LG-11873: doc auth w/ selfie in non-prod hosted envs

[amirbey]

🎫 Ticket

LG-11873

🛠 Summary of changes

• determine if doc auth with selfie is required based on the SP Session
• only allow selfie to be sent to doc auth vendor if selfie FF is enabled
• do not allow selfie to be sent to doc auth vendor if host env is production
• indicate to the FE to display selfie field if hosted env is not production, selfie FF is enabled and requested by SP

📜 Testing Plan

Provide a checklist of steps to confirm the changes.

• Enable selfie feature flag

  • Using the OIDC Sample App, attempt to login with Level of Service Biometric Comparison
  • Verify selfie field is displayed on standard document capture form and complete document capture
  • Redo document capture and verify selfie field is displayed on standard document capture form and complete document capture
  • Complete IdV

• Disable selfie feature flag

  • Using the OIDC Sample App, attempt to login with Level of Service Biometric Comparison
  • Verify selfie field is NOT displayed on standard document capture form and complete document capture
  • Redo document capture and verify selfie field is NOT displayed on standard document capture form and complete document capture
  • Complete IdV

• Enable selfie feature flag

  • Using the OIDC Sample App, attempt to login with Level of Service Identity-verified
  • Verify selfie field is NOT displayed on standard document capture form and complete document capture
  • Redo document capture and verify selfie field is NOT displayed on standard document capture form and complete document capture
  • Complete IdV

[dawei-nava]

This does not consider config following?

return false if Identity::Hostdata.env == 'prod'
return false unless IdentityConfig.store.doc_auth_selfie_capture_enabled

[dawei-nava]

Oh, i see, it's in the form. But should we make decision in one place?

[amirbey]

fair point @dawei-nava 🤔 ...

consolidated ✅ 😄

[soniaconnolly]

If we put all the checks in decorated_sp_session.selfie_required?, then we don't have to duplicate this method here.

[dawei-nava]

I think the controller already checks the hostdata env stuff in the concern? Or we wanna double check.

[amirbey]

yes, it does ... but added check on the way out to FE be extra careful

[aduth]

I feel like the double-checking of both hostdata and config implies a distrust in our configuration, where we should be confident in using it? Assuming the default is false in production.

Suggested change

	return false if Identity::Hostdata.env == 'prod'
	return false unless IdentityConfig.store.doc_auth_selfie_capture_enabled
	decorated_sp_session.selfie_required?
	IdentityConfig.store.doc_auth_selfie_capture_enabled && decorated_sp_session.selfie_required?

[amirbey]

@aduth - I understand that the FF is there and reliable. However, given the sensitivity of selfie not yet ready for our higher envs, we want it to be impossible for this to go live in production as this is an explicit requirement. No matter what config changes are made, this hardcoding guards any mistakes from a config standpoint.

[soniaconnolly]

decorated_sp_session.selfie_required? will also return false if IdentityConfig.store.doc_auth_selfie_capture_enabled is not set to true. I understand about wanting to make triple-sure this doesn't go live accidentally, and at the same time code encapsulation is also useful. Maybe we could put any extra checks in selfie_required and just use that everywhere instead of having an extra method liveness_checking_enabled?. Happy to rename the method if that would help.

[eileen-nava]

I agree with Amir. Since this is such a sensitive feature, I think it's good to have an extra safeguard in place.

[soniaconnolly]

Great spec coverage! Overall looks good, some comments on repeated code. Commenting now, will approve later after running through the test plan.

[soniaconnolly]

decorated_sp_session.selfie_required? will also return false if IdentityConfig.store.doc_auth_selfie_capture_enabled is not set to true. I understand about wanting to make triple-sure this doesn't go live accidentally, and at the same time code encapsulation is also useful. Maybe we could put any extra checks in selfie_required and just use that everywhere instead of having an extra method liveness_checking_enabled?. Happy to rename the method if that would help.

[soniaconnolly]

If we put all the checks in decorated_sp_session.selfie_required?, then we don't have to duplicate this method here.

[soniaconnolly]

Does this method add value?

[amirbey]

@soniaconnolly - 👍🏿 ... it allows us to access liveness_checking_required for selfie validator

[eileen-nava]

I think it also works if you use the attr_reader method of :liveness_checking_required in the validator.

[amirbey]

i tried again to remove it and it worked 👍🏿

[soniaconnolly]

Same question as above: does this method add value? And if they both add value, let's call them the same thing.

[amirbey]

@soniaconnolly - i see what you mean ... upon your suggestion, i attempted changing it but soon realized that it will be too similar naming (liveness_checking_required vs liveness_checking_required?) to the existing attribute name and open the opportunity to a bad typo mistake where we evaluate whether or not to put a selfie in the payload

[soniaconnolly]

Do we need to repeat this method definition in the spec?

[amirbey]

@soniaconnolly - reusing the approach that was present but introducing the guards which we also want to test ... it allows us to reduce a lot of lines of coding in this test .... do you have any simple suggestions on how to improve this?

[soniaconnolly]

Paired on this and we ended up renaming the method to include_liveness_expected to make it clear that it's not overriding the method definition in code.

[dawei-nava]

Should we check the costs function actually adds the cost?

[amirbey]

you're right @dawei-nava ... we shouldn't forget about this ... i think that's out of scope for this ticket ... created LG-11965 so we won't lose track of this ... 👍🏿

[soniaconnolly]

Ran through the test plan, LGTM!

Additionally tested logging in at Identity Verified level with a Biometric Comparison verified account, and that worked too.

Couple additional notes from testing, not in scope for this PR:

• In development, I'm still seeing the "don't have a license" questionnaire at the end of Document Capture. As far as I know I don't have any relevant config flags set in my local application.yml. Maybe application.yml.default has it on in development? (Yep, that was it, putting in a PR to turn that off.)
• Should we add something to VerifyInfo that indicates a selfie was captured?

[eileen-nava]

This method looks very similar to liveness_checking_enabled? in DocumentCaptureConcern. Why not include the DocumentCaptureConcern at the top of the file and then call liveness_checking_enabled? here?

Putting all the checks in decorated_sp_session.selfie_required? would work, too. That also wouldn't require including DocumentCaptureConcern in this file. 🤔

[eileen-nava]

I think it also works if you use the attr_reader method of :liveness_checking_required in the validator.

[eileen-nava]

👍🏻

[eileen-nava]

👍🏻

[eileen-nava]

I think this should say 'does not request FE to display selfie'

[eileen-nava]

I know this predates this PR, but since you are working in this spec, do you mind combining the before statements on lines 32-40 into one before statement?

[eileen-nava]

👍🏻

[eileen-nava]

Nit: Should the context block also say required? Do we want to be consistent in which term we use?

[eileen-nava]

Thanks for including this spec! 🙏🏻

[eileen-nava]

🤔 I wonder if it's worth updating this shared example in order to pass liveness_checking_required to it as an argument? Thinking out loud here.