Merge pull request #6430 from 18F/stages/rc-2022-06-02

Deploy RC 193 to Production

Gemfile

@@ -41,6 +41,7 @@ gem 'pg'
 gem 'phonelib'
 gem 'premailer-rails', '>= 1.11.1'
 gem 'profanity_filter'
+gem 'rack', '>= 2.2.3.1'
 gem 'rack-attack', '>= 6.2.1'
 gem 'rack-cors', '>= 1.0.5', require: 'rack/cors'
 gem 'rack-headers_filter'

Gemfile.lock

@@ -448,7 +448,7 @@ GEM
       nio4r (~> 2.0)
     raabro (1.4.0)
     racc (1.6.0)
-    rack (2.2.3)
+    rack (2.2.3.1)
     rack-attack (6.5.0)
       rack (>= 1.0, < 3)
     rack-cors (1.1.1)
@@ -762,6 +762,7 @@ DEPENDENCIES
   pry-rails
   psych
   puma
+  rack (>= 2.2.3.1)
   rack-attack (>= 6.2.1)
   rack-cors (>= 1.0.5)
   rack-headers_filter

app/components/javascript_required_component.html.erb

@@ -0,0 +1,28 @@
+<noscript>
+  <%= render StatusPageComponent.new(status: :error) do |c| %>
+    <% c.header { header } %>
+
+    <% if intro %>
+      <p><%= intro %></p>
+    <% end %>
+
+    <p><%= t('components.javascript_required.browser_instructions') %></p>
+
+    <ul class="usa-list">
+      <% browser_resources.each do |resource| %>
+        <li><%= new_window_link_to resource[:name], resource[:url] %></li>
+      <% end %>
+    </ul>
+
+    <p><strong><%= t('components.javascript_required.next_step') %></strong></p>
+  <% end %>
+  <link rel="stylesheet" href="<%= no_js_detect_css_path %>">
+</noscript>
+<div class="js">
+  <% if was_no_js? %>
+    <%= render AlertComponent.new(type: :success, class: 'margin-bottom-4') do %>
+      <%= t('components.javascript_required.enabled_alert') %>
+    <% end %>
+  <% end %>
+  <%= content %>
+</div>

app/components/javascript_required_component.rb

@@ -0,0 +1,25 @@
+class JavascriptRequiredComponent < BaseComponent
+  include LinkHelper
+
+  attr_reader :header, :intro
+
+  BROWSER_RESOURCES = [
+    { name: 'Google Chrome', url: 'https://support.google.com' },
+    { name: 'Mozilla Firefox', url: 'https://support.mozilla.org/en-US' },
+    { name: 'Microsoft Edge', url: 'https://support.microsoft.com/en-us/microsoft-edge' },
+    { name: 'Apple Safari', url: 'https://support.apple.com/safari' },
+  ].to_set.freeze
+
+  def initialize(header:, intro: nil)
+    @header = header
+    @intro = intro
+  end
+
+  def browser_resources
+    BROWSER_RESOURCES
+  end
+
+  def was_no_js?
+    session.delete(NoJsController::SESSION_KEY) == true
+  end
+end

app/controllers/application_controller.rb

@@ -246,8 +246,7 @@ def reauthn_param
 
   def invalid_auth_token(_exception)
     controller_info = "#{controller_path}##{action_name}"
-    analytics.track_event(
-      Analytics::INVALID_AUTHENTICITY_TOKEN,
+    analytics.invalid_authenticity_token(
       controller: controller_info,
       user_signed_in: user_signed_in?,
     )

app/controllers/concerns/idv_session.rb

@@ -41,7 +41,7 @@ def idv_session
   end
 
   def idv_attempter_throttled?
-    Throttle.for(
+    Throttle.new(
       user: effective_user,
       throttle_type: :idv_resolution,
     ).throttled?

app/controllers/concerns/mfa_setup_concern.rb

@@ -3,16 +3,18 @@ module MfaSetupConcern
 
   def next_setup_path
     if user_needs_confirmation_screen?
-      auth_method_confirmation_url(next_setup_choice: next_setup_choice)
+      auth_method_confirmation_url
+    elsif next_setup_choice
+      confirmation_path
     else
       user_session.delete(:mfa_selections)
       nil
     end
   end
 
-  def confirmation_path(next_mfa_selection_choice)
-    user_session[:next_mfa_selection_choice] = next_mfa_selection_choice
-    case next_mfa_selection_choice
+  def confirmation_path(next_mfa_selection_choice = nil)
+    user_session[:next_mfa_selection_choice] = next_mfa_selection_choice || next_setup_choice
+    case user_session[:next_mfa_selection_choice]
     when 'voice', 'sms', 'phone'
       phone_setup_url
     when 'auth_app'
@@ -36,12 +38,12 @@ def confirm_user_authenticated_for_2fa_setup
   end
 
   def user_needs_confirmation_screen?
-    (next_setup_choice.present? || suggest_second_mfa?) &&
+    suggest_second_mfa? &&
       IdentityConfig.store.select_multiple_mfa_options
   end
 
   def suggest_second_mfa?
-    MfaContext.new(current_user).enabled_mfa_methods_count < 2
+    current_mfa_selection_count < 2 && MfaContext.new(current_user).enabled_mfa_methods_count < 2
   end
 
   def current_mfa_selection_count

app/controllers/concerns/personal_key_concern.rb

@@ -20,8 +20,7 @@ def create_new_code
 
   def redirect_to_signin
     controller_info = "#{controller_path}##{action_name}"
-    analytics.track_event(
-      Analytics::INVALID_AUTHENTICITY_TOKEN,
+    analytics.invalid_authenticity_token(
       controller: controller_info,
       user_signed_in: user_signed_in?,
     )

app/controllers/concerns/saml_idp_logout_concern.rb

@@ -53,8 +53,7 @@ def logout_response
 
   def track_logout_event
     sp_initiated = saml_request.present?
-    analytics.track_event(
-      Analytics::LOGOUT_INITIATED,
+    analytics.logout_initiated(
       sp_initiated: sp_initiated,
       oidc: false,
       saml_request_valid: sp_initiated ? valid_saml_request? : true,

app/controllers/frontend_log_controller.rb

@@ -6,6 +6,8 @@ class FrontendLogController < ApplicationController
   before_action :validate_parameter_types
 
   EVENT_MAP = {
+    'IdV: password confirm visited' => :idv_password_confirm_visited,
+    'IdV: password confirm submitted' => :idv_password_confirm_submitted,
     'IdV: personal key visited' => :idv_personal_key_visited,
     'IdV: personal key submitted' => :idv_personal_key_submitted,
     'IdV: personal key confirm visited' => :idv_personal_key_confirm_visited,

app/controllers/idv/capture_doc_status_controller.rb

@@ -50,7 +50,7 @@ def document_capture_session
     end
 
     def throttled?
-      Throttle.for(
+      Throttle.new(
         user: document_capture_session.user,
         throttle_type: :idv_doc_auth,
       ).throttled?

app/controllers/idv/gpo_controller.rb

@@ -164,11 +164,11 @@ def idv_throttle_params
     end
 
     def idv_attempter_increment
-      Throttle.for(**idv_throttle_params).increment
+      Throttle.new(**idv_throttle_params).increment!
     end
 
     def idv_attempter_throttled?
-      Throttle.for(**idv_throttle_params).throttled?
+      Throttle.new(**idv_throttle_params).throttled?
     end
 
     def throttle_failure

app/controllers/idv/gpo_verify_controller.rb

@@ -6,7 +6,7 @@ class GpoVerifyController < ApplicationController
     before_action :confirm_verification_needed
 
     def index
-      analytics.track_event(Analytics::IDV_GPO_VERIFICATION_VISITED)
+      analytics.idv_gpo_verification_visited
       gpo_mail = Idv::GpoMail.new(current_user)
       @mail_spammed = gpo_mail.mail_spammed?
       @gpo_verify_form = GpoVerifyForm.new(user: current_user)
@@ -48,7 +48,7 @@ def create
     private
 
     def throttle
-      @throttle ||= Throttle.for(
+      @throttle ||= Throttle.new(
         user: current_user,
         throttle_type: :verify_gpo_key,
       )

app/controllers/idv/phone_controller.rb

@@ -39,7 +39,7 @@ def create
     private
 
     def throttle
-      @throttle ||= Throttle.for(user: current_user, throttle_type: :proof_address)
+      @throttle ||= Throttle.new(user: current_user, throttle_type: :proof_address)
     end
 
     def max_attempts_reached

app/controllers/idv/phone_errors_controller.rb

@@ -28,7 +28,7 @@ def failure
     private
 
     def throttle
-      Throttle.for(user: idv_session.current_user, throttle_type: :proof_address)
+      Throttle.new(user: idv_session.current_user, throttle_type: :proof_address)
     end
 
     def confirm_idv_phone_step_needed

app/controllers/idv/session_errors_controller.rb

@@ -7,19 +7,22 @@ class SessionErrorsController < ApplicationController
     before_action :confirm_idv_session_step_needed
 
     def warning
-      @remaining_attempts = Throttle.for(
+      @remaining_attempts = Throttle.new(
         user: effective_user,
         throttle_type: :idv_resolution,
       ).remaining_count
     end
 
     def failure
-      @expires_at = Throttle.for(user: effective_user, throttle_type: :idv_resolution).expires_at
+      @expires_at = Throttle.new(
+        user: effective_user,
+        throttle_type: :idv_resolution,
+      ).expires_at
     end
 
     def ssn_failure
       if ssn_from_doc
-        @expires_at = Throttle.for(
+        @expires_at = Throttle.new(
           target: Pii::Fingerprinter.fingerprint(ssn_from_doc),
           throttle_type: :proof_ssn,
         ).expires_at
@@ -29,7 +32,7 @@ def ssn_failure
     end
 
     def throttled
-      @expires_at = Throttle.for(user: effective_user, throttle_type: :idv_doc_auth).expires_at
+      @expires_at = Throttle.new(user: effective_user, throttle_type: :idv_doc_auth).expires_at
     end
 
     private

app/controllers/mfa_confirmation_controller.rb

@@ -3,12 +3,7 @@ class MfaConfirmationController < ApplicationController
   before_action :confirm_two_factor_authenticated, except: [:show]
 
   def show
-    @presenter = MfaConfirmationShowPresenter.new(
-      current_user: current_user,
-      next_path: next_path,
-      final_path: after_mfa_setup_path,
-      suggest_second_mfa: check_if_select_mfa_needed?,
-    )
+    @next_path = second_mfa_setup_path
   end
 
   def skip
@@ -35,20 +30,6 @@ def password
     params.require(:user)[:password]
   end
 
-  def next_mfa_selection_choice
-    params[:next_setup_choice] ||
-      user_session[:next_mfa_selection_choice]
-  end
-
-  def next_path
-    return second_mfa_setup_path if check_if_select_mfa_needed?
-    confirmation_path(next_mfa_selection_choice)
-  end
-
-  def check_if_select_mfa_needed?
-    suggest_second_mfa? && current_mfa_selection_count == 1
-  end
-
   def handle_valid_password
     if current_user.auth_app_configurations.any?
       redirect_to login_two_factor_authenticator_url(reauthn: true)

app/controllers/no_js_controller.rb

@@ -0,0 +1,8 @@
+class NoJsController < ApplicationController
+  SESSION_KEY = :no_js_css
+
+  def index
+    session[SESSION_KEY] = true
+    render body: '', content_type: 'text/css'
+  end
+end

app/controllers/openid_connect/logout_controller.rb

@@ -9,7 +9,7 @@ def index
 
       result = @logout_form.submit
 
-      analytics.track_event(Analytics::LOGOUT_INITIATED, result.to_h.except(:redirect_uri))
+      analytics.logout_initiated(**result.to_h.except(:redirect_uri))
 
       if result.success? && (redirect_uri = result.extra[:redirect_uri])
         sign_out

app/controllers/sign_out_controller.rb

@@ -2,7 +2,7 @@ class SignOutController < ApplicationController
   include FullyAuthenticatable
 
   def destroy
-    analytics.track_event(Analytics::LOGOUT_INITIATED, method: 'cancel link')
+    analytics.logout_initiated(method: 'cancel link')
     url_after_cancellation = decorated_session.cancel_link_url
     sign_out
     flash[:success] = t('devise.sessions.signed_out')

app/controllers/sign_up/cancellations_controller.rb

@@ -1,21 +1,67 @@
 module SignUp
   class CancellationsController < ApplicationController
+    before_action :find_user
     before_action :ensure_in_setup
+    before_action :ensure_valid_confirmation_token
 
     def new
       properties = ParseControllerFromReferer.new(request.referer).call
       analytics.track_event(Analytics::USER_REGISTRATION_CANCELLATION, properties)
       @presenter = CancellationPresenter.new(referer: request.referer, url_options: url_options)
     end
 
+    def destroy
+      track_account_deletion_event
+      url_after_cancellation = decorated_session.cancel_link_url
+      destroy_user
+      flash[:success] = t('sign_up.cancel.success')
+      redirect_to url_after_cancellation
+    end
+
     private
 
+    def track_account_deletion_event
+      properties = ParseControllerFromReferer.new(request.referer).call
+      analytics.account_deletion(**properties)
+    end
+
+    def destroy_user
+      @user&.destroy!
+      sign_out if @user
+    end
+
+    def find_user
+      @user = current_user
+      return if current_user
+
+      confirmation_token = session[:user_confirmation_token]
+      email_address = EmailAddress.find_with_confirmation_token(confirmation_token)
+      @token_validator = EmailConfirmationTokenValidator.new(email_address, current_user)
+      result = @token_validator.submit
+
+      if result.success?
+        @user = email_address.user
+      else
+        @user = nil
+      end
+    end
+
     def ensure_in_setup
-      redirect_to root_url if !session[:user_confirmation_token] && two_factor_enabled
+      redirect_to root_url if @user && MfaPolicy.new(@user).two_factor_enabled?
+    end
+
+    def ensure_valid_confirmation_token
+      return if @user
+      flash[:error] = error_message(@token_validator)
+      redirect_to sign_up_email_resend_url(request_id: params[:_request_id])
     end
 
-    def two_factor_enabled
-      current_user && MfaPolicy.new(current_user).two_factor_enabled?
+    def error_message(token_validator)
+      if token_validator.confirmation_period_expired?
+        t('errors.messages.confirmation_period_expired')
+      else
+        t('errors.messages.confirmation_invalid_token')
+      end
     end
   end
 end