Merge pull request #10529 from 18F/stages/rc-2024-04-30

Deploy RC 375 to Production

Gemfile

@@ -32,7 +32,7 @@ gem 'faraday-retry'
 gem 'foundation_emails'
 gem 'good_job', '~> 3.0'
 gem 'http_accept_language'
-gem 'identity-hostdata', github: '18F/identity-hostdata', tag: 'v3.4.3'
+gem 'identity-hostdata', github: '18F/identity-hostdata', tag: 'v4.0.0'
 gem 'identity-logging', github: '18F/identity-logging', tag: 'v0.1.0'
 gem 'identity_validations', github: '18F/identity-validations', tag: 'v0.7.2'
 gem 'jsbundling-rails', '~> 1.1.2'

Gemfile.lock

@@ -1,11 +1,12 @@
 GIT
   remote: https://github.com/18F/identity-hostdata.git
-  revision: 42027a05a3827177d473a0f2d998771011fc4fd6
-  tag: v3.4.3
+  revision: 9574e05398833c531f450c3da99a6afde4ce68fc
+  tag: v4.0.0
   specs:
-    identity-hostdata (3.4.3)
+    identity-hostdata (4.0.0)
       activesupport (>= 6.1, < 8)
       aws-sdk-s3 (~> 1.8)
+      redacted_struct (>= 2.0)
 
 GIT
   remote: https://github.com/18F/identity-logging.git
@@ -181,7 +182,7 @@ GEM
     aws-sdk-pinpointsmsvoice (1.29.0)
       aws-sdk-core (~> 3, >= 3.122.0)
       aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.132.0)
+    aws-sdk-s3 (1.132.1)
       aws-sdk-core (~> 3, >= 3.179.0)
       aws-sdk-kms (~> 1)
       aws-sigv4 (~> 1.6)

app/controllers/application_controller.rb

@@ -5,7 +5,6 @@ class ApplicationController < ActionController::Base
   include BackupCodeReminderConcern
   include LocaleHelper
   include VerifySpAttributesConcern
-  include EffectiveUser
   include SecondMfaReminderConcern
   include TwoFactorAuthenticatableMethods
 
@@ -73,7 +72,7 @@ def analytics
   end
 
   def analytics_user
-    effective_user || AnonymousUser.new
+    current_user || AnonymousUser.new
   end
 
   def irs_attempts_api_tracker

app/controllers/concerns/idv/hybrid_mobile/hybrid_mobile_concern.rb

@@ -8,6 +8,20 @@ module HybridMobileConcern
       include AcuantConcern
       include Idv::AbTestAnalyticsConcern
 
+      def analytics_user
+        current_or_hybrid_user || AnonymousUser.new
+      end
+
+      def current_or_hybrid_user
+        return User.find_by(id: session[:doc_capture_user_id]) if !current_user && hybrid_user?
+
+        current_user
+      end
+
+      def hybrid_user?
+        session[:doc_capture_user_id].present?
+      end
+
       def check_valid_document_capture_session
         if !document_capture_user
           # The user has not "logged in" to document capture via the EntryController

app/controllers/concerns/remember_device_concern.rb

@@ -19,7 +19,7 @@ def check_remember_device_preference
     return unless UserSessionContext.authentication_context?(context)
     return if remember_device_cookie.nil?
 
-    expiration_time = decorated_sp_session.mfa_expiration_interval
+    expiration_time = mfa_expiration_interval
     return unless remember_device_cookie.valid_for_user?(
       user: current_user,
       expiration_interval: expiration_time,
@@ -39,7 +39,7 @@ def remember_device_cookie
   def remember_device_expired_for_sp?
     expired_for_interval?(
       current_user,
-      decorated_sp_session.mfa_expiration_interval,
+      mfa_expiration_interval,
     )
   end
 
@@ -53,8 +53,27 @@ def revoke_remember_device(user)
     )
   end
 
+  def mfa_expiration_interval
+    aal_1_expiration = IdentityConfig.store.remember_device_expiration_hours_aal_1.hours
+    aal_2_expiration = IdentityConfig.store.remember_device_expiration_minutes_aal_2.minutes
+
+    return aal_2_expiration if sp_aal > 1
+    return aal_2_expiration if sp_ial > 1
+    return aal_2_expiration if resolved_authn_context_result&.aal2?
+
+    aal_1_expiration
+  end
+
   private
 
+  def sp_aal
+    current_sp&.default_aal || 1
+  end
+
+  def sp_ial
+    current_sp&.ial || 1
+  end
+
   def expired_for_interval?(user, interval)
     return false unless has_remember_device_auth_event?
     remember_cookie = remember_device_cookie

app/controllers/frontend_log_controller.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 class FrontendLogController < ApplicationController
+  include Idv::HybridMobile::HybridMobileConcern
   respond_to :json
 
   skip_before_action :verify_authenticity_token
@@ -54,6 +55,7 @@ class FrontendLogController < ApplicationController
     idv_sdk_selfie_image_capture_initialized
     idv_sdk_selfie_image_capture_opened
     idv_sdk_selfie_image_re_taken
+    idv_sdk_selfie_image_taken
     idv_selfie_image_added
     idv_selfie_image_clicked
     phone_input_country_changed

app/controllers/idv/in_person/usps_locations_controller.rb

@@ -6,9 +6,9 @@ module Idv
   module InPerson
     class UspsLocationsController < ApplicationController
       include Idv::AvailabilityConcern
+      include Idv::HybridMobile::HybridMobileConcern
       include RenderConditionConcern
       include UspsInPersonProofing
-      include EffectiveUser
 
       check_or_render_not_found -> { InPersonConfig.enabled? }
 
@@ -59,7 +59,7 @@ def proofer
 
       def add_proofing_component
         ProofingComponent.
-          create_or_find_by(user: effective_user).
+          create_or_find_by(user: current_or_hybrid_user).
           update(document_check: Idp::Constants::Vendors::USPS)
       end
 
@@ -84,12 +84,12 @@ def handle_error(err)
       end
 
       def confirm_authenticated_for_api
-        render json: { success: false }, status: :unauthorized if !effective_user
+        render json: { success: false }, status: :unauthorized if !current_or_hybrid_user
       end
 
       def enrollment
         InPersonEnrollment.find_or_initialize_by(
-          user: effective_user,
+          user: current_or_hybrid_user,
           status: :establishing,
           profile: nil,
         )

app/decorators/null_service_provider_session.rb

@@ -17,10 +17,6 @@ def cancel_link_url
     view_context.root_url
   end
 
-  def mfa_expiration_interval
-    IdentityConfig.store.remember_device_expiration_hours_aal_1.hours
-  end
-
   def remember_device_default
     true
   end

app/decorators/service_provider_session.rb

@@ -90,16 +90,6 @@ def sp_alert(section)
     end
   end
 
-  def mfa_expiration_interval
-    aal_1_expiration = IdentityConfig.store.remember_device_expiration_hours_aal_1.hours
-    aal_2_expiration = IdentityConfig.store.remember_device_expiration_minutes_aal_2.minutes
-    return aal_2_expiration if sp_aal > 1
-    return aal_2_expiration if sp_ial > 1
-    return aal_2_expiration if resolved_authn_context_result.aal2?
-
-    aal_1_expiration
-  end
-
   def requested_more_recent_verification?
     unless IdentityConfig.store.allowed_verified_within_providers.include?(sp_issuer)
       return false
@@ -132,24 +122,14 @@ def current_user
     view_context&.current_user
   end
 
-  private
+  attr_reader :sp, :sp_session
 
-  attr_reader :sp, :view_context, :sp_session, :service_provider_request
+  private
 
-  def resolved_authn_context_result
-    @resolved_authn_context_result ||= AuthnContextResolver.new(
-      service_provider: sp,
-      vtr: sp_session[:vtr],
-      acr_values: sp_session[:acr_values],
-    ).resolve
-  end
+  attr_reader :view_context, :service_provider_request
 
   def sp_aal
-    sp.default_aal || 1
-  end
-
-  def sp_ial
-    sp.ial || 1
+    sp&.default_aal || 1
   end
 
   def request_url

app/forms/idv/api_image_upload_form.rb

@@ -95,8 +95,8 @@ def post_images_to_client
       end
 
       response.extra.merge!(extra_attributes)
-      response.extra[:state] = response.pii_from_doc[:state]
-      response.extra[:state_id_type] = response.pii_from_doc[:state_id_type]
+      response.extra[:state] = response.pii_from_doc.to_h[:state]
+      response.extra[:state_id_type] = response.pii_from_doc.to_h[:state_id_type]
 
       update_analytics(
         client_response: response,
@@ -119,7 +119,7 @@ def selfie_image_bytes
 
     def validate_pii_from_doc(client_response)
       response = Idv::DocPiiForm.new(
-        pii: client_response.pii_from_doc,
+        pii: client_response.pii_from_doc.to_h,
         attention_with_barcode: client_response.attention_with_barcode?,
       ).submit
       response.extra.merge!(extra_attributes)
@@ -452,7 +452,7 @@ def rate_limited?
     end
 
     def track_event(response)
-      pii_from_doc = response.pii_from_doc || {}
+      pii_from_doc = response.pii_from_doc.to_h || {}
       stored_image_result = store_encrypted_images_if_required
 
       irs_attempts_api_tracker.idv_document_upload_submitted(

app/javascript/packages/document-capture/components/acuant-capture.tsx

@@ -713,6 +713,10 @@ function AcuantCapture(
 
   function onSelfieTaken() {
     selfieAttempts.current += 1;
+    trackEvent('idv_sdk_selfie_image_taken', {
+      captureAttempts,
+      selfie_attempts: selfieAttempts.current,
+    });
   }
 
   function onImageCaptureInitialized() {

app/jobs/gpo_reminder_job.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class GpoReminderJob < ApplicationJob
-  queue_as :low
+  queue_as :long_running
 
   # Send email reminders to people with USPS proofing letters whose
   # letters were sent a while ago, and haven't yet entered their code

app/models/document_capture_session.rb

@@ -16,7 +16,7 @@ def store_result_from_response(doc_auth_response)
       id: generate_result_id,
     )
     session_result.success = doc_auth_response.success?
-    session_result.pii = doc_auth_response.pii_from_doc
+    session_result.pii = doc_auth_response.pii_from_doc.to_h
     session_result.captured_at = Time.zone.now
     session_result.attention_with_barcode = doc_auth_response.attention_with_barcode?
     session_result.doc_auth_success = doc_auth_response.doc_auth_success?

app/presenters/image_upload_response_presenter.rb

@@ -88,7 +88,7 @@ def attention_with_barcode?
   def ocr_pii
     return unless success?
     return unless attention_with_barcode? && @form_response.respond_to?(:pii_from_doc)
-    @form_response.pii_from_doc&.slice(:first_name, :last_name, :dob)
+    @form_response.pii_from_doc.to_h.slice(:first_name, :last_name, :dob)
   end
 
   def doc_type_supported?

app/services/analytics_events.rb

@@ -334,6 +334,12 @@ def contact_redirect(redirect_url:, step: nil, location: nil, flow: nil, **extra
     )
   end
 
+  # New device sign-in alerts sent after expired notification timeframe
+  # @param [Integer] count Number of emails sent
+  def create_new_device_alert_job_emails_sent(count:, **extra)
+    track_event(:create_new_device_alert_job_emails_sent, count:, **extra)
+  end
+
   # @param [String] message the warning
   # Logged when there is a non-user-facing error in the doc auth process, such as an unrecognized
   # field from a vendor
@@ -3295,6 +3301,25 @@ def idv_sdk_selfie_image_re_taken(
       **extra,
     )
   end
+
+  # User opened the SDK to take a selfie
+  # @param [String] acuant_version
+  # @param [Integer] captureAttempts number of attempts to capture / upload an image
+  # @param [Integer] selfie_attempts number of selfie captured by SDK
+  def idv_sdk_selfie_image_taken(
+    acuant_version:,
+    captureAttempts: nil,
+    selfie_attempts: nil,
+    **extra
+  )
+    track_event(
+      :idv_sdk_selfie_image_taken,
+      acuant_version: acuant_version,
+      captureAttempts: captureAttempts,
+      selfie_attempts: selfie_attempts,
+      **extra,
+    )
+  end
   # rubocop:enable Naming/VariableName,Naming/MethodParameterName
 
   # User took a selfie image with the SDK, or uploaded a selfie using the file picker

app/services/create_new_device_alert.rb

@@ -12,11 +12,17 @@ def perform(now)
       emails_sent += 1 if expire_sign_in_notification_timeframe_and_send_alert(user)
     end
 
+    analytics.create_new_device_alert_job_emails_sent(count: emails_sent)
+
     emails_sent
   end
 
   private
 
+  def analytics
+    @analytics ||= Analytics.new(user: AnonymousUser.new, request: nil, sp: nil, session: {})
+  end
+
   def sql_query_for_users_with_new_device
     <<~SQL
       sign_in_new_device_at IS NOT NULL AND