LG-11997 | Conditionally marks users as fraudulent

app/jobs/get_usps_proofing_results_job.rb

@@ -99,7 +99,6 @@ def check_enrollment(enrollment)
 
     status_check_attempted_at = Time.zone.now
     enrollment_outcomes[:enrollments_checked] += 1
-    response = nil
 
     response = proofer.request_proofing_results(
       enrollment.unique_id, enrollment.enrollment_code
@@ -305,6 +304,15 @@ def handle_expired_status_update(enrollment, response, response_message)
     end
   end
 
+  def handle_fraud_review_pending(enrollment)
+    enrollment.profile.deactivate_for_fraud_review
+
+    analytics(user: enrollment.user).
+      idv_in_person_usps_proofing_results_job_user_sent_to_fraud_review(
+        **enrollment_analytics_attributes(enrollment, complete: true),
+      )
+  end
+
   def handle_unexpected_response(enrollment, response_message, reason:, cancel: true)
     enrollment.cancelled! if cancel
 
@@ -363,21 +371,24 @@ def handle_successful_status_update(enrollment, response)
       reason: 'Successful status update',
       job_name: self.class.name,
     )
-    enrollment.profile.activate_after_passing_in_person
     enrollment.update(
       status: :passed,
       proofed_at: proofed_at,
       status_check_completed_at: Time.zone.now,
     )
 
-    # send SMS and email
-    send_enrollment_status_sms_notification(enrollment: enrollment)
-    send_verified_email(enrollment.user, enrollment)
-    analytics(user: enrollment.user).idv_in_person_usps_proofing_results_job_email_initiated(
-      **email_analytics_attributes(enrollment),
-      email_type: 'Success',
-      job_name: self.class.name,
-    )
+    unless fraud_result_pending?(enrollment)
+      enrollment.profile&.activate_after_passing_in_person
+
+      # send SMS and email
+      send_enrollment_status_sms_notification(enrollment: enrollment)
+      send_verified_email(enrollment.user, enrollment)
+      analytics(user: enrollment.user).idv_in_person_usps_proofing_results_job_email_initiated(
+        **email_analytics_attributes(enrollment),
+        email_type: 'Success',
+        job_name: self.class.name,
+      )
+    end
   end
 
   def handle_unsupported_secondary_id(enrollment, response)
@@ -405,12 +416,23 @@ def handle_unsupported_secondary_id(enrollment, response)
     )
   end
 
+  def fraud_result_pending?(enrollment)
+    IdentityConfig.store.in_person_proofing_enforce_tmx &&
+      enrollment.profile&.fraud_pending_reason.present?
+  end
+
   def process_enrollment_response(enrollment, response)
     unless response.is_a?(Hash)
       handle_response_is_not_a_hash(enrollment)
       return
     end
 
+    # We want to deactivate them regardless of status, but then allow the
+    # case statement below to pick up the correct flow.
+    if fraud_result_pending?(enrollment)
+      handle_fraud_review_pending(enrollment)
+    end
+
     case response['status']
     when IPP_STATUS_PASSED
       if passed_with_unsupported_secondary_id_type?(response)

app/services/analytics_events.rb

@@ -2246,6 +2246,19 @@ def idv_in_person_usps_proofing_results_job_unexpected_response(
     )
   end
 
+  # A user has been moved to fraud review after completing proofing at the USPS
+  # @param [String] enrollment_id
+  def idv_in_person_usps_proofing_results_job_user_sent_to_fraud_review(
+    enrollment_id:,
+    **extra
+  )
+    track_event(
+      :idv_in_person_usps_proofing_results_job_user_sent_to_fraud_review,
+      enrollment_id: enrollment_id,
+      **extra,
+    )
+  end
+
   # Tracks if USPS in-person proofing enrollment request fails
   # @param [String] context
   # @param [String] reason

app/services/idv/profile_maker.rb

@@ -35,7 +35,8 @@ def save_profile(
 
       profile.save!
       profile.deactivate_for_gpo_verification if gpo_verification_needed
-      if fraud_pending_reason.present? && !gpo_verification_needed
+
+      if fraud_pending_reason.present? && !gpo_verification_needed && !in_person_verification_needed
         profile.deactivate_for_fraud_review
       end
       profile

config/application.yml.default

@@ -133,6 +133,7 @@ in_person_email_reminder_early_benchmark_in_days: 11
 in_person_email_reminder_final_benchmark_in_days: 1
 in_person_email_reminder_late_benchmark_in_days: 4
 in_person_proofing_enabled: false
+in_person_proofing_enforce_tmx: false
 in_person_proofing_opt_in_enabled: false
 in_person_enrollment_validity_in_days: 30
 in_person_enrollments_ready_job_email_body_pattern: '\A\s*(?<enrollment_code>\d{16})\s*\Z'
@@ -392,6 +393,7 @@ development:
   hmac_fingerprinter_key_queue: '["11111111111111111111111111111111", "22222222222222222222222222222222"]'
   identity_pki_local_dev: true
   in_person_proofing_enabled: true
+  in_person_proofing_enforce_tmx: true
   in_person_send_proofing_notifications_enabled: true
   logins_per_ip_limit: 5
   logo_upload_enabled: true

lib/identity_config.rb

@@ -257,6 +257,7 @@ def self.build_store(config_map)
     config.add(:in_person_outage_expected_update_date, type: :string)
     config.add(:in_person_outage_message_enabled, type: :boolean)
     config.add(:in_person_proofing_enabled, type: :boolean)
+    config.add(:in_person_proofing_enforce_tmx, type: :boolean)
     config.add(:in_person_proofing_opt_in_enabled, type: :boolean)
     config.add(:in_person_public_address_search_enabled, type: :boolean)
     config.add(:in_person_results_delay_in_hours, type: :integer)

spec/jobs/get_usps_proofing_results_job_spec.rb

@@ -1148,6 +1148,94 @@
             error_type: Faraday::NilStatusError,
           )
         end
+
+        context 'when a user was flagged with fraud_pending_reason' do
+          before(:each) do
+            pending_enrollment.profile.update!(fraud_pending_reason: 'threatmetrix_review')
+            stub_request_passed_proofing_results
+          end
+
+          it 'updates the enrollment' do
+            freeze_time do
+              expect(pending_enrollment.status).to eq 'pending'
+              job.perform(Time.zone.now)
+              expect(pending_enrollment.reload.status).to eq 'passed'
+            end
+          end
+
+          context 'when the in_person_proofing_enforce_tmx flag is false' do
+            before do
+              allow(IdentityConfig.store).to receive(:in_person_proofing_enforce_tmx).
+                and_return(false)
+            end
+
+            it 'activates the profile' do
+              job.perform(Time.zone.now)
+              profile = pending_enrollment.reload.profile
+              expect(profile).to be_active
+            end
+
+            it 'does not mark the user as fraud_review_pending_at' do
+              job.perform(Time.zone.now)
+
+              profile = pending_enrollment.reload.profile
+              expect(profile).not_to be_fraud_review_pending
+            end
+
+            it 'does not log a user_sent_to_fraud_review analytics event' do
+              job.perform(Time.zone.now)
+
+              expect(job_analytics).not_to have_logged_event(
+                :idv_in_person_usps_proofing_results_job_user_sent_to_fraud_review,
+              )
+            end
+          end
+
+          context 'when the in_person_proofing_enforce_tmx flag is true' do
+            before do
+              allow(IdentityConfig.store).to receive(:in_person_proofing_enforce_tmx).
+                and_return(true)
+            end
+
+            it 'preserves the fraud_pending_reason attribute' do
+              job.perform(Time.zone.now)
+
+              expect(pending_enrollment.profile.fraud_pending_reason).to eq 'threatmetrix_review'
+            end
+
+            it 'logs a user_sent_to_fraud_review analytics event' do
+              job.perform(Time.zone.now)
+
+              expect(job_analytics).to have_logged_event(
+                :idv_in_person_usps_proofing_results_job_user_sent_to_fraud_review,
+                hash_including(
+                  enrollment_code: pending_enrollment.enrollment_code,
+                ),
+              )
+            end
+
+            it 'does not send a success email' do
+              user = pending_enrollment.user
+
+              freeze_time do
+                expect do
+                  job.perform(Time.zone.now)
+                end.not_to have_enqueued_mail(UserMailer, :in_person_verified).with(
+                  params: { user: user, email_address: user.email_addresses.first },
+                  args: [{ enrollment: pending_enrollment }],
+                )
+              end
+            end
+
+            it 'marks the user as fraud_review_pending_at' do
+              job.perform(Time.zone.now)
+
+              profile = pending_enrollment.reload.profile
+              expect(profile.fraud_review_pending_at).not_to be_nil
+              expect(profile).not_to be_active
+            end
+          end
+        end
       end
 
       describe 'Proofed with secondary id' do

spec/services/idv/profile_maker_spec.rb

@@ -65,15 +65,18 @@
     end
 
     context 'with fraud review needed' do
+      let(:gpo_verification_needed) { false }
+      let(:in_person_verification_needed) { false }
       let(:profile) do
         subject.save_profile(
           fraud_pending_reason: 'threatmetrix_review',
-          gpo_verification_needed: false,
+          gpo_verification_needed: gpo_verification_needed,
           deactivation_reason: nil,
-          in_person_verification_needed: false,
+          in_person_verification_needed: in_person_verification_needed,
           selfie_check_performed: false,
         )
       end
+
       it 'creates a pending profile for fraud review' do
         expect(profile.activated_at).to be_nil
         expect(profile.active).to eq(false)
@@ -84,9 +87,26 @@
         expect(profile.initiating_service_provider).to eq(nil)
         expect(profile.verified_at).to be_nil
       end
+
       it 'marks the profile as legacy_unsupervised' do
         expect(profile.idv_level).to eql('legacy_unsupervised')
       end
+
+      context 'when GPO verification is needed' do
+        let(:gpo_verification_needed) { true }
+
+        it 'is not fraud_review_pending?' do
+          expect(profile.fraud_review_pending?).to eq(false)
+        end
+      end
+
+      context 'when IPP is needed' do
+        let(:in_person_verification_needed) { true }
+
+        it 'is not fraud_review_pending?' do
+          expect(profile.fraud_review_pending?).to eq(false)
+        end
+      end
     end
 
     context 'with gpo_verification_needed' do