Merge pull request #11300 from 18F/stages/rc-2024-10-01

Deploy RC 418 to Production
18F · Oct 1, 2024 · e5e530f · e5e530f
2 parents 7750487 + 6d74fa1
commit e5e530f
Show file tree

Hide file tree

Showing 32 changed files with 1,027 additions and 122 deletions.
diff --git a/app/controllers/concerns/idv/verify_info_concern.rb b/app/controllers/concerns/idv/verify_info_concern.rb
@@ -31,7 +31,10 @@ def shared_update
 
       idv_session.verify_info_step_document_capture_session_uuid = document_capture_session.uuid
 
-      Idv::Agent.new(pii).proof_resolution(
+      user_pii = pii
+      user_pii[:best_effort_phone_number_for_socure] = best_effort_phone
+
+      Idv::Agent.new(user_pii).proof_resolution(
         document_capture_session,
         trace_id: amzn_trace_id,
         user_id: current_user.id,
@@ -48,6 +51,14 @@ def log_event_for_missing_threatmetrix_session_id
       analytics.idv_verify_info_missing_threatmetrix_session_id if idv_session.ssn_step_complete?
     end
 
+    def best_effort_phone
+      if idv_session.phone_for_mobile_flow
+        { source: :hybrid_handoff, phone: idv_session.phone_for_mobile_flow }
+      elsif current_user.default_phone_configuration
+        { source: :mfa, phone: current_user.default_phone_configuration.formatted_phone }
+      end
+    end
+
     private
 
     def ipp_enrollment_in_progress?
@@ -192,6 +203,15 @@ def async_state_done(current_async_state)
         },
       )
 
+      threatmetrix_reponse_body = form_response.extra.dig(
+        :proofing_results, :context, :stages, :threatmetrix, :response_body
+      )
+      if threatmetrix_reponse_body.present?
+        analytics.idv_threatmetrix_response_body(
+          response_body: threatmetrix_reponse_body,
+        )
+      end
+
       summarize_result_and_rate_limit(form_response)
       delete_async
 

diff --git a/app/forms/register_user_email_form.rb b/app/forms/register_user_email_form.rb
@@ -170,7 +170,7 @@ def send_sign_up_confirmed_email
       )
     else
       UserMailer.with(user: existing_user, email_address: email_address_record).
-        signup_with_your_email.deliver_now_or_later
+        signup_with_your_email(request_id: request_id).deliver_now_or_later
     end
   end
 

diff --git a/app/jobs/socure_shadow_mode_proofing_job.rb b/app/jobs/socure_shadow_mode_proofing_job.rb
@@ -42,6 +42,7 @@ def perform(
     analytics.idv_socure_shadow_mode_proofing_result(
       resolution_result: format_proofing_result_for_logs(proofing_result),
       socure_result: socure_result.to_h,
+      phone_source: applicant[:phone_source],
       user_id: user.uuid,
       pii_like_keypaths: [
         [:errors, :ssn],
@@ -91,6 +92,10 @@ def build_applicant(
     )
 
     applicant_pii = decrypted_arguments[:applicant_pii]
+    if applicant_pii[:phone].nil? && applicant_pii[:best_effort_phone_number_for_socure]
+      applicant_pii[:phone] = applicant_pii[:best_effort_phone_number_for_socure][:phone]
+      applicant_pii[:phone_source] = applicant_pii[:best_effort_phone_number_for_socure][:source]
+    end
 
     {
       **applicant_pii.slice(
@@ -102,6 +107,7 @@ def build_applicant(
         :state,
         :zipcode,
         :phone,
+        :phone_source,
         :dob,
         :ssn,
         :consent_given_at,

diff --git a/app/mailers/user_mailer.rb b/app/mailers/user_mailer.rb
@@ -73,9 +73,9 @@ def email_confirmation_instructions(token, request_id:)
     end
   end
 
-  def signup_with_your_email
+  def signup_with_your_email(request_id:)
     with_user_locale(user) do
-      @root_url = root_url(locale: locale_url_param)
+      @root_url = root_url(locale: locale_url_param, request_id: request_id)
       mail(to: email_address.email, subject: t('mailer.email_reuse_notice.subject'))
     end
   end
@@ -242,13 +242,16 @@ def add_email_associated_with_another_account
     end
   end
 
-  def account_verified(date_time:, sp_name:)
+  def account_verified(profile:)
+    attachments.inline['verified.png'] =
+      Rails.root.join('app/assets/images/email/user-signup-ial2.png').read
     with_user_locale(user) do
-      @date = I18n.l(date_time, format: :event_date)
-      @sp_name = sp_name
+      @presenter = Idv::AccountVerifiedEmailPresenter.new(profile:)
+      @hide_title = true
+      @date = I18n.l(profile.verified_at, format: :event_date)
       mail(
         to: email_address.email,
-        subject: t('user_mailer.account_verified.subject', sp_name: @sp_name),
+        subject: t('user_mailer.account_verified.subject', app_name: APP_NAME),
       )
     end
   end

diff --git a/app/presenters/idv/account_verified_email_presenter.rb b/app/presenters/idv/account_verified_email_presenter.rb
@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Idv
+  class AccountVerifiedEmailPresenter
+    include Rails.application.routes.url_helpers
+
+    attr_reader :profile
+
+    def initialize(profile:)
+      @profile = profile
+    end
+
+    def service_provider
+      profile.initiating_service_provider
+    end
+
+    def show_cta?
+      !service_provider || service_provider_homepage_url.present?
+    end
+
+    def sign_in_url
+      service_provider_homepage_url || root_url
+    end
+
+    def service_provider_homepage_url
+      sp_return_url_resolver.homepage_url if service_provider
+    end
+
+    def sp_name
+      service_provider&.friendly_name || APP_NAME
+    end
+
+    def url_options
+      {}
+    end
+
+    private
+
+    def sp_return_url_resolver
+      SpReturnUrlResolver.new(service_provider: service_provider)
+    end
+  end
+end
diff --git a/app/services/analytics.rb b/app/services/analytics.rb
@@ -134,13 +134,28 @@ def sp_request_attributes
       [v.name.sub('http://idmanagement.gov/ns/assurance/', ''), true]
     end.to_h
     attributes.reject! { |_key, value| value == false }
+
+    if differentiator.present?
+      attributes[:app_differentiator] = differentiator
+    end
+
     attributes.transform_keys! do |key|
       key.to_s.chomp('?').to_sym
     end
 
     { sp_request: attributes }
   end
 
+  def differentiator
+    return @differentiator if defined?(@differentiator)
+    @differentiator ||= begin
+      sp_request_url = session&.dig(:sp, :request_url)
+      return nil if sp_request_url.blank?
+
+      UriService.params(sp_request_url)['login_gov_app_differentiator']
+    end
+  end
+
   def resolved_authn_context_result
     return nil if sp.nil? || session[:sp].blank?
     return @resolved_authn_context_result if defined?(@resolved_authn_context_result)

diff --git a/app/services/analytics_events.rb b/app/services/analytics_events.rb
@@ -4591,14 +4591,17 @@ def idv_session_error_visited(
   # Logs a Socure KYC result alongside a resolution result for later comparison.
   # @param [Hash] socure_result Result from Socure KYC API call
   # @param [Hash] resolution_result Result from resolution proofing
+  # @param [String,nil] phone_source Whether the phone number is from MFA or hybrid handoff
   def idv_socure_shadow_mode_proofing_result(
     socure_result:,
     resolution_result:,
+    phone_source:,
     **extra
   )
     track_event(
       :idv_socure_shadow_mode_proofing_result,
       resolution_result: resolution_result.to_h,
+      phone_source:,
       socure_result: socure_result.to_h,
       **extra,
     )
@@ -4654,6 +4657,19 @@ def idv_start_over(
     )
   end
 
+  # The JSON body of the response returned from Threatmetrix. PII has been removed.
+  # @param [Hash] response_body The response body returned by ThreatMetrix
+  def idv_threatmetrix_response_body(
+    response_body: nil,
+    **extra
+  )
+    track_event(
+      :idv_threatmetrix_response_body,
+      response_body: response_body,
+      **extra,
+    )
+  end
+
   # Track when USPS auth token refresh job completed
   def idv_usps_auth_token_refresh_job_completed(**extra)
     track_event(

diff --git a/app/services/idv/analytics_events_enhancer.rb b/app/services/idv/analytics_events_enhancer.rb
@@ -98,6 +98,7 @@ module AnalyticsEventsEnhancer
       idv_sdk_selfie_image_capture_opened
       idv_selfie_image_added
       idv_session_error_visited
+      idv_threatmetrix_response_body
       idv_usps_auth_token_refresh_job_completed
       idv_usps_auth_token_refresh_job_network_error
       idv_usps_auth_token_refresh_job_started

diff --git a/app/services/proofing/aamva/proofer.rb b/app/services/proofing/aamva/proofer.rb
@@ -28,6 +28,8 @@ class Proofer
         first_name
       ].freeze
 
+      REQUIRED_IF_PRESENT_ATTRIBUTES = [:state_id_expiration].freeze
+
       ADDRESS_ATTRIBUTES = [
         :address1,
         :address2,
@@ -56,6 +58,7 @@ def proof(applicant)
         ).send_verification_request(
           applicant: aamva_applicant,
         )
+
         build_result_from_response(response, applicant[:state])
       rescue => exception
         failed_result = Proofing::StateIdResult.new(
@@ -133,6 +136,11 @@ def successful?(verification_response)
           return false unless verification_response.verification_results[verification_attribute]
         end
 
+        REQUIRED_IF_PRESENT_ATTRIBUTES.each do |verification_attribute|
+          value = verification_response.verification_results[verification_attribute]
+          return false unless value.nil? || value == true
+        end
+
         true
       end
 

diff --git a/app/services/proofing/resolution/progressive_proofer.rb b/app/services/proofing/resolution/progressive_proofer.rb
@@ -32,7 +32,7 @@ def proof(
         ipp_enrollment_in_progress:,
         current_sp:
       )
-        @applicant_pii = applicant_pii
+        @applicant_pii = applicant_pii.except(:best_effort_phone_number_for_socure)
         @request_ip = request_ip
         @threatmetrix_session_id = threatmetrix_session_id
         @timer = timer

diff --git a/app/services/proofing/socure/id_plus/proofer.rb b/app/services/proofing/socure/id_plus/proofer.rb
@@ -33,7 +33,7 @@ def initialize(config)
         # @param [Hash] applicant
         # @return [Proofing::Resolution::Result]
         def proof(applicant)
-          input = Input.new(applicant)
+          input = Input.new(applicant.except(:phone_source))
 
           request = Request.new(config:, input:)
 

diff --git a/app/services/user_alerts/alert_user_about_account_verified.rb b/app/services/user_alerts/alert_user_about_account_verified.rb
@@ -4,11 +4,9 @@ module UserAlerts
   class AlertUserAboutAccountVerified
     def self.call(profile:)
       user = profile.user
-      sp_name = profile.initiating_service_provider&.friendly_name || APP_NAME
       user.confirmed_email_addresses.each do |email_address|
         UserMailer.with(user: user, email_address: email_address).account_verified(
-          date_time: profile.verified_at,
-          sp_name: sp_name,
+          profile: profile,
         ).deliver_now_or_later
       end
     end

diff --git a/app/views/user_mailer/account_verified.html.erb b/app/views/user_mailer/account_verified.html.erb
@@ -1,15 +1,67 @@
-<p class="lead">
+<%= image_tag(
+      attachments['verified.png'].url,
+      width: 140,
+      height: 177,
+      alt: '',
+      role: 'img',
+      class: 'float-center padding-bottom-4',
+    ) %>
+
+<h1><%= message.subject %></h1>
+
+<p>
+  <%= t('user_mailer.account_verified.greeting') %>
+</p>
+<p>
+  <%= t('user_mailer.account_verified.intro', date: @date) %>
+</p>
+
+<p>
+<% if @presenter.service_provider.present? %>
+  <% if @presenter.show_cta? %>
+    <%= t('user_mailer.account_verified.next_sign_in.with_sp.with_cta', sp_name: @presenter.service_provider.friendly_name) %>
+  <% else %>
+    <%= t('user_mailer.account_verified.next_sign_in.with_sp.without_cta', sp_name: @presenter.service_provider.friendly_name) %>
+  <% end %>
+<% else %>
+  <%= t('user_mailer.account_verified.next_sign_in.without_sp', app_name: APP_NAME) %>
+<% end %>
+</p>
+
+<% if @presenter.show_cta? %>
+  <table class="button expanded large radius">
+    <tbody>
+    <tr>
+      <td>
+        <table>
+          <tbody>
+          <tr>
+            <td>
+              <%= link_to t('user_mailer.account_verified.sign_in'), @presenter.sign_in_url,
+                          target: '_blank', class: 'btn-warn', rel: 'noopener' %>
+            </td>
+          </tr>
+          </tbody>
+        </table>
+      </td>
+    </tr>
+    </tbody>
+  </table>
+  <p>
+    <%= link_to(@presenter.sign_in_url, @presenter.sign_in_url, target: '_blank', rel: 'noopener') %>
+  </p>
+<% end %>
+
+<p>
   <%= t(
-        'user_mailer.account_verified.intro_html',
-        sp_name: @sp_name,
-        app_name: APP_NAME,
-        date: @date,
+        'user_mailer.account_verified.warning_contact_us_html',
         change_password_link_html: link_to(
           t('user_mailer.account_verified.change_password_link'),
           new_user_password_url,
         ),
-        contact_link_html: link_to(t('user_mailer.account_verified.contact_link'), MarketingSite.contact_url),
-      ) %>
+        contact_link_html: link_to(t('user_mailer.account_verified.contact_link', app_name: APP_NAME), MarketingSite.contact_url),
+      )
+  %>
 </p>
 
 <table class="spacer">

diff --git a/config/locales/en.yml b/config/locales/en.yml
@@ -1804,9 +1804,15 @@ user_mailer.account_reset_request.header: Your account will be deleted in %{inte
 user_mailer.account_reset_request.intro_html: 'As a security measure, %{app_name} requires a two-step process to delete your account:<br><br> Step One: There is a waiting period of %{waiting_period} if you have lost access to your authentication methods and need to delete your account. If you locate your authentication methods, you can sign in to your %{app_name} account to cancel this request.<br><br> Step Two: After the waiting period of %{waiting_period}, you will receive an email that will ask you to confirm the deletion of your %{app_name} account. Your account will not be deleted until you confirm.'
 user_mailer.account_reset_request.subject: How to delete your %{app_name} account
 user_mailer.account_verified.change_password_link: change your password
-user_mailer.account_verified.contact_link: contact us
-user_mailer.account_verified.intro_html: You successfully verified your identity with %{sp_name} on %{date} using %{app_name}. If you did not perform this action, please %{contact_link_html} and sign in to %{change_password_link_html}.
-user_mailer.account_verified.subject: You verified your identity with %{sp_name}.
+user_mailer.account_verified.contact_link: contact %{app_name} support
+user_mailer.account_verified.greeting: Hello,
+user_mailer.account_verified.intro: You successfully verified your identity on %{date}.
+user_mailer.account_verified.next_sign_in.with_sp.with_cta: Next, click the button or copy the link below to access %{sp_name} and sign in.
+user_mailer.account_verified.next_sign_in.with_sp.without_cta: You can now sign in from %{sp_name}’s website.
+user_mailer.account_verified.next_sign_in.without_sp: Next, click the button or copy the link below to sign in to %{app_name}.
+user_mailer.account_verified.sign_in: Sign in
+user_mailer.account_verified.subject: You successfully verified your identity with %{app_name}
+user_mailer.account_verified.warning_contact_us_html: If you did not attempt to verify your identity, please sign in to %{change_password_link_html}. To report this, %{contact_link_html}.
 user_mailer.add_email_associated_with_another_account.help_html: If you did not request a new email or suspect an error, please visit the %{app_name_html} %{help_link_html} or %{contact_link_html}.
 user_mailer.add_email_associated_with_another_account.intro_html: This email address is already associated with a %{app_name_html} account, so we can’t add it to another account. You must first delete or remove it from the account it is associated with. To do this, follow the link below and sign in with this email address. If you are not trying to add this email address to an account, you can ignore this message.
 user_mailer.add_email_associated_with_another_account.link_text: Go to %{app_name}