Deploy RC 322 to Prod (#9369)

* LG-11082 Add Conditional Text To FullAddressSearch Component (#9331)

* Add conditional text to view

* add new tests

* Add period to display text

* package version increase from 3.1.0 to 3.1.1

* fix linter errors

* changelog: Upcoming feature, USPS Full Address Search, Added conditional logic to display/hide text on the Find a participating Post Office view that will display in Help Center only

* Integrate personal key feature specs into end_to_end_idv feature specs (#9336)

Since feature specs run slowly, it's better to check assertions as part of a single longer spec
rather than restart identity verification over and over. This removes several long-running feature
specs from the test suite.

[skip changelog]

* Update specs to initialize session as HashWithIndifferentAccess (#9347)

changelog: Internal, Automated Testing, Improve accuracy of session stubbing in tests

* Change `<b>` tags to `<strong>` for better accessibility and code consistency (#9349)

* Change `<b>` tags to `<strong>` for better accessibility and code consistency

changelog: User-facing Improvements, Accessibility, Use strong html tag instead of b for emphasis

* Enable RSpec/LeakyConstantDeclaration rubocop (#9348)

* Enable RSpec/LeakyConstantDeclaration rubocop

changelog: Internal, Source code, Enable RSpec rubocop

* Use let instead of defining new class

---------

Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov>

* Sync TypeScript-ESLint versions (#9352)

changelog: Internal, Dependencies, Update dependencies to their latest versions

* LG-10037: display warning banner on gpo welcome back page if number of gpo letter requests exceeded (#9303)

* display warning banner on gpo welcome back page if gpo letter requests are spammed

changelog: User-Facing Improvements, Identity Verification, display warning banner if user has sent max letter requests within a time window

* handle if user has no gpo confirmatio codes

* Update app/views/idv/by_mail/enter_code/index.html.erb

Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>

* tests for alert banner for spammed gpo requesets

* happy linting

* fix extra space in alert_spam_warning_html i18n

* happy linting

* lintfix i18n

* lint line too long

* js tag removal from alert gpo spam banner spec

* integrate warning alert banner for spammed gpo letter requests into existing tests

* refactor test for gpo spam warning banner

* happy linting

* create before action to remove test order dependency

* happy linting

* define  gpo_verification_enabled in review app

* define  gpo_verification_enabled in review app

---------

Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>

* Upgrade to Rails 7.1 (#9333)

* fix otp missing translations

* rails 7.1

changelog: Internal, Dependencies, Upgrade to Rails 7.1

* fix untranslated webauthn verification

* LG-10837: Add New Piv Cac Logging for login visited (#9294)

* changelog: Internal Fixes, Authentication LG-10837: Piv Cac Logging fixes

* changelog: Internal, Authentication, Add Login visited for pivcac/change logging names to be uniform

* uniform spec test

* fix naming convention for piv cac

* update rspec

* add previous name

* Add lint check for reasonable asset bundle sizes (#9353)

* Add lint check for reasonable asset bundle sizes

changelog: Internal, Automated Testing, Add test for reasonable asset bundle size

* TEMPORARY: Revert "Fix JavaScript dead code elimination (#9217)"

This reverts commit 0fcc3a7.

* Revert "TEMPORARY: Revert "Fix JavaScript dead code elimination (#9217)""

This reverts commit af166f2.

* Update changelog script to reflect non-security Dependabot usage (#9354)

changelog: Internal, Changelog, Update changelog script to reflect non-security Dependabot usage

* Revert "Upgrade to Rails 7.1 (#9333)" (#9356)

This reverts commit f9a0cd0.

* LG-10812 | Report on all-time user count (#9350)

changelog: Internal, Reporting, Monthly report includes all-time user count

* Reorganize combined invoice report for easier manual runs (#9358)

changelog: Internal, Reporting, Reorganize combined-invoice-supplement-report

* Exclude 'IRS Attempt API: Event metadata' events from log results (#9360)

changelog: Internal, Data Requests, Exclude 'IRS Attempt API: Event metadata' events from log results

* Remove Guardfile, guard dependencies (#9364)

changelog: Internal, Dependencies, Remove unused testing dependencies

* LG-11066 Do not redirect users at the phone step unless they are phone and address rate limited (#9345)

Users are being rate limited and encounting the phone error screen even if they can still verify by mail. This commit changes the rate limit logic to allow users to proceed to the phone step if they can still verify their phone or complete verification by mail.

A side-effect of this change is a bug is fixed where the following situation would exist:

1. A user proofed by mail after exhausting phone attempts
2. The user goes to GPO entry and chooses to cancel and start over
3. The user is redirected to the welcome step to start over
4. The welcome step before action observes the user is phone rate limited and sends the user to the phone errors controller
5. The phone errors controller has a before action to confirm the user has completed the phone errors step; the user has not since in this session so they are redirected to the welcome step
6. Steps 4 and 5 complete until there are too many redirects

[skip changelog]

Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>

---------

Co-authored-by: gina-yamada <125507397+gina-yamada@users.noreply.github.com>
Co-authored-by: Sonia Connolly <sonia.connolly@gsa.gov>
Co-authored-by: Andrew Duthie <andrew.duthie@gsa.gov>
Co-authored-by: Zach Margolis <zachmargolis@users.noreply.github.com>
Co-authored-by: Mitchell Henke <mitchell.henke@gsa.gov>
Co-authored-by: Amir Reavis-Bey <amir.reavis-bey@gsa.gov>
Co-authored-by: Malick Diarra <malick.diarra@gsa.gov>
Co-authored-by: Matt Wagner <mattwagner@navapbc.com>
Co-authored-by: Jonathan Hooper <jonathan.hooper@gsa.gov>

.gitlab-ci.yml

@@ -243,6 +243,7 @@ js_build:
     - *bundle_install
     - *yarn_production_install
     - bundle exec rake assets:precompile
+    - make lint_asset_bundle_size
 
 js_tests:
   stage: test

.rubocop.yml

@@ -5,6 +5,7 @@
 # https://github.com/bbatsov/rubocop/blob/master/config/disabled.yml
 require:
   - rubocop-rails
+  - rubocop-rspec
   - rubocop-performance
   - ./lib/linters/analytics_event_name_linter.rb
   - ./lib/linters/localized_validation_message_linter.rb
@@ -997,6 +998,9 @@ Rails/WhereNot:
 Rails/WhereNotWithMultipleConditions:
   Enabled: true
 
+RSpec/LeakyConstantDeclaration:
+  Enabled: true
+
 Security/Eval:
   Enabled: true
 

Gemfile

@@ -87,7 +87,6 @@ gem 'zxcvbn', '0.1.9'
 group :development do
   gem 'better_errors', '>= 2.5.1'
   gem 'derailed_benchmarks'
-  gem 'guard-rspec', require: false
   gem 'irb'
   gem 'letter_opener', '~> 1.8'
   gem 'rack-mini-profiler', '>= 1.1.3', require: false
@@ -107,10 +106,12 @@ group :development, :test do
   gem 'pry-doc'
   gem 'pry-rails'
   gem 'psych'
+  gem 'rspec', '~> 3.12.0'
   gem 'rspec-rails', '~> 6.0'
   gem 'rubocop', '~> 1.55.1', require: false
   gem 'rubocop-performance', '~> 1.18.0', require: false
   gem 'rubocop-rails', '>= 2.5.2', require: false
+  gem 'rubocop-rspec', require: false
 end
 
 group :test do

Gemfile.lock

@@ -299,7 +299,6 @@ GEM
     ffi-compiler (1.0.1)
       ffi (>= 1.0.0)
       rake
-    formatador (0.2.5)
     foundation_emails (2.2.1.0)
     fugit (1.8.1)
       et-orbi (~> 1, >= 1.2.7)
@@ -318,20 +317,6 @@ GEM
       thor (>= 0.14.1)
       webrick (>= 1.3)
     google-protobuf (3.24.0)
-    guard (2.16.2)
-      formatador (>= 0.2.4)
-      listen (>= 2.7, < 4.0)
-      lumberjack (>= 1.0.12, < 2.0)
-      nenv (~> 0.1)
-      notiffany (~> 0.0)
-      pry (>= 0.9.12)
-      shellany (~> 0.0)
-      thor (>= 0.18.1)
-    guard-compat (1.2.1)
-    guard-rspec (4.7.3)
-      guard (~> 2.1)
-      guard-compat (~> 1.1)
-      rspec (>= 2.99.0, < 4.0)
     hashdiff (1.0.1)
     hashie (4.1.0)
     heapy (0.2.0)
@@ -394,7 +379,6 @@ GEM
       yard (~> 0.9.25)
       zeitwerk (~> 2.5)
     lru_redux (1.1.0)
-    lumberjack (1.2.9)
     mail (2.8.1)
       mini_mime (>= 0.1.1)
       net-imap
@@ -411,7 +395,6 @@ GEM
     minitest (5.19.0)
     msgpack (1.7.2)
     multiset (0.5.3)
-    nenv (0.3.0)
     net-imap (0.3.7)
       date
       net-protocol
@@ -429,9 +412,6 @@ GEM
     nokogiri (1.14.5)
       mini_portile2 (~> 2.8.0)
       racc (~> 1.4)
-    notiffany (0.1.3)
-      nenv (~> 0.1)
-      shellany (~> 0.0)
     openssl (3.0.2)
     openssl-signature_algorithm (1.2.1)
       openssl (> 2.0, < 3.1)
@@ -596,13 +576,21 @@ GEM
       unicode-display_width (>= 2.4.0, < 3.0)
     rubocop-ast (1.29.0)
       parser (>= 3.2.1.0)
+    rubocop-capybara (2.19.0)
+      rubocop (~> 1.41)
+    rubocop-factory_bot (2.24.0)
+      rubocop (~> 1.33)
     rubocop-performance (1.18.0)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
     rubocop-rails (2.20.2)
       activesupport (>= 4.2.0)
       rack (>= 1.1)
       rubocop (>= 1.33.0, < 2.0)
+    rubocop-rspec (2.24.1)
+      rubocop (~> 1.33)
+      rubocop-capybara (~> 2.17)
+      rubocop-factory_bot (~> 2.22)
     ruby-progressbar (1.13.0)
     ruby-saml (1.13.0)
       nokogiri (>= 1.10.5)
@@ -622,7 +610,6 @@ GEM
       rexml (~> 3.2, >= 3.2.5)
       rubyzip (>= 1.2.2, < 3.0)
       websocket (~> 1.0)
-    shellany (0.0.1)
     shoulda-matchers (4.5.1)
       activesupport (>= 4.2.0)
     simple_form (5.1.0)
@@ -748,7 +735,6 @@ DEPENDENCIES
   faraday-retry
   foundation_emails
   good_job (~> 3.0)
-  guard-rspec
   hashie (~> 4.1)
   http_accept_language
   i18n-tasks (~> 1.0)
@@ -799,12 +785,14 @@ DEPENDENCIES
   retries
   rotp (~> 6.1)
   rqrcode
+  rspec (~> 3.12.0)
   rspec-rails (~> 6.0)
   rspec-retry
   rspec_junit_formatter
   rubocop (~> 1.55.1)
   rubocop-performance (~> 1.18.0)
   rubocop-rails (>= 2.5.2)
+  rubocop-rspec
   ruby-progressbar
   ruby-saml
   safe_target_blank (>= 1.0.2)

Makefile

@@ -33,6 +33,7 @@ ARTIFACT_DESTINATION_FILE ?= ./tmp/idp.tar.gz
 	lint_tracker_events \
 	lint_yaml \
 	lint_yarn_workspaces \
+	lint_asset_bundle_size \
 	lintfix \
 	normalize_yaml \
 	optimize_assets \
@@ -113,6 +114,10 @@ lint_yaml: normalize_yaml ## Lints YAML files
 lint_yarn_workspaces: ## Lints Yarn workspace packages
 	scripts/validate-workspaces.js
 
+lint_asset_bundle_size: ## Lints JavaScript and CSS compiled bundle size
+	find app/assets/builds/application.css -size -350000c | grep .
+	find public/packs/js/application-*.digested.js -size -8000c | grep .
+
 lint_migrations:
 	scripts/migration_check
 

app/controllers/concerns/rate_limit_concern.rb

@@ -1,27 +1,36 @@
 module RateLimitConcern
   extend ActiveSupport::Concern
 
-  ALL_IDV_RATE_LIMITTERS = [:idv_resolution, :idv_doc_auth, :proof_address, :proof_ssn].freeze
+  ALL_IDV_RATE_LIMITERS = [:idv_resolution, :idv_doc_auth, :proof_ssn].freeze
 
-  def confirm_not_rate_limited(rate_limiters = ALL_IDV_RATE_LIMITTERS)
-    rate_limited = false
-    rate_limiters.each do |rate_limit_type|
-      if rate_limit_redirect!(rate_limit_type)
-        rate_limited = true
-        break
-      end
+  def confirm_not_rate_limited(rate_limiters = ALL_IDV_RATE_LIMITERS)
+    exceeded_rate_limits = check_for_exceeded_rate_limits(rate_limiters)
+    if exceeded_rate_limits.any?
+      rate_limit_redirect!(exceeded_rate_limits.first)
+      return true
     end
-    rate_limited
+    confirm_not_rate_limited_for_phone_and_letter_address_verification
   end
 
   def confirm_not_rate_limited_after_doc_auth
-    rate_limitters = [:idv_resolution, :proof_ssn, :proof_address]
-    confirm_not_rate_limited(rate_limitters)
+    rate_limiters = [:idv_resolution, :proof_ssn]
+    confirm_not_rate_limited(rate_limiters)
   end
 
-  def confirm_not_rate_limited_after_idv_resolution
-    rate_limitters = [:proof_address]
-    confirm_not_rate_limited(rate_limitters)
+  def confirm_not_rate_limited_for_phone_address_verification
+    if idv_attempter_rate_limited?(:proof_address)
+      rate_limit_redirect!(:proof_address)
+      return true
+    end
+  end
+
+  private
+
+  def confirm_not_rate_limited_for_phone_and_letter_address_verification
+    if idv_attempter_rate_limited?(:proof_address) && Idv::GpoMail.new(current_user).mail_spammed?
+      rate_limit_redirect!(:proof_address)
+      return true
+    end
   end
 
   def rate_limit_redirect!(rate_limit_type)
@@ -60,6 +69,12 @@ def rate_limited_redirect(rate_limit_type)
     end
   end
 
+  def check_for_exceeded_rate_limits(rate_limit_types)
+    rate_limit_types.select do |rate_limit_type|
+      idv_attempter_rate_limited?(rate_limit_type)
+    end
+  end
+
   def idv_attempter_rate_limited?(rate_limit_type)
     if rate_limit_type == :proof_ssn
       return unless pii_ssn

app/controllers/idv/by_mail/enter_code_controller.rb

@@ -24,12 +24,14 @@ def index
         end
 
         gpo_mail = Idv::GpoMail.new(current_user)
+        @gpo_mail_spammed = gpo_mail.mail_spammed?
+        @last_date_letter_was_sent = last_date_letter_was_sent
         @gpo_verify_form = GpoVerifyForm.new(user: current_user, pii: pii)
         @code = session[:last_gpo_confirmation_code] if FeatureManagement.reveal_gpo_code?
 
         @should_prompt_user_to_request_another_letter =
           FeatureManagement.gpo_verification_enabled? &&
-          !gpo_mail.mail_spammed? &&
+          !@gpo_mail_spammed &&
           !gpo_mail.profile_too_old?
 
         if pii_locked?
@@ -152,6 +154,11 @@ def threatmetrix_enabled?
       def pii_locked?
         !Pii::Cacher.new(current_user, user_session).exists_in_session?
       end
+
+      def last_date_letter_was_sent
+        current_user.gpo_verification_pending_profile&.gpo_confirmation_codes&.
+          pluck(:updated_at)&.max
+      end
     end
   end
 end

app/controllers/idv/phone_controller.rb

@@ -7,7 +7,7 @@ class PhoneController < ApplicationController
 
     attr_reader :idv_form
 
-    before_action :confirm_not_rate_limited_after_idv_resolution, except: [:new]
+    before_action :confirm_not_rate_limited_for_phone_address_verification, except: [:new]
     before_action :confirm_verify_info_step_complete
     before_action :confirm_step_needed
     before_action :set_idv_form
@@ -24,7 +24,7 @@ def new
 
       render 'shared/wait' and return if async_state.in_progress?
 
-      return if confirm_not_rate_limited_after_idv_resolution
+      return if confirm_not_rate_limited_for_phone_address_verification
 
       if async_state.none?
         Funnel::DocAuth::RegisterStep.new(current_user.id, current_sp&.issuer).

app/controllers/idv/phone_errors_controller.rb

@@ -6,7 +6,7 @@ class PhoneErrorsController < ApplicationController
 
     before_action :confirm_two_factor_authenticated
     before_action :confirm_idv_phone_step_needed
-    before_action :confirm_idv_phone_step_submitted
+    before_action :confirm_idv_phone_step_submitted, except: [:failure]
     before_action :set_gpo_letter_available
     before_action :ignore_form_step_wait_requests
 
@@ -32,6 +32,8 @@ def jobfail
     end
 
     def failure
+      return redirect_to(idv_phone_url) unless rate_limiter.limited?
+
       @expires_at = rate_limiter.expires_at
       track_event(type: :failure)
     end

app/controllers/users/piv_cac_authentication_setup_controller.rb

@@ -56,7 +56,7 @@ def submit_new_piv_cac
     private
 
     def track_piv_cac_setup_visit
-      analytics.piv_cac_setup_visit(**analytics_properties)
+      analytics.piv_cac_setup_visited(**analytics_properties)
     end
 
     def remove_piv_cac

app/controllers/users/piv_cac_login_controller.rb

@@ -37,7 +37,7 @@ def error
     private
 
     def render_prompt
-      analytics.piv_cac_setup_visit(in_account_creation_flow: false)
+      analytics.piv_cac_login_visited
       @presenter = PivCacAuthenticationLoginPresenter.new(piv_cac_login_form, url_options)
       render :new
     end

app/controllers/users/piv_cac_setup_from_sign_in_controller.rb

@@ -32,7 +32,7 @@ def decline
     private
 
     def render_prompt
-      analytics.piv_cac_setup_visit(in_account_creation_flow: false)
+      analytics.piv_cac_setup_visited(in_account_creation_flow: false)
       render :prompt
     end