Deploy RC 350 to Production

Gemfile

@@ -34,7 +34,7 @@ gem 'foundation_emails'
 gem 'good_job', '~> 3.0'
 gem 'hashie', '~> 4.1'
 gem 'http_accept_language'
-gem 'identity-hostdata', github: '18F/identity-hostdata', tag: 'v3.4.2'
+gem 'identity-hostdata', github: '18F/identity-hostdata', tag: 'v3.4.3'
 gem 'identity-logging', github: '18F/identity-logging', tag: 'v0.1.0'
 gem 'identity_validations', github: '18F/identity-validations', tag: 'v0.7.2'
 gem 'jsbundling-rails', '~> 1.1.2'
@@ -69,7 +69,7 @@ gem 'rqrcode'
 gem 'ruby-progressbar'
 gem 'ruby-saml'
 gem 'safe_target_blank', '>= 1.0.2'
-gem 'saml_idp', github: '18F/saml_idp', tag: '0.18.2-18f'
+gem 'saml_idp', github: '18F/saml_idp', tag: '0.18.3-18f'
 gem 'scrypt'
 gem 'simple_form', '>= 5.0.2'
 gem 'stringex', require: false

Gemfile.lock

@@ -1,9 +1,9 @@
 GIT
   remote: https://github.com/18F/identity-hostdata.git
-  revision: 9e2e0441cd93307cbfc5d5b8d4b3b7b4219394fb
-  tag: v3.4.2
+  revision: 42027a05a3827177d473a0f2d998771011fc4fd6
+  tag: v3.4.3
   specs:
-    identity-hostdata (3.4.2)
+    identity-hostdata (3.4.3)
       activesupport (>= 6.1, < 8)
       aws-sdk-s3 (~> 1.8)
 
@@ -34,10 +34,10 @@ GIT
 
 GIT
   remote: https://github.com/18F/saml_idp.git
-  revision: 5d9a9b0411e3bd79bf1159c94293ec55053884d4
-  tag: 0.18.2-18f
+  revision: 26d550cd249e52304aecbb53add32cbec4001e2f
+  tag: 0.18.3-18f
   specs:
-    saml_idp (0.18.2.pre.18f)
+    saml_idp (0.18.3.pre.18f)
       activesupport
       builder
       faraday

app/assets/stylesheets/components/_index.scss

@@ -16,7 +16,6 @@
 @forward 'modal';
 @forward 'nav';
 @forward 'page-heading';
-@forward 'password';
 @forward 'profile-section';
 @forward 'personal-key';
 @forward 'radio-button';

app/components/password_confirmation_component.html.erb

@@ -43,4 +43,5 @@
   >
     <%= t('components.password_confirmation.toggle_label') %>
   </label>
+  <%= render PasswordStrengthComponent.new(input_id:, forbidden_passwords:) %>
 <% end %>

app/components/password_confirmation_component.rb

@@ -1,17 +1,19 @@
 class PasswordConfirmationComponent < BaseComponent
-  attr_reader :form, :field_options, :tag_options
+  attr_reader :form, :field_options, :forbidden_passwords, :tag_options
 
   def initialize(
     form:,
     password_label: nil,
     confirmation_label: nil,
     field_options: {},
+    forbidden_passwords: [],
     **tag_options
   )
     @form = form
     @password_label = password_label
     @confirmation_label = confirmation_label
     @field_options = field_options
+    @forbidden_passwords = forbidden_passwords
     @tag_options = tag_options
   end
 

app/components/password_strength_component.html.erb

@@ -0,0 +1,18 @@
+<%= content_tag(
+      :'lg-password-strength',
+      'input-id': input_id,
+      'minimum-length': minimum_length,
+      'forbidden-passwords': forbidden_passwords.to_json,
+      **tag_options,
+      class: [*tag_options[:class], 'display-none'],
+    ) do %>
+  <div class="password-strength__meter">
+    <div class="password-strength__meter-bar"></div>
+    <div class="password-strength__meter-bar"></div>
+    <div class="password-strength__meter-bar"></div>
+    <div class="password-strength__meter-bar"></div>
+  </div>
+  <%= t('instructions.password.strength.intro') %>
+  <span class="password-strength__strength"></span>
+  <div class="password-strength__feedback"></div>
+<% end %>

app/components/password_strength_component.rb

@@ -0,0 +1,15 @@
+class PasswordStrengthComponent < BaseComponent
+  attr_reader :input_id, :forbidden_passwords, :minimum_length, :tag_options
+
+  def initialize(
+    input_id:,
+    minimum_length: Devise.password_length.min,
+    forbidden_passwords: [],
+    **tag_options
+  )
+    @input_id = input_id
+    @minimum_length = minimum_length
+    @forbidden_passwords = forbidden_passwords
+    @tag_options = tag_options
+  end
+end

app/assets/stylesheets/components/_password.scss → app/components/password_strength_component.scss

@@ -16,19 +16,27 @@
     margin-left: units(1);
   }
 
-  .pw-weak &:nth-child(-n + 1) {
+  lg-password-strength[score='1'] &:nth-child(-n + 1) {
     background-color: color('error');
   }
 
-  .pw-average &:nth-child(-n + 2) {
+  lg-password-strength[score='2'] &:nth-child(-n + 2) {
     background-color: color('warning');
   }
 
-  .pw-good &:nth-child(-n + 3) {
+  lg-password-strength[score='3'] &:nth-child(-n + 3) {
     background-color: color('success-light');
   }
 
-  .pw-great &:nth-child(-n + 4) {
+  lg-password-strength[score='4'] &:nth-child(-n + 4) {
     background-color: color('success');
   }
 }
+
+.password-strength__strength {
+  @include u-text(bold);
+}
+
+.password-strength__feedback {
+  @include u-text(italic);
+}

app/components/password_strength_component.ts

@@ -0,0 +1 @@
+import '@18f/identity-password-strength/password-strength-element';

app/components/password_toggle_component.rb

@@ -28,6 +28,6 @@ def toggle_id
   end
 
   def input_id
-    "password-toggle-input-#{unique_id}"
+    field_options.dig(:input_html, :id) || "password-toggle-input-#{unique_id}"
   end
 end

app/controllers/concerns/saml_idp_auth_concern.rb

@@ -5,7 +5,7 @@ module SamlIdpAuthConcern
 
   included do
     # rubocop:disable Rails/LexicallyScopedActionFilter
-    before_action :validate_saml_request, only: :auth
+    before_action :validate_and_create_saml_request_object, only: :auth
     before_action :validate_service_provider_and_authn_context, only: :auth
     before_action :check_sp_active, only: :auth
     before_action :log_external_saml_auth_request, only: [:auth]
@@ -45,21 +45,29 @@ def check_sp_active
   end
 
   def validate_service_provider_and_authn_context
-    @saml_request_validator = SamlRequestValidator.new
+    return if result.success?
+
+    analytics.saml_auth(
+      **result.to_h.merge(request_signed: saml_request.signed?),
+    )
+    render 'saml_idp/auth/error', status: :bad_request
+  end
 
-    @result = @saml_request_validator.call(
+  def result
+    @result ||= @saml_request_validator.call(
       service_provider: saml_request_service_provider,
       authn_context: requested_authn_contexts,
       authn_context_comparison: saml_request.requested_authn_context_comparison,
       nameid_format: name_id_format,
     )
+  end
 
-    return if @result.success?
-
-    analytics.saml_auth(
-      **@result.to_h.merge(request_signed: saml_request.signed?),
-    )
-    render 'saml_idp/auth/error', status: :bad_request
+  def validate_and_create_saml_request_object
+    # this saml_idp method creates the saml_request object used for validations
+    validate_saml_request
+    @saml_request_validator = SamlRequestValidator.new
+  rescue SamlIdp::XMLSecurity::SignedDocument::ValidationError
+    @saml_request_validator = SamlRequestValidator.new(blank_cert: true)
   end
 
   def name_id_format

app/controllers/saml_idp_controller.rb

@@ -118,7 +118,7 @@ def pii_requested_but_locked?
   end
 
   def capture_analytics
-    analytics_payload = @result.to_h.merge(
+    analytics_payload = result.to_h.merge(
       endpoint: api_saml_auth_path(path_year: params[:path_year]),
       idv: identity_needs_verification?,
       finish_profile: user_has_pending_profile?,

app/controllers/users/webauthn_controller.rb

@@ -6,6 +6,7 @@ class WebauthnController < ApplicationController
     before_action :confirm_recently_authenticated_2fa
     before_action :set_form
     before_action :validate_configuration_exists
+    before_action :set_presenter
 
     def edit; end
 
@@ -15,7 +16,7 @@ def update
       analytics.webauthn_update_name_submitted(**result.to_h)
 
       if result.success?
-        flash[:success] = t('two_factor_authentication.webauthn_platform.renamed')
+        flash[:success] = presenter.rename_success_alert_text
         redirect_to account_path
       else
         flash.now[:error] = result.first_error_message
@@ -29,7 +30,7 @@ def destroy
       analytics.webauthn_delete_submitted(**result.to_h)
 
       if result.success?
-        flash[:success] = t('two_factor_authentication.webauthn_platform.deleted')
+        flash[:success] = presenter.delete_success_alert_text
         create_user_event(:webauthn_key_removed)
         revoke_remember_device(current_user)
         event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
@@ -49,6 +50,14 @@ def form
 
     alias_method :set_form, :form
 
+    delegate :configuration, to: :form
+
+    def presenter
+      @presenter ||= TwoFactorAuthentication::WebauthnEditPresenter.new(configuration:)
+    end
+
+    alias_method :set_presenter, :presenter
+
     def form_class
       case action_name
       when 'edit', 'update'
@@ -59,7 +68,7 @@ def form_class
     end
 
     def validate_configuration_exists
-      render_not_found if form.configuration.blank?
+      render_not_found if configuration.blank?
     end
   end
 end

app/controllers/users/webauthn_setup_controller.rb

@@ -156,15 +156,19 @@ def handle_successful_delete
       else
         flash[:success] = t('notices.webauthn_deleted')
       end
-      track_delete(true)
+      track_delete(success: true, platform_authenticator: webauthn.platform_authenticator?)
     end
 
     def handle_failed_delete
-      track_delete(false)
+      track_delete(success: false, platform_authenticator: nil)
     end
 
-    def track_delete(success)
-      analytics.webauthn_delete_submitted(success:, configuration_id: delete_params[:id])
+    def track_delete(success:, platform_authenticator:)
+      analytics.webauthn_delete_submitted(
+        success:,
+        configuration_id: delete_params[:id],
+        platform_authenticator:,
+      )
     end
 
     def save_challenge_in_session

app/forms/two_factor_authentication/webauthn_delete_form.rb

@@ -51,7 +51,10 @@ def validate_has_multiple_mfa
     end
 
     def extra_analytics_attributes
-      { configuration_id: }
+      {
+        configuration_id:,
+        platform_authenticator: configuration&.platform_authenticator?,
+      }
     end
   end
 end

app/forms/two_factor_authentication/webauthn_update_form.rb

@@ -62,7 +62,10 @@ def validate_unique_name
     end
 
     def extra_analytics_attributes
-      { configuration_id: }
+      {
+        configuration_id:,
+        platform_authenticator: configuration&.platform_authenticator?,
+      }
     end
   end
 end

app/javascript/packages/build-sass/CHANGELOG.md

@@ -7,6 +7,8 @@
 ### Improvements
 
 - `--out-dir` is now optional. If omitted, files will be output in the same directory as their source files.
+- The command-line tool now uses [Sass Shared Resources API](https://github.com/sass/sass/blob/main/accepted/shared-resources.d.ts.md), improving performance when compiling multiple files that share common resources.
+  - In Login.gov's identity provider application, this reduced compilation times by an average of 66%!
 
 ## 2.0.0
 

app/javascript/packages/build-sass/README.md

@@ -44,6 +44,7 @@ function buildFile(
   options: {
     outDir: string,
     optimize: boolean,
+    sassCompiler: SassAsyncCompiler,
     ...sassOptions: SassOptions<'sync'>,
   },
 ): Promise<SassCompileResult>;

app/javascript/packages/build-sass/cli.js

@@ -4,8 +4,9 @@
 
 import { mkdir } from 'node:fs/promises';
 import { parseArgs } from 'node:util';
+import { fileURLToPath } from 'node:url';
 import { watch } from 'chokidar';
-import { fileURLToPath } from 'url';
+import { initAsyncCompiler as initAsyncSassCompiler } from 'sass-embedded';
 import { buildFile } from './index.js';
 import getDefaultLoadPaths from './get-default-load-paths.js';
 import getErrorSassStackPaths from './get-error-sass-stack-paths.js';
@@ -29,8 +30,10 @@ const { values: flags, positionals: fileArgs } = parseArgs({
 const { watch: isWatching, 'out-dir': outDir, 'load-path': loadPaths = [] } = flags;
 loadPaths.push(...getDefaultLoadPaths());
 
+const sassCompiler = await initAsyncSassCompiler();
+
 /** @type {BuildOptions & SyncSassOptions} */
-const options = { outDir, loadPaths, optimize: isProduction };
+const options = { outDir, loadPaths, sassCompiler, optimize: isProduction };
 
 /**
  * Watches given file path(s), triggering the callback on the first change.
@@ -89,4 +92,8 @@ try {
 } catch (error) {
   console.error(error);
   process.exitCode = 1;
+} finally {
+  if (!isWatching) {
+    await sassCompiler.dispose();
+  }
 }