)
@@ -47,7 +46,7 @@ def update
     def self.step_info
       Idv::StepInfo.new(
         key: :agreement,
-        controller: controller_name,
+        controller: self,
         next_steps: [:hybrid_handoff, :document_capture, :phone_question, :how_to_verify],
         preconditions: ->(idv_session:, user:) { idv_session.welcome_visited },
         undo_step: ->(idv_session:, user:) do

app/controllers/idv/by_mail/request_letter_controller.rb

@@ -6,8 +6,8 @@ class RequestLetterController < ApplicationController
       skip_before_action :confirm_no_pending_gpo_profile
       include Idv::StepIndicatorConcern
 
-      before_action :confirm_user_completed_idv_profile_step
       before_action :confirm_mail_not_rate_limited
+      before_action :confirm_step_allowed
       before_action :confirm_profile_not_too_old
 
       def index
@@ -23,6 +23,7 @@ def index
       end
 
       def create
+        clear_future_steps!
         update_tracking
         idv_session.address_verification_mechanism = :gpo
 
@@ -41,6 +42,19 @@ def gpo_mail_service
         @gpo_mail_service ||= Idv::GpoMail.new(current_user)
       end
 
+      def self.step_info
+        Idv::StepInfo.new(
+          key: :request_letter,
+          controller: self,
+          action: :index,
+          next_steps: [:enter_password],
+          preconditions: ->(idv_session:, user:) do
+            idv_session.verify_info_step_complete? || user.gpo_verification_pending_profile?
+          end,
+          undo_step: ->(idv_session:, user:) { idv_session.address_verification_mechanism = nil },
+        )
+      end
+
       private
 
       def confirm_profile_not_too_old
@@ -85,15 +99,6 @@ def confirm_mail_not_rate_limited
         redirect_to idv_enter_password_url if gpo_mail_service.rate_limited?
       end
 
-      def confirm_user_completed_idv_profile_step
-        # If the user has a pending profile, they may have completed idv in a
-        # different session and need a letter resent now
-        return if current_user.gpo_verification_pending_profile?
-        return if idv_session.verify_info_step_complete?
-
-        redirect_to idv_verify_info_url
-      end
-
       def resend_letter
         analytics.idv_gpo_address_letter_enqueued(
           enqueued_at: Time.zone.now,

app/controllers/idv/document_capture_controller.rb

@@ -9,7 +9,6 @@ class DocumentCaptureController < ApplicationController
 
     before_action :confirm_not_rate_limited, except: [:update]
     before_action :confirm_step_allowed
-    before_action :confirm_verify_info_step_needed
     before_action :override_csp_to_allow_acuant
 
     def show
@@ -59,8 +58,8 @@ def extra_view_variables
     def self.step_info
       Idv::StepInfo.new(
         key: :document_capture,
-        controller: controller_name,
-        next_steps: [:ssn], # :ipp_state_id
+        controller: self,
+        next_steps: [:ssn, :ipp_ssn], # :ipp_state_id
         preconditions: ->(idv_session:, user:) { idv_session.flow_path == 'standard' },
         undo_step: ->(idv_session:, user:) do
           idv_session.pii_from_doc = nil

app/controllers/idv/enter_password_controller.rb

@@ -4,8 +4,7 @@ class EnterPasswordController < ApplicationController
     include IdvStepConcern
     include StepIndicatorConcern
 
-    before_action :confirm_verify_info_step_complete
-    before_action :confirm_address_step_complete
+    before_action :confirm_step_allowed
     before_action :confirm_no_profile_yet
     before_action :confirm_current_password, only: [:create]
 
@@ -29,6 +28,7 @@ def new
     end
 
     def create
+      clear_future_steps!
       irs_attempts_api_tracker.idv_password_entered(success: true)
 
       init_profile
@@ -72,6 +72,19 @@ def step_indicator_step
       :get_a_letter
     end
 
+    def self.step_info
+      Idv::StepInfo.new(
+        key: :enter_password,
+        controller: self,
+        action: :new,
+        next_steps: [FlowPolicy::FINAL],
+        preconditions: ->(idv_session:, user:) do
+          idv_session.phone_or_address_step_complete?
+        end,
+        undo_step: ->(idv_session:, user:) {},
+      )
+    end
+
     private
 
     def title

app/controllers/idv/how_to_verify_controller.rb

@@ -5,7 +5,6 @@ class HowToVerifyController < ApplicationController
     include RenderConditionConcern
 
     before_action :confirm_step_allowed
-    before_action :confirm_verify_info_step_needed
 
     check_or_render_not_found -> { self.class.enabled? }
 
@@ -47,7 +46,7 @@ def update
     def self.step_info
       Idv::StepInfo.new(
         key: :how_to_verify,
-        controller: controller_name,
+        controller: self,
         next_steps: [:hybrid_handoff, :document_capture],
         preconditions: ->(idv_session:, user:) do
           self.enabled? && idv_session.idv_consent_given

app/controllers/idv/hybrid_handoff_controller.rb

@@ -7,7 +7,6 @@ class HybridHandoffController < ApplicationController
     include PhoneQuestionAbTestConcern
 
     before_action :confirm_not_rate_limited
-    before_action :confirm_verify_info_step_needed
     before_action :confirm_step_allowed
     before_action :confirm_hybrid_handoff_needed, only: :show
     before_action :maybe_redirect_for_phone_question_ab_test, only: :show
@@ -40,7 +39,7 @@ def update
     def self.step_info
       Idv::StepInfo.new(
         key: :hybrid_handoff,
-        controller: controller_name,
+        controller: self,
         next_steps: [:link_sent, :document_capture],
         preconditions: ->(idv_session:, user:) { idv_session.idv_consent_given },
         undo_step: ->(idv_session:, user:) do

app/controllers/idv/in_person/ssn_controller.rb

@@ -8,7 +8,6 @@ class SsnController < ApplicationController
       include ThreatMetrixConcern
 
       before_action :confirm_not_rate_limited_after_doc_auth
-      before_action :confirm_verify_info_step_needed
       before_action :confirm_in_person_address_step_complete
       before_action :confirm_repeat_ssn, only: :show
       before_action :override_csp_for_threat_metrix
@@ -36,6 +35,7 @@ def show
       end
 
       def update
+        clear_future_steps!
         ssn_form = Idv::SsnFormatForm.new(idv_session.ssn)
         form_response = ssn_form.submit(params.require(:doc_auth).permit(:ssn))
         @ssn_presenter = Idv::SsnPresenter.new(
@@ -53,14 +53,26 @@ def update
 
         if form_response.success?
           idv_session.ssn = params[:doc_auth][:ssn]
-          idv_session.invalidate_steps_after_ssn!
           redirect_to next_url
         else
           flash[:error] = form_response.first_error_message
           render 'idv/shared/ssn', locals: threatmetrix_view_variables(ssn_presenter.updating_ssn?)
         end
       end
 
+      def self.step_info
+        Idv::StepInfo.new(
+          key: :ipp_ssn,
+          controller: self,
+          next_steps: [:ipp_verify_info],
+          preconditions: ->(idv_session:, user:) { idv_session.ipp_document_capture_complete? },
+          undo_step: ->(idv_session:, user:) do
+            idv_session.ssn = nil
+            idv_session.threatmetrix_session_id = nil
+          end,
+        )
+      end
+
       private
 
       def flow_session
@@ -88,7 +100,7 @@ def analytics_arguments
       end
 
       def confirm_in_person_address_step_complete
-        return if pii_from_user && pii_from_user[:address1].present?
+        return if flow_session[:pii_from_user] && flow_session[:pii_from_user][:address1].present?
         if IdentityConfig.store.in_person_residential_address_controller_enabled
           redirect_to idv_in_person_proofing_address_url
         else

app/controllers/idv/in_person/verify_info_controller.rb

@@ -9,11 +9,11 @@ class VerifyInfoController < ApplicationController
 
       before_action :confirm_not_rate_limited_after_doc_auth, except: [:show]
       before_action :confirm_ssn_step_complete
-      before_action :confirm_verify_info_step_needed
 
       def show
         @step_indicator_steps = step_indicator_steps
         @ssn = idv_session.ssn
+        @pii = pii
 
         analytics.idv_doc_auth_verify_visited(**analytics_arguments)
         Funnel::DocAuth::RegisterStep.new(current_user.id, sp_session[:issuer]).
@@ -23,13 +23,32 @@ def show
       end
 
       def update
+        clear_future_steps!
+        idv_session.invalidate_verify_info_step!
         success = shared_update
 
         if success
           redirect_to idv_in_person_verify_info_url
         end
       end
 
+      def self.step_info
+        Idv::StepInfo.new(
+          key: :ipp_verify_info,
+          controller: self,
+          next_steps: [:phone],
+          preconditions: ->(idv_session:, user:) do
+            idv_session.ssn && idv_session.ipp_document_capture_complete?
+          end,
+          undo_step: ->(idv_session:, user:) do
+            idv_session.resolution_successful = nil
+            idv_session.verify_info_step_document_capture_session_uuid = nil
+            idv_session.threatmetrix_review_status = nil
+            idv_session.applicant = nil
+          end,
+        )
+      end
+
       private
 
       def flow_param
@@ -41,19 +60,19 @@ def flow_param
       # between various ID types and driver's license is the most common one that will
       # be supported. See also LG-3852 and related findings document.
       def set_state_id_type
-        pii[:state_id_type] = 'drivers_license' unless invalid_state?
+        pii_from_user[:state_id_type] = 'drivers_license' unless invalid_state?
       end
 
       def invalid_state?
-        pii.blank?
+        pii_from_user.blank?
       end
 
       def prev_url
         idv_in_person_ssn_url
       end
 
       def pii
-        @pii = flow_session[:pii_from_user]
+        user_session.dig('idv/in_person', :pii_from_user)
       end
 
       # override IdvSession concern