Merge pull request #11824 from 18F/stages/rc-2025-01-30

Deploy RC 448 to Production

app/controllers/api/internal/two_factor_authentication/auth_app_controller.rb

@@ -6,6 +6,7 @@ module TwoFactorAuthentication
       class AuthAppController < ApplicationController
         include CsrfTokenConcern
         include ReauthenticationRequiredConcern
+        include MfaDeletionConcern
 
         before_action :render_unauthorized, unless: :recently_authenticated_2fa?
 
@@ -37,10 +38,7 @@ def destroy
           analytics.auth_app_delete_submitted(**result)
 
           if result.success?
-            create_user_event(:authenticator_disabled)
-            revoke_remember_device(current_user)
-            event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-            PushNotification::HttpPush.deliver(event)
+            handle_successful_mfa_deletion(event_type: :authenticator_disabled)
             render json: { success: true }
           else
             render json: { success: false, error: result.first_error_message }, status: :bad_request

app/controllers/api/internal/two_factor_authentication/piv_cac_controller.rb

@@ -7,6 +7,7 @@ class PivCacController < ApplicationController
         include CsrfTokenConcern
         include ReauthenticationRequiredConcern
         include PivCacConcern
+        include MfaDeletionConcern
 
         before_action :render_unauthorized, unless: :recently_authenticated_2fa?
 
@@ -38,9 +39,7 @@ def destroy
           analytics.piv_cac_delete_submitted(**result)
 
           if result.success?
-            create_user_event(:piv_cac_disabled)
-            revoke_remember_device(current_user)
-            deliver_push_notification
+            handle_successful_mfa_deletion(event_type: :piv_cac_disabled)
             clear_piv_cac_information
             render json: { success: true }
           else
@@ -50,11 +49,6 @@ def destroy
 
         private
 
-        def deliver_push_notification
-          event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-          PushNotification::HttpPush.deliver(event)
-        end
-
         def render_unauthorized
           render json: { error: 'Unauthorized' }, status: :unauthorized
         end

app/controllers/api/internal/two_factor_authentication/webauthn_controller.rb

@@ -6,6 +6,7 @@ module TwoFactorAuthentication
       class WebauthnController < ApplicationController
         include CsrfTokenConcern
         include ReauthenticationRequiredConcern
+        include MfaDeletionConcern
 
         before_action :render_unauthorized, unless: :recently_authenticated_2fa?
 
@@ -37,10 +38,7 @@ def destroy
           analytics.webauthn_delete_submitted(**result)
 
           if result.success?
-            create_user_event(:webauthn_key_removed)
-            revoke_remember_device(current_user)
-            event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-            PushNotification::HttpPush.deliver(event)
+            handle_successful_mfa_deletion(event_type: :webauthn_key_removed)
             render json: { success: true }
           else
             render json: { success: false, error: result.first_error_message }, status: :bad_request

app/controllers/concerns/idv/doc_auth_vendor_concern.rb

@@ -6,17 +6,17 @@ module DocAuthVendorConcern
 
     # @returns[String] String identifying the vendor to use for doc auth.
     def doc_auth_vendor
-      if resolved_authn_context_result.facial_match?
-        if doc_auth_vendor_enabled?(Idp::Constants::Vendors::LEXIS_NEXIS)
-          bucket = :lexis_nexis
-        elsif doc_auth_vendor_enabled?(Idp::Constants::Vendors::MOCK)
-          bucket = :mock
-        else
-          return nil
-        end
+      if resolved_authn_context_result.facial_match? || socure_user_set.maxed_users?
+        bucket = choose_non_socure_bucket
       else
         bucket = ab_test_bucket(:DOC_AUTH_VENDOR)
       end
+
+      if bucket == :socure
+        if !add_user_to_socure_set
+          bucket = choose_non_socure_bucket # force to lexis_nexis if max user reached
+        end
+      end
       DocAuthRouter.doc_auth_vendor_for_bucket(bucket)
     end
 
@@ -33,5 +33,23 @@ def doc_auth_vendor_enabled?(vendor)
         false
       end
     end
+
+    private
+
+    def choose_non_socure_bucket
+      if doc_auth_vendor_enabled?(Idp::Constants::Vendors::LEXIS_NEXIS)
+        :lexis_nexis
+      elsif doc_auth_vendor_enabled?(Idp::Constants::Vendors::MOCK)
+        :mock
+      end
+    end
+
+    def socure_user_set
+      @socure_user_set ||= SocureUserSet.new
+    end
+
+    def add_user_to_socure_set
+      socure_user_set.add_user!(user_uuid: current_user.uuid)
+    end
   end
 end

app/controllers/concerns/idv/document_capture_concern.rb

@@ -76,8 +76,9 @@ def redirect_to_correct_vendor(vendor, in_hybrid_mobile:)
         when Idp::Constants::Vendors::LEXIS_NEXIS, Idp::Constants::Vendors::MOCK
           in_hybrid_mobile ? idv_hybrid_mobile_document_capture_path
                            : idv_document_capture_path
+        else
+          return
         end
-
       redirect_to correct_path
     end
 

app/controllers/concerns/mfa_deletion_concern.rb

@@ -4,7 +4,7 @@ module MfaDeletionConcern
   include RememberDeviceConcern
 
   def handle_successful_mfa_deletion(event_type:)
-    create_user_event(event_type)
+    create_user_event(event_type) if event_type
     revoke_remember_device(current_user)
     event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
     PushNotification::HttpPush.deliver(event)

app/controllers/idv/how_to_verify_controller.rb

@@ -41,7 +41,7 @@ def update
           idv_session.opted_in_to_in_person_proofing = true
           idv_session.flow_path = 'standard'
           idv_session.skip_doc_auth_from_how_to_verify = true
-          redirect_to idv_document_capture_url
+          redirect_to idv_document_capture_url(step: :how_to_verify)
         end
       else
         render :show, locals: { error: result.first_error_message }

app/controllers/idv/hybrid_mobile/socure/document_capture_controller.rb

@@ -19,6 +19,8 @@ class DocumentCaptureController < ApplicationController
         before_action :fetch_test_verification_data, only: [:update]
 
         def show
+          session[:socure_docv_wait_polling_started_at] = nil
+
           Funnel::DocAuth::RegisterStep.new(document_capture_user.id, sp_session[:issuer])
             .call('hybrid_mobile_socure_document_capture', :view, true)
 

app/controllers/users/auth_app_controller.rb

@@ -3,6 +3,7 @@
 module Users
   class AuthAppController < ApplicationController
     include ReauthenticationRequiredConcern
+    include MfaDeletionConcern
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_recently_authenticated_2fa
@@ -32,10 +33,7 @@ def destroy
 
       if result.success?
         flash[:success] = t('two_factor_authentication.auth_app.deleted')
-        create_user_event(:authenticator_disabled)
-        revoke_remember_device(current_user)
-        event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-        PushNotification::HttpPush.deliver(event)
+        handle_successful_mfa_deletion(event_type: :authenticator_disabled)
         redirect_to account_path
       else
         flash[:error] = result.first_error_message

app/controllers/users/backup_code_setup_controller.rb

@@ -4,6 +4,7 @@ module Users
   class BackupCodeSetupController < ApplicationController
     include TwoFactorAuthenticatableMethods
     include MfaSetupConcern
+    include MfaDeletionConcern
     include SecureHeadersConcern
     include ReauthenticationRequiredConcern
 
@@ -58,10 +59,8 @@ def refreshed
 
     def delete
       current_user.backup_code_configurations.destroy_all
-      event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-      PushNotification::HttpPush.deliver(event)
+      handle_successful_mfa_deletion(event_type: nil)
       flash[:success] = t('notices.backup_codes_deleted')
-      revoke_remember_device(current_user)
       if in_multi_mfa_selection_flow?
         redirect_to authentication_methods_setup_path
       else

app/controllers/users/edit_phone_controller.rb

@@ -4,6 +4,7 @@ module Users
   class EditPhoneController < ApplicationController
     include RememberDeviceConcern
     include ReauthenticationRequiredConcern
+    include MfaDeletionConcern
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_user_can_edit_phone
@@ -29,9 +30,7 @@ def update
     def destroy
       track_deletion_analytics_event
       phone_configuration.destroy!
-      event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-      PushNotification::HttpPush.deliver(event)
-      revoke_remember_device(current_user)
+      handle_successful_mfa_deletion(event_type: :phone_removed)
       flash[:success] = t('two_factor_authentication.phone.delete.success')
       redirect_to account_url
     end
@@ -55,7 +54,6 @@ def track_deletion_analytics_event
         success: true,
         phone_configuration_id: phone_configuration.id,
       )
-      create_user_event(:phone_removed)
     end
 
     def phone_configuration

app/controllers/users/emails_controller.rb

@@ -9,9 +9,10 @@ class EmailsController < ApplicationController
     before_action :check_max_emails_per_account, only: %i[show add]
     before_action :retain_confirmed_emails, only: %i[delete]
     before_action :confirm_recently_authenticated_2fa
+    before_action :validate_session_email, only: [:verify]
 
     def show
-      session[:in_select_email_flow] = true if params[:in_select_email_flow]
+      session[:in_select_email_flow] = in_select_email_flow_param
       analytics.add_email_visit(in_select_email_flow: in_select_email_flow?)
       @add_user_email_form = AddUserEmailForm.new
       @pending_completions_consent = pending_completions_consent?
@@ -42,11 +43,11 @@ def resend
         analytics.resend_add_email_request(success: true)
         SendAddEmailConfirmation.new(current_user).call(email_address:, request_id:)
         flash[:success] = t('notices.resend_confirmation_email.success')
-        redirect_to add_email_verify_email_url
+        redirect_to add_email_verify_email_url(in_select_email_flow: in_select_email_flow_param)
       else
         analytics.resend_add_email_request(success: false)
         flash[:error] = t('errors.general')
-        redirect_to add_email_url
+        redirect_to add_email_url(in_select_email_flow: in_select_email_flow_param)
       end
     end
 
@@ -71,16 +72,22 @@ def pending_completions_consent?
     end
 
     def verify
-      if session_email.blank?
-        redirect_to add_email_url
-      else
-        render :verify,
-               locals: { email: session_email, in_select_email_flow: params[:in_select_email_flow] }
-      end
+      @email = session_email
+      @in_select_email_flow = in_select_email_flow_param
+      @pending_completions_consent = pending_completions_consent?
     end
 
     private
 
+    def validate_session_email
+      return if session_email.present?
+      redirect_to add_email_url
+    end
+
+    def in_select_email_flow_param
+      true if params[:in_select_email_flow].present?
+    end
+
     def in_select_email_flow?
       session[:in_select_email_flow] == true
     end

app/controllers/users/piv_cac_controller.rb

@@ -4,6 +4,7 @@ module Users
   class PivCacController < ApplicationController
     include ReauthenticationRequiredConcern
     include PivCacConcern
+    include MfaDeletionConcern
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_recently_authenticated_2fa
@@ -33,9 +34,7 @@ def destroy
       analytics.piv_cac_delete_submitted(**result)
 
       if result.success?
-        create_user_event(:piv_cac_disabled)
-        revoke_remember_device(current_user)
-        deliver_push_notification
+        handle_successful_mfa_deletion(event_type: :piv_cac_disabled)
         clear_piv_cac_information
 
         flash[:success] = presenter.delete_success_alert_text
@@ -48,11 +47,6 @@ def destroy
 
     private
 
-    def deliver_push_notification
-      event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-      PushNotification::HttpPush.deliver(event)
-    end
-
     def form
       @form ||= form_class.new(user: current_user, configuration_id: params[:id])
     end

app/controllers/users/webauthn_controller.rb

@@ -3,6 +3,7 @@
 module Users
   class WebauthnController < ApplicationController
     include ReauthenticationRequiredConcern
+    include MfaDeletionConcern
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_recently_authenticated_2fa
@@ -33,10 +34,7 @@ def destroy
 
       if result.success?
         flash[:success] = presenter.delete_success_alert_text
-        create_user_event(:webauthn_key_removed)
-        revoke_remember_device(current_user)
-        event = PushNotification::RecoveryInformationChangedEvent.new(user: current_user)
-        PushNotification::HttpPush.deliver(event)
+        handle_successful_mfa_deletion(event_type: :webauthn_key_removed)
         redirect_to account_path
       else
         flash[:error] = result.first_error_message

app/controllers/users/webauthn_setup_controller.rb

@@ -134,7 +134,7 @@ def process_valid_webauthn(form)
         success: true,
       )
       handle_remember_device_preference(params[:remember_device])
-      if form.platform_authenticator?
+      if form.setup_as_platform_authenticator?
         handle_valid_verification_for_confirmation_context(
           auth_method: TwoFactorAuthenticatable::AuthMethod::WEBAUTHN_PLATFORM,
         )
@@ -144,7 +144,7 @@ def process_valid_webauthn(form)
           analytics,
           threatmetrix_attrs,
         )
-        flash[:success] = t('notices.webauthn_platform_configured')
+        flash[:success] = t('notices.webauthn_platform_configured') if !form.transports_mismatch?
       else
         handle_valid_verification_for_confirmation_context(
           auth_method: TwoFactorAuthenticatable::AuthMethod::WEBAUTHN,
@@ -155,9 +155,15 @@ def process_valid_webauthn(form)
           analytics,
           threatmetrix_attrs,
         )
-        flash[:success] = t('notices.webauthn_configured')
+        flash[:success] = t('notices.webauthn_configured') if !form.transports_mismatch?
+      end
+
+      if form.transports_mismatch?
+        user_session[:webauthn_mismatch_id] = form.webauthn_configuration.id
+        redirect_to webauthn_setup_mismatch_path
+      else
+        redirect_to next_setup_path || after_mfa_setup_path
       end
-      redirect_to next_setup_path || after_mfa_setup_path
     end
 
     def analytics_properties

app/forms/idv/doc_pii_form.rb

@@ -109,6 +109,10 @@ def dob_valid?
     end
 
     def state_id_expired?
+      # temporary fix, tracked for removal in LG-15600
+      return if IdentityConfig.store.socure_docv_verification_data_test_mode &&
+                DateParser.parse_legacy(state_id_expiration) == Date.parse('2020-01-01')
+
       if state_id_expiration && DateParser.parse_legacy(state_id_expiration).past?
         errors.add(:state_id_expiration, generic_error, type: :state_id_expiration)
       end