Deploy RC 368 to Prod #10349
Merged
…10311)

* LG-12674 Ensure requested VTR is logged in SAML and OIDC endpoints

This commit adds logging to ensure we have visibility into the VTR param that is sent by a service provider using SAML or OIDC. When the param is sent it is expanded to include implied components. For example, "Pb" will be expanded into "C1.C2.P1.Pb". For debugging purposes we will want visibility into what the service provider actually requests. Additionally, when looking at SP redirects that are served it may be helpful to see the VTR and ACR values that were operated on.

This addresses this concern on the following events:

- OpenID Connect: authorization request
- SAML Auth
- SAML Auth Request
- SP redirect initiated

This commit also updates the SAML request logging params in `analytics_events` to be inclusive of what is actually logged.

### OpenID Connect: authorization request

This request already has a `vtr` value that is logged. However, this is the parsed VTR value. If the VTR cannot be parsed this value is nil. This commit adds a new `vtr_param` value that includes the raw, unparsed `vtr` param.

### SAML Auth

This event logs the result from `SamlRequestValidator#call`, which includes the AuthnContext as an extra analytic attribute. This is where the raw VTR is read from. No changes were necessary here besides better documentation of the params.

### SAML Auth Request

This commit added logging of the AuthnContext here to include both the raw ACR values and the VTR param that are requested.

### SP redirect initiated

This commit added logging of the `vtr` and `acr_values` that are present in `sp_session`. This will allow us to see the ACR and VTR values that were operated on.

[skip changelog]
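The raw-versus-parsed logging described in the commit above, as an added Ruby example that is not login.gov code. The implication table (`IMPLIED`, which components each component implies) is an assumption chosen only to reproduce the "Pb" to "C1.C2.P1.Pb" expansion quoted in the commit; the project's real VTR parser is not shown on this page. The security-relevant point is that `vtr_param` always carries the string the service provider actually sent, while `vtr` is nil when parsing fails, so a malformed or unexpected request is still visible in the analytics stream instead of silently logging as nil.

```ruby
# Added example (not login.gov code): parse and expand a vector-of-trust
# request (VTR) string and build the analytics properties that log the raw
# param next to the parsed result.
module VtrExample
  # ASSUMPTION for illustration: each component implies the lower-assurance
  # components listed. The page only states that "Pb" expands to
  # "C1.C2.P1.Pb"; the real table lives in the project's parser.
  IMPLIED = {
    'C1' => [],
    'C2' => ['C1'],
    'P1' => ['C1', 'C2'],
    'Pb' => ['C1', 'C2', 'P1'],
  }.freeze

  # Returns the expanded, canonically ordered component list, or nil when
  # any component is unknown or the string is empty (the "cannot be parsed"
  # case from the commit message).
  def self.parse(vtr)
    return nil if vtr.nil? || vtr.empty?

    components = vtr.split('.')
    return nil if components.empty?
    return nil unless components.all? { |c| IMPLIED.key?(c) }

    expanded = components.flat_map { |c| IMPLIED[c] + [c] }.uniq
    ordering = IMPLIED.keys
    expanded.sort_by { |c| ordering.index(c) }
  end

  # Expanded dotted form, e.g. "Pb" -> "C1.C2.P1.Pb"; nil on parse failure.
  def self.expand(vtr)
    parsed = parse(vtr)
    parsed && parsed.join('.')
  end

  # Properties to attach to an analytics event. `vtr_param` is always the raw
  # string the SP sent; `vtr` is the parsed value and may be nil.
  def self.analytics_properties(vtr_param:, acr_values: nil)
    parsed = parse(vtr_param)
    {
      vtr_param: vtr_param,
      vtr: parsed,
      acr_values: acr_values,
      vtr_parse_failed: !vtr_param.nil? && parsed.nil?,
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one valid, one malformed.
  puts VtrExample.analytics_properties(vtr_param: 'Pb').inspect
  puts VtrExample.analytics_properties(vtr_param: 'Xz.Pb').inspect
end
```

With `vtr_parse_failed` as a dedicated boolean, a dashboard can alert on SPs sending values the parser rejects without having to infer that from `vtr` being nil, which also happens legitimately when no VTR is sent at all.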
#10324)

We have several rate limits that are enforced when the user visits the verify-by-mail code entry screen:

1. _OTP Rate-Limit_: This limit applies to OTP entries. After the user has entered too many OTPs this is enforced and the user is redirected to an error screen.
2. _Letter request limit_: This limit applies to letter requests. After the user has requested too many letters, or if the user's profile is too old, the user no longer sees the option to request a new letter.

The enter code screen enforced these limits but did not add any indicator to the logs that it was doing so. This commit adds properties to the analytics event for each of these cases so we can monitor how the app is behaving.

[skip changelog]
The `Idv::ByMail::EnterCodeController` is responsible for rendering a screen where the user can enter their code. It renders a form for the user to enter a code in 2 contexts:

1. When the user signs in with a pending GPO profile
2. When the user clicks on the "sign in to request another letter" link on the "Finish verifying your identity" reminder email

These contexts are conveyed to the view using the `@user_did_not_receive_letter` and several changes are made accordingly.

In [LG-11753](https://cm-jira.usa.gov/browse/LG-11753) and [LG-12064](https://cm-jira.usa.gov/browse/LG-12064) we are making dramatic changes to these screens. Both contexts look very different so this commit breaks them into partials so they can be done independently. There is some shared code that is moved into the partials that can be moved out when this work is finished. Namely the alert that a user cannot send more letters and the "Return to your profile" link on the bottom of the page. I have opted to move everything into the partials so we can modify the screens separately and then break out shared content in a follow up.

[skip changelog]
Bumps [libphonenumber-js](https://gitlab.com/catamphetamine/libphonenumber-js) from 1.10.58 to 1.10.59.

- [Changelog](https://gitlab.com/catamphetamine/libphonenumber-js/blob/master/CHANGELOG.md)
- [Commits](https://gitlab.com/catamphetamine/libphonenumber-js/compare/v1.10.58...v1.10.59)

---
updated-dependencies:
- dependency-name: libphonenumber-js
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…0283)

* changelog: User-Facing Improvements, Doc Auth, Add Acuant SDK v11.9.3 files + update docs
* Add 11.9.3 files
* Updating docs about testing the SDK
* Add spec capturing behavior of have_logged_event

  No functionality changes, just a spec documenting what it is currently doing. This requires (kind of awkwardly) putting a _spec.rb file in the support/ dir, so I had to modify what rails_helper.rb does (to prevent spec from running on _every_ rspec run)

  [skip changelog]
* Update generated comment

  Mostly removing this comment, since we're now doing the thing it warns about.
* Use named subject in spec
* Move PiiAlerter specs into fake_analytics_spec.rb
* Move UndocumentedParamsChecker specs into fake_analytics_spec.rb
* Attempt to clarify the expect-and-expect to do something code
* Fix stray reference to `subject`
* Remove tests from analytics_spec.rb
* Simplify passing of proc to expect()

  Co-authored-by: Zach Margolis <zachary.margolis@gsa.gov>

---------

Co-authored-by: Zach Margolis <zachary.margolis@gsa.gov>
* Remove legacy, first crack at adding total pending
* Break results out of events
* Removes USPS line and updates spec

  changelog: Internal, Data Reporting, Adds Workflow Complete - Total Pending to the Drop Off Report
* Make lint happy
* Let's be friends, rubocop.
* Update lib/reporting/drop_off_report.rb

  Co-authored-by: Andrew Duthie <1779930+aduth@users.noreply.github.com>

---------

Co-authored-by: Andrew Duthie <1779930+aduth@users.noreply.github.com>
changelog: Internal, Bug Fix, Remove Rack::ContentLength from being loaded outside of Rails
Prior to this commit the verify-by-mail OTP submission would add errors to the flash and redirect to the OTP entry path. This led to a couple of problems:

1. The error for the OTP appeared in the flash instead of on the OTP field
2. The `did_not_receive_letter` param was not sticky, i.e. when a user submitted the OTP it would switch back to the "Welcome back" UI. This was because the param was not present on the redirected URL.

This commit changes the implementation to more closely match what we would expect from a controller using the [Form Object Pattern](https://dev.to/drbragg/rails-design-patterns-form-object-4d47). Specifically the `#create` action no longer redirects, but renders the `index` template with the `GpoVerifyForm` that was used for submission and thus has all of the errors and context for the submission.

One wrinkle with this approach is I had to set the `@can_request_another_letter`, `@user_did_not_receive_letter`, and `@last_date_letter_was_sent` ivars in the create action and in the index action. I opted to add a `#render_enter_code_form` method which handles setting up these ivars and rendering the index template.

I also had to add a hidden input to the form with the `did_not_receive_letter` param so it appears in the params on submission.

[skip changelog]
* LG-12756 Spell canceled consistently

  **Why**:
  - Use the standard TTS practice of American English spelling everywhere.

  **How**:
  - Change the user-facing text and i18n keys
  - Add a test to check for commonly misspelled words
  - Refactor `locale` variable assignment in spec/i18n_spec.rb

  changelog: User-Facing Improvements, Messages, Use the American spelling of canceled consistently
* Add cancel button to how to verify view
* specs for how to verify view
* changelog: Upcoming Features, In-person proofing, Added Cancel link to the how to verify view that is currently turned off
* fix linter violation
* Refactor failure messages out into methods + heredoc strings
* Refactor out failure_message_with_diff

  Provide a general-purpose method for displaying an event mismatch with an attribute diff.
* Improve failure messages for hash_including
* Always report event name using .inspect

  Distinguish strings from symbols
* Don't say 'with nil'
* Refactor have_logged_event matcher into a class

  Apparently these class matchers have additional flexibility.
* Add CountExpectation to HaveLoggedEventMatcher

  Enables stuff like expect(analytics).to have_logged_event(:whatever).thrice
* Improve formatting of failure messages

  Try and say 'include()' or 'hash_including()' in failure messages
* Fix hash_including usage in get_usps_proofing_results_job_spec.rb
* changelog: Internal, Analytics, Additional features for analytics log testing
* LG-12631: WIP
* LG-12631: deal with back button on ipp prepare page.
* LG-12631: UI update and tests.
* LG-12631: translation format.
* LG-12631: Use conditional action.

  changelog: User-Facing Improvements, Doc Auth, Allow user select IPP if available from handoff page.
* LG-12631: test update.
* LG-12631: erb template test update.
* LG-12631: explicitly allow skip handoff in test.
* LG-12631: introduce dedicated flag for choosing IPP from handoff page.
* LG-12631: set step indicator correctly.
* LG-12631: rename controller var to avoid confusion.
* LG-12631: update tests WIP.
* LG-12631: update tests WIP.
* LG-12631: update tests WIP.
* LG-12631: update tests for various scenarios.
* LG-12631: update tests for various scenarios.
* LG-12631: update based on comments.
* LG-12631: fix tests.
* LG-12631: some minor changes.
* LG-12631: extra character.
* LG-12631: check whether the consent was given upon direct access of ipp.
* LG-12631: update test to confirm IPP from how to verify page.
* LG-12631: minor change.
changelog: Internal, Performance, Refactor component values into constant Co-authored-by: Zach Margolis <zachary.margolis@gsa.gov>
* Convert a few classes to be more thread-safe

  changelog: Internal, Performance, Convert a few classes to be more thread-safe
* Update app/services/profanity_detector.rb

  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
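The two commits above (refactoring component values into a constant, and making a few service classes thread-safe) describe the same underlying concern: class-level state shared across request threads. The following is an added Ruby example, not login.gov code and not the contents of `app/services/profanity_detector.rb`, which this page does not show. The word list and class names are constructed for illustration. It contrasts a lazily memoized mutable cache with the two safe shapes: a frozen constant computed at load time, and, where laziness is genuinely needed, a Mutex-guarded initializer that publishes only a fully built, frozen object.

```ruby
# Added example (not login.gov code): three ways a class-level word list can
# be shared across threads, from unsafe to safe.

# Unsafe: `||=` is a read-then-write. Two threads can both observe nil and
# both run the initializer; worse, the Array is mutated after another thread
# may already hold a reference to it, so a reader can see a half-built list.
class UnsafeWordList
  @words = nil

  def self.words
    @words ||= begin
      list = []
      %w[alpha beta gamma].each { |w| list << w } # mutation window
      list
    end
  end
end

# Safe, preferred: compute once at load time into a frozen constant (the
# "refactor component values into constant" shape). Nothing is mutated after
# the constant is published, so no synchronization is needed.
class FrozenWordList
  WORDS = %w[alpha beta gamma].map(&:freeze).freeze

  def self.words
    WORDS
  end
end

# Safe when the value must be lazy (expensive to build): guard the initializer
# with a Mutex and only ever publish a complete, frozen object. The unlocked
# fast path reads a single reference that is either nil or fully built.
class MutexWordList
  @words = nil
  @lock = Mutex.new
  @builds = 0 # how many times the initializer actually ran

  class << self
    attr_reader :builds

    def words
      built = @words
      return built if built

      @lock.synchronize do
        @words ||= begin
          @builds += 1
          %w[alpha beta gamma].map(&:freeze).freeze
        end
      end
    end
  end
end

module ThreadSafetyExample
  # Hits MutexWordList.words from `n` threads at once and returns
  # [distinct objects observed, number of times the initializer ran].
  # Both should be 1 regardless of how the threads interleave.
  def self.stress(n = 50)
    threads = Array.new(n) { Thread.new { MutexWordList.words } }
    results = threads.map(&:value)
    [results.map(&:object_id).uniq.size, MutexWordList.builds]
  end
end

if __FILE__ == $PROGRAM_NAME
  distinct, builds = ThreadSafetyExample.stress
  puts "distinct objects: #{distinct}, initializer runs: #{builds}"
end
```

A useful review check when auditing a class for this: every class-level `@ivar ||=` or `@@cvar ||=` either becomes a frozen constant, or is wrapped in a Mutex and assigns a frozen value; anything that mutates a shared Array or Hash after it has been handed out is a bug waiting for load.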
…ure div (#10339)

* Move the hint text inside the capture div
* changelog: Bug Fixes, Selfie, Show missing hint text for users on Android/Chrome
* Fix slightly weird error message when has extra arg

  It was showing the "attributes ignored by the matcher:" thing when we're not using a matcher. Also added a spec to check that it fails when extra args are logged that are not in the hash
* [skip changelog]
* Update spec/support/have_logged_event_matcher.rb

  Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>

---------

Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
* Update IdvController spec to use have_logged_event and remove allowed_extra_analytics: [:*]

  [skip changelog]
* Remove step_name from spec
#10270)

* Add active_profile_idv_level and pending_profile_idv_level to logging
* Add profile_history to IdV analytics events

  Summarize the history of a user's profiles in IdV analytics events

  changelog: Internal, Identity verification, Include profile metadata in analytics logs
* Rework active_profile / pending_profile a little

  Just return the levels, and use .presence to ensure falsey values are nil so they're compacted properly
* Only send profile_history to certain methods

  It's a lot of data and we want to keep average event payload size low.
* Add arguments to analytics_events.rb

  Adding the following to covered methods:
  - active_profile_idv_level
  - pending_profile_idv_level
  - profile_history

  Also making sure proofing_components is documented appropriately.
* Update analytics feature spec

  Sprinkle all these new args around a little.
* Update controller specs

  Rather than add `active_profile_idv_level: nil, pending_profile_idv_level: nil` everywhere, I moved many of these over to using hash_including, which I think makes it clearer what these specs actually _care_ about checking.
* Update cancel idv feature spec
* update layout and remove radio buttons
* fix routing on submission and add en strings
* add es and fr strings
* update hash syntax
* lint fix
* update navigation test case
* remove helper method and use new btns
* update helper function
* remove unused keys
* update html to comply with a11y
* changelog: User-Facing Improvements, how to verify page, update content
* update es translation and remove comments
* delete erroneous class
* moved btn out of label and added aria labels to forms
* update en text and use h2
* update fr translations
* move button
* fix lint issues
* User-Facing Improvements, Piv/Cac, add Migration to add piv visited at column
* update schema
* put back pgcrypto
* changelog: User-Facing Improvements, PIV/CAC, Piv Migration for added check on user
* update schema and change to dismissed at
* remove unneeded migration
* fix schema
* rename method to to instead of on
* changelog: Upcoming Features, Account reset, Don't let account reset fraud users
* rubocop
* login options presenter
* pending controller specs
* Account Reset spec
* update pending specs
* LG-11784: users will see over again
* fix spec
* spanish and french
* normalize_yaml
* use nil instead of 0 for check
* change to use specific hours rather than whether feature is on
* refactor account reset concern
* fraud period
* fix concern
* account reset concern fix
* fix user mailer
* use the reset concern in pending presenter
* pending presenter spec
* en
* normalize_yaml
* make sure to use proper naming
* move over to grant request
* grant request
* change method to work
* commenting presenter to use proper language
* add spec for grant request
* leverage reset concern
* Add spec for find pending request fraud check
* make sure second step can handle the new step language
* LG-11784: add check for when wait period for fraud isn't set
* Regular wait period check for fraud users resetting
* Add spec checks for when account reset is nil
* added new redirection for case when user fails ipp with fraud review pending
* add new method on user to handle some logic done elsewhere but shared
* changelog: Bug Fixes, In-Person Proofing, show the user the correct screen when they fail ipp with fraud review pending
* lintered
* fixing small spec issues related to how to verify page changes
* Bug Fixes, In-Person Proofing, fix spec failures related to changes to how to verify page
* changelog: Bug Fixes, In-Person Proofing, fix spec failures related to changes to how to verify page
aduth requested review from matthinz, zachmargolis, jmhooper, mitchellhenke and vrajmohan (April 2, 2024 12:47)
aduth requested review from Jeremy1026, charleyf, JackRyan1989, svalexander, mdiarra3, night-jellyfish, gina-yamada and dawei-nava (April 2, 2024 12:47)
mdiarra3 approved these changes (Apr 2, 2024)
JackRyan1989 approved these changes (Apr 2, 2024)
Labels: User-Facing Improvements, Bug Fixes, Internal, Upcoming Features