Merge pull request #6464 from 18F/stages/rc-2022-06-09

Deploy RC 194 to Prod

app/controllers/account_reset/request_controller.rb

@@ -24,7 +24,7 @@ def create_account_reset_request
     def confirm_two_factor_enabled
       return if MfaPolicy.new(current_user).two_factor_enabled?
 
-      redirect_to two_factor_options_url
+      redirect_to authentication_methods_setup_url
     end
 
     def analytics_attributes

app/controllers/api/verify/base_controller.rb

@@ -0,0 +1,26 @@
+module Api
+  module Verify
+    class BaseController < ApplicationController
+      include RenderConditionConcern
+
+      class_attribute :required_step
+
+      check_or_render_not_found -> do
+        if self.class.required_step.blank?
+          raise NotImplementedError, 'Controller must define required_step'
+        end
+        IdentityConfig.store.idv_api_enabled_steps.include?(self.class.required_step)
+      end
+      before_action :confirm_two_factor_authenticated_for_api
+
+      respond_to :json
+
+      private
+
+      def confirm_two_factor_authenticated_for_api
+        return if user_fully_authenticated?
+        render json: { error: 'user is not fully authenticated' }, status: :unauthorized
+      end
+    end
+  end
+end

app/controllers/api/verify/password_confirm_controller.rb

@@ -1,6 +1,8 @@
 module Api
   module Verify
-    class PasswordConfirmController < Api::BaseController
+    class PasswordConfirmController < BaseController
+      self.required_step = 'password_confirm'
+
       def create
         result, personal_key = Api::ProfileCreationForm.new(
           password: verify_params[:password],
@@ -12,9 +14,10 @@ def create
         if result.success?
           user = User.find_by(uuid: result.extra[:user_uuid])
           add_proofing_component(user)
-          render json: { personal_key: personal_key,
-                         profile_pending: result.extra[:profile_pending] },
-                 status: :ok
+          render json: {
+            personal_key: personal_key,
+            completion_url: completion_url(result),
+          }
         else
           render json: { error: result.errors }, status: :bad_request
         end
@@ -29,6 +32,16 @@ def verify_params
       def add_proofing_component(user)
         ProofingComponent.create_or_find_by(user: user).update(verified_at: Time.zone.now)
       end
+
+      def completion_url(result)
+        if result.extra[:profile_pending]
+          idv_come_back_later_url
+        elsif current_sp
+          sign_up_completed_url
+        else
+          account_url
+        end
+      end
     end
   end
 end

app/controllers/api/verify/password_reset_controller.rb

@@ -1,6 +1,8 @@
 module Api
   module Verify
-    class PasswordResetController < Api::BaseController
+    class PasswordResetController < BaseController
+      self.required_step = 'password_confirm'
+
       def create
         analytics.idv_forgot_password_confirmed
         request_id = sp_session[:request_id]

app/controllers/application_controller.rb

@@ -186,7 +186,8 @@ def add_piv_cac_setup_url
   end
 
   def service_provider_mfa_setup_url
-    service_provider_mfa_policy.user_needs_sp_auth_method_setup? ? two_factor_options_url : nil
+    service_provider_mfa_policy.user_needs_sp_auth_method_setup? ?
+      authentication_methods_setup_url : nil
   end
 
   def fix_broken_personal_key_url
@@ -312,7 +313,7 @@ def prompt_to_sign_in_with_request_id(request_id)
   end
 
   def prompt_to_setup_mfa
-    redirect_to two_factor_options_url
+    redirect_to authentication_methods_setup_url
   end
 
   def prompt_to_verify_mfa

app/controllers/concerns/render_condition_concern.rb

@@ -3,7 +3,7 @@ module RenderConditionConcern
 
   module ClassMethods
     def check_or_render_not_found(callable, **kwargs)
-      before_action(**kwargs) { render_not_found if !callable.call }
+      before_action(**kwargs) { render_not_found if !instance_exec(&callable) }
     end
   end
 end

app/controllers/concerns/two_factor_authenticatable_methods.rb

@@ -18,14 +18,14 @@ def authenticate_user
   end
 
   def handle_second_factor_locked_user(type)
-    analytics.track_event(Analytics::MULTI_FACTOR_AUTH_MAX_ATTEMPTS)
+    analytics.multi_factor_auth_max_attempts
     event = PushNotification::MfaLimitAccountLockedEvent.new(user: current_user)
     PushNotification::HttpPush.deliver(event)
     handle_max_attempts(type + '_login_attempts')
   end
 
   def handle_too_many_otp_sends
-    analytics.track_event(Analytics::MULTI_FACTOR_AUTH_MAX_SENDS)
+    analytics.multi_factor_auth_max_sends
     handle_max_attempts('otp_requests')
   end
 

app/controllers/idv/review_controller.rb

@@ -120,16 +120,7 @@ def need_personal_key_confirmation?
     end
 
     def next_step
-      if idv_api_personal_key_step_enabled?
-        idv_app_url
-      else
-        idv_personal_key_url
-      end
-    end
-
-    def idv_api_personal_key_step_enabled?
-      return false if idv_session.address_verification_mechanism == 'gpo'
-      IdentityConfig.store.idv_api_enabled_steps.include?('personal_key')
+      idv_personal_key_url
     end
   end
 end

app/controllers/openid_connect/authorization_controller.rb

@@ -83,9 +83,7 @@ def track_authorize_analytics(result)
       analytics_attributes = result.to_h.except(:redirect_uri).
                              merge(user_fully_authenticated: user_fully_authenticated?)
 
-      analytics.track_event(
-        Analytics::OPENID_CONNECT_REQUEST_AUTHORIZATION, analytics_attributes
-      )
+      analytics.openid_connect_request_authorization(**analytics_attributes)
     end
 
     def identity_needs_verification?

app/controllers/openid_connect/token_controller.rb

@@ -8,7 +8,7 @@ def create
       @token_form = OpenidConnectTokenForm.new(token_params)
 
       result = @token_form.submit
-      analytics.track_event(Analytics::OPENID_CONNECT_TOKEN, result.to_h)
+      analytics.openid_connect_token(**result.to_h)
 
       render json: @token_form.response,
              status: (result.success? ? :ok : :bad_request)

app/controllers/openid_connect/user_info_controller.rb

@@ -16,7 +16,7 @@ def show
     def authenticate_identity_via_bearer_token
       verifier = AccessTokenVerifier.new(request.env['HTTP_AUTHORIZATION'])
       response = verifier.submit
-      analytics.track_event(Analytics::OPENID_CONNECT_BEARER_TOKEN, response.to_h)
+      analytics.openid_connect_bearer_token(**response.to_h)
 
       if response.success?
         @current_identity = verifier.identity

app/controllers/sign_up/passwords_controller.rb

@@ -75,7 +75,7 @@ def process_unsuccessful_password_creation
 
     def sign_in_and_redirect_user
       sign_in @user
-      redirect_to two_factor_options_url
+      redirect_to authentication_methods_setup_url
     end
   end
 end

app/controllers/two_factor_authentication/options_controller.rb

@@ -26,13 +26,13 @@ class OptionsController < ApplicationController
     def index
       @two_factor_options_form = TwoFactorLoginOptionsForm.new(current_user)
       @presenter = two_factor_options_presenter
-      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_OPTION_LIST_VISIT)
+      analytics.multi_factor_auth_option_list_visit
     end
 
     def create
       @two_factor_options_form = TwoFactorLoginOptionsForm.new(current_user)
       result = @two_factor_options_form.submit(two_factor_options_form_params)
-      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_OPTION_LIST, result.to_h)
+      analytics.multi_factor_auth_option_list(**result.to_h)
 
       if result.success?
         process_valid_form

app/controllers/two_factor_authentication/otp_verification_controller.rb

@@ -78,9 +78,7 @@ def form_params
 
     def post_analytics(result)
       properties = result.to_h.merge(analytics_properties)
-      if context == 'confirmation'
-        analytics.track_event(Analytics::MULTI_FACTOR_AUTH_SETUP, properties)
-      end
+      analytics.multi_factor_auth_setup(**properties) if context == 'confirmation'
 
       analytics.track_mfa_submit_event(properties)
     end

app/controllers/two_factor_authentication/personal_key_verification_controller.rb

@@ -26,7 +26,7 @@ def create
     def check_personal_key_enabled
       return if TwoFactorAuthentication::PersonalKeyPolicy.new(current_user).enabled?
 
-      redirect_to two_factor_options_url
+      redirect_to authentication_methods_setup_url
     end
 
     def presenter_for_two_factor_authentication_method
@@ -97,7 +97,7 @@ def handle_valid_otp
       elsif MfaPolicy.new(current_user).two_factor_enabled?
         redirect_to after_mfa_setup_path
       else
-        redirect_to two_factor_options_url
+        redirect_to authentication_methods_setup_url
       end
       reset_otp_session_data
     end

app/controllers/two_factor_authentication/sms_opt_in_controller.rb

@@ -65,7 +65,7 @@ def load_phone
 
     def other_options_mfa_url
       if new_user?
-        two_factor_options_path
+        authentication_methods_setup_path
       elsif has_other_auth_methods? && !user_fully_authenticated?
         login_two_factor_options_path
       end

app/controllers/two_factor_authentication/webauthn_verification_controller.rb

@@ -100,7 +100,8 @@ def credential_ids
     end
 
     def analytics_properties
-      auth_method = if form&.webauthn_configuration&.platform_authenticator || params[:platform]
+      auth_method = if form&.webauthn_configuration&.platform_authenticator ||
+                       params[:platform].to_s == 'true'
                       'webauthn_platform'
                     else
                       'webauthn'

app/controllers/users/mfa_selection_controller.rb

@@ -9,6 +9,7 @@ class MfaSelectionController < ApplicationController
 
     def index
       @two_factor_options_form = TwoFactorOptionsForm.new(current_user)
+      @after_setup_path = after_mfa_setup_path
       @presenter = two_factor_options_presenter
       analytics.user_registration_2fa_additional_setup_visit
     end

app/controllers/users/phone_setup_controller.rb

@@ -16,7 +16,7 @@ def index
     def create
       @new_phone_form = NewPhoneForm.new(current_user)
       result = @new_phone_form.submit(new_phone_form_params)
-      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_PHONE_SETUP, result.to_h)
+      analytics.multi_factor_auth_phone_setup(**result.to_h)
 
       if result.success?
         handle_create_success(@new_phone_form.phone)

app/controllers/users/piv_cac_authentication_setup_controller.rb

@@ -75,7 +75,7 @@ def piv_cac_service_url_with_redirect
 
     def process_piv_cac_setup
       result = user_piv_cac_form.submit
-      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_SETUP, result.to_h)
+      analytics.multi_factor_auth_setup(**result.to_h)
       if result.success?
         process_valid_submission
       else

app/controllers/users/piv_cac_setup_from_sign_in_controller.rb

@@ -35,7 +35,7 @@ def render_prompt
 
     def process_piv_cac_setup
       result = user_piv_cac_form.submit
-      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_SETUP, result.to_h)
+      analytics.multi_factor_auth_setup(**result.to_h)
       if result.success?
         process_valid_submission
       else

app/controllers/users/totp_setup_controller.rb

@@ -22,7 +22,7 @@ def new
     def confirm
       result = totp_setup_form.submit
 
-      analytics.track_event(Analytics::MULTI_FACTOR_AUTH_SETUP, result.to_h)
+      analytics.multi_factor_auth_setup(**result.to_h)
 
       if result.success?
         process_valid_code

app/controllers/users/two_factor_authentication_controller.rb

@@ -14,7 +14,7 @@ def show
 
     def send_code
       result = otp_delivery_selection_form.submit(delivery_params)
-      analytics.track_event(Analytics::OTP_DELIVERY_SELECTION, result.to_h)
+      analytics.otp_delivery_selection(**result.to_h)
       if result.success?
         handle_valid_otp_params(user_select_delivery_preference, user_selected_default_number)
         update_otp_delivery_preference_if_needed
@@ -54,7 +54,7 @@ def redirect_on_nothing_enabled
       if MfaPolicy.new(current_user).two_factor_enabled?
         redirect_to login_two_factor_options_path
       else
-        redirect_to two_factor_options_url
+        redirect_to authentication_methods_setup_url
       end
     end
 
@@ -68,7 +68,7 @@ def phone_configuration
 
     def validate_otp_delivery_preference_and_send_code
       result = otp_delivery_selection_form.submit(otp_delivery_preference: delivery_preference)
-      analytics.track_event(Analytics::OTP_DELIVERY_SELECTION, result.to_h)
+      analytics.otp_delivery_selection(**result.to_h)
       phone_is_confirmed = UserSessionContext.authentication_context?(context)
       phone_capabilities = PhoneNumberCapabilities.new(
         parsed_phone,
@@ -180,7 +180,7 @@ def handle_valid_otp_params(method, default = nil)
     end
 
     def handle_telephony_result(method:, default:)
-      track_events
+      track_events(otp_delivery_preference: method)
       if @telephony_result.success?
         redirect_to login_two_factor_url(
           otp_delivery_preference: method,
@@ -197,8 +197,17 @@ def handle_telephony_result(method:, default:)
       end
     end
 
-    def track_events
-      analytics.track_event(Analytics::TELEPHONY_OTP_SENT, @telephony_result.to_h)
+    def track_events(otp_delivery_preference:)
+      analytics.telephony_otp_sent(
+        area_code: parsed_phone.area_code,
+        country_code: parsed_phone.country_code,
+        phone_fingerprint: Pii::Fingerprinter.fingerprint(parsed_phone.e164),
+        context: context,
+        otp_delivery_preference: otp_delivery_preference,
+        resend: params.dig(:otp_delivery_selection_form, :resend),
+        telephony_response: @telephony_result.to_h,
+        success: @telephony_result.success?,
+      )
     end
 
     def exceeded_otp_send_limit?
@@ -308,7 +317,7 @@ def handle_too_many_confirmation_sends
       if user_fully_authenticated?
         redirect_to account_url
       else
-        redirect_to two_factor_options_url
+        redirect_to authentication_methods_setup_url
       end
     end
   end

app/controllers/users/two_factor_authentication_setup_controller.rb

@@ -22,14 +22,14 @@ def create
       elsif (result.errors[:selection].include? 'phone') ||
             IdentityConfig.store.kantara_2fa_phone_restricted
         flash[:phone_error] = t('errors.two_factor_auth_setup.must_select_additional_option')
-        redirect_to two_factor_options_path(anchor: 'select_phone')
+        redirect_to authentication_methods_setup_path(anchor: 'select_phone')
       else
         @presenter = two_factor_options_presenter
         render :index
       end
     rescue ActionController::ParameterMissing
       flash[:error] = t('errors.two_factor_auth_setup.must_select_option')
-      redirect_back(fallback_location: two_factor_options_path, allow_other_host: false)
+      redirect_back(fallback_location: authentication_methods_setup_path, allow_other_host: false)
     end
 
     private