LG-11695 enforce selfie capture performed #9846

Merged
soniaconnolly merged 8 commits into main from sonia-lg-11695-enforce-selfie-capture-performed
Jan 4, 2024

soniaconnolly commented Jan 3, 2024

🎫 Ticket

LG-11695

🛠 Summary of changes

This is Part 1 of several PRs for this ticket, and addresses AC1: If an SP requests a selfie check and the user has not performed a selfie check, we send the user back to the start of proofing before re-directing to the SP (edge case)

  • Add :unsupervised_with_selfie value to Profile idv_level enum
  • Add User#identity_verified_with_selfie? which checks the active profile idv_level
  • In completions_controller, add before_action that checks whether the user was verified with selfie if the SP requires it and doc_auth_selfie_capture_enabled is true.
  • In OpenidConnect::AuthorizationController#index, redirect to idv_url if a selfie is required and user did not verify at that level.
  • Leaving out SamlIdpController#auth for now because it's not wired up for biometric_comparison_needed.

📜 Testing Plan

Provide a checklist of steps to confirm the changes.

  • In application.yml, set doc_auth_selfie_capture_enabled: true
  • Starting from sample SP, sign in with biometric_comparison_required
  • Complete IdV
  • Expect to be redirected to idv_url (and then "Your identity has already been verified") without being redirected to SP, because idv_level is not yet being updated during proofing
  • Starting from sample SP, sign in with identity_verification required
  • Complete IdV
  • Expect to be redirected to SP
  • In application.yml, set doc_auth_selfie_capture_enabled: false
  • Starting from sample SP, sign in with biometric_comparison_required
  • Complete IdV
  • Expect to be redirected to SP
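
The gate described in the summary and testing plan above, as an added plain-Ruby sketch (not code from this pull request or the project). `selfie_gate_destination`, the two structs and the `:level_without_selfie` value are hypothetical stand-ins, and the feature flag and the SP's requirement are passed in as booleans.

```ruby
# Added sketch in plain Ruby (no Rails); not code from the project.
# Struct names and selfie_gate_destination are hypothetical stand-ins.

Profile = Struct.new(:idv_level, :active, keyword_init: true)

User = Struct.new(:profiles, keyword_init: true) do
  def active_profile
    profiles.find(&:active)
  end

  # Models User#identity_verified_with_selfie? from the summary: only the
  # active profile's idv_level counts, and no active profile means false.
  def identity_verified_with_selfie?
    active_profile&.idv_level == :unsupervised_with_selfie
  end
end

# Decides where the authorization step sends the user.
# selfie_flag stands in for doc_auth_selfie_capture_enabled;
# sp_requires_selfie stands in for the SP requesting biometric comparison.
def selfie_gate_destination(user:, sp_requires_selfie:, selfie_flag:)
  # With the flag off, or an SP that never asked, the gate is not applied.
  return :sp unless selfie_flag && sp_requires_selfie

  # Otherwise the user reaches the SP only when verified at the selfie level.
  user.identity_verified_with_selfie? ? :sp : :idv_url
end

# Constructed users. :level_without_selfie is a placeholder for any
# idv_level other than :unsupervised_with_selfie.
NO_SELFIE_USER = User.new(
  profiles: [Profile.new(idv_level: :level_without_selfie, active: true)],
)
SELFIE_USER = User.new(
  profiles: [Profile.new(idv_level: :unsupervised_with_selfie, active: true)],
)
# A deactivated selfie profile must not satisfy the check.
STALE_USER = User.new(
  profiles: [Profile.new(idv_level: :unsupervised_with_selfie, active: false)],
)
```

The `STALE_USER` and no-profile cases show the check failing closed: without an active profile at the selfie level, the user goes back to proofing instead of to the SP.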

soniaconnolly and others added 4 commits January 3, 2024 08:57
Co-authored-by: Alex Bradley <alexander.bradley@gsa.gov>
This will only take effect if doc_auth_selfie_capture_enabled feature flag is on
To get rid of:  Failure/Error: raise BrowserConsoleLogError.new(javascript_errors) if javascript_errors.present?

     BrowserConsoleLogError:
       Unexpected browser console logging:

       chrome-error://chromewebdata/ 6589:1640 "crbug/1173575, non-JS module files deprecated."

before_action :confirm_two_factor_authenticated
before_action :verify_confirmed, if: :ial2?
before_action :confirm_identity_verified, if: :ial2?
Contributor

I am not sure the completions controller is the correct place for this logic. The completions controller is not what is responsible for redirecting the user to the service provider or checking that the user has satisfied all of the requirements for being redirected. That is the OpenidConnect::AuthorizationController#index and the SamlIdpController#auth action.

Contributor Author

The before_action on line 6 was already there. I just renamed it. Do you recommend removing that, or leaving it alone, or adding the before_action here and also modifying the places you mentioned?

Contributor

I looked at the latest changes and I think it is probably fine to leave those checks in here. They are shortcutting the effect that an eventual redirect to the authorization controller or SAML IdP controller would have.

changelog: Upcoming Features, Identity Verification with Liveness Check (behind feature flag), Confirm that liveness check was performed before redirecting to Service Provider
soniaconnolly requested a review from a team January 3, 2024 22:39
soniaconnolly requested a review from jmhooper January 4, 2024 19:06
We're going to look into fixing this a different way for local test runs.

This reverts commit 3b62b21.
soniaconnolly merged commit ad9fad8 into main Jan 4, 2024
soniaconnolly deleted the sonia-lg-11695-enforce-selfie-capture-performed branch January 4, 2024 21:27
amirbey mentioned this pull request Jan 9, 2024