18F · theabrad · Nov 15, 2023 · Nov 14, 2023 · Nov 14, 2023 · Nov 14, 2023
diff --git a/app/controllers/concerns/idv_step_concern.rb b/app/controllers/concerns/idv_step_concern.rb
@@ -134,4 +134,8 @@ def url_for_latest_step
     step_info = flow_policy.info_for_latest_step
     url_for(controller: step_info.controller, action: step_info.action)
   end
+
+  def clear_invalid_steps!
+    flow_policy.undo_steps_from_controller!(controller: self.class)
+  end
 end
diff --git a/app/controllers/idv/agreement_controller.rb b/app/controllers/idv/agreement_controller.rb
@@ -21,6 +21,7 @@ def show
     end
 
     def update
+      clear_invalid_steps!
       skip_to_capture if params[:skip_hybrid_handoff]
 
       result = Idv::ConsentForm.new.submit(consent_form_params)
@@ -48,6 +49,7 @@ def self.step_info
         controller: controller_name,
         next_steps: [:hybrid_handoff, :document_capture, :phone_question, :how_to_verify],
         preconditions: ->(idv_session:, user:) { idv_session.welcome_visited },
+        undo_step: ->(idv_session:, user:) { idv_session.idv_consent_given = nil },
       )
     end
 

diff --git a/app/controllers/idv/document_capture_controller.rb b/app/controllers/idv/document_capture_controller.rb
@@ -22,6 +22,7 @@ def show
     end
 
     def update
+      clear_invalid_steps!
       idv_session.redo_document_capture = nil # done with this redo
       # Not used in standard flow, here for data consistency with hybrid flow.
       document_capture_session.confirm_ocr
@@ -60,6 +61,10 @@ def self.step_info
         controller: controller_name,
         next_steps: [:success], # [:ssn],
         preconditions: ->(idv_session:, user:) { idv_session.flow_path == 'standard' },
+        undo_step: ->(idv_session:, user:) do
+          idv_session.pii_from_doc = nil
+          idv_session.invalidate_in_person_pii_from_user!
+        end,
       )
     end
 

diff --git a/app/controllers/idv/how_to_verify_controller.rb b/app/controllers/idv/how_to_verify_controller.rb
@@ -13,6 +13,7 @@ def show
     end
 
     def update
+      clear_invalid_steps!
       result = Idv::HowToVerifyForm.new.submit(how_to_verify_form_params)
 
       analytics.idv_doc_auth_how_to_verify_submitted(
@@ -39,6 +40,7 @@ def self.step_info
         preconditions: ->(idv_session:, user:) do
           self.enabled?
         end,
+        undo_step: ->(idv_session:, user:) {}, # clear any saved data
       )
     end
 

diff --git a/app/controllers/idv/hybrid_handoff_controller.rb b/app/controllers/idv/hybrid_handoff_controller.rb
@@ -24,6 +24,7 @@ def show
     end
 
     def update
+      clear_invalid_steps!
       irs_attempts_api_tracker.idv_document_upload_method_selected(
         upload_method: params[:type],
       )
@@ -41,6 +42,7 @@ def self.step_info
         controller: controller_name,
         next_steps: [:link_sent, :document_capture],
         preconditions: ->(idv_session:, user:) { idv_session.idv_consent_given },
+        undo_step: ->(idv_session:, user:) { idv_session.flow_path = nil },
       )
     end
 

diff --git a/app/controllers/idv/link_sent_controller.rb b/app/controllers/idv/link_sent_controller.rb
@@ -20,6 +20,7 @@ def show
     end
 
     def update
+      clear_invalid_steps!
       analytics.idv_doc_auth_link_sent_submitted(**analytics_arguments)
 
       return render_document_capture_cancelled if document_capture_session&.cancelled_at
@@ -46,6 +47,10 @@ def self.step_info
         controller: controller_name,
         next_steps: [:success], # [:ssn],
         preconditions: ->(idv_session:, user:) { idv_session.flow_path == 'hybrid' },
+        undo_step: ->(idv_session:, user:) do
+          idv_session.pii_from_doc = nil
+          idv_session.invalidate_in_person_pii_from_user!
+        end,
       )
     end
 

diff --git a/app/controllers/idv/phone_question_controller.rb b/app/controllers/idv/phone_question_controller.rb
@@ -16,13 +16,15 @@ def show
     end
 
     def phone_with_camera
+      clear_invalid_steps!
       idv_session.phone_with_camera = true
       analytics.idv_doc_auth_phone_question_submitted(**analytics_arguments)
 
       redirect_to idv_hybrid_handoff_url
     end
 
     def phone_without_camera
+      clear_invalid_steps!
       idv_session.flow_path = 'standard'
       idv_session.phone_with_camera = false
       analytics.idv_doc_auth_phone_question_submitted(**analytics_arguments)
@@ -39,6 +41,7 @@ def self.step_info
           AbTests::IDV_PHONE_QUESTION.bucket(user.uuid) == :show_phone_question &&
             idv_session.idv_consent_given
         end,
+        undo_step: ->(idv_session:, user:) { idv_session.phone_with_camera = nil },
       )
     end
 

diff --git a/app/controllers/idv/welcome_controller.rb b/app/controllers/idv/welcome_controller.rb
@@ -23,6 +23,7 @@ def show
     end
 
     def update
+      clear_invalid_steps!
       analytics.idv_doc_auth_welcome_submitted(**analytics_arguments)
 
       create_document_capture_session
@@ -39,6 +40,7 @@ def self.step_info
         controller: controller_name,
         next_steps: [:agreement],
         preconditions: ->(idv_session:, user:) { true },
+        undo_step: ->(idv_session:, user:) { idv_session.welcome_visited = nil },
       )
     end
 

diff --git a/app/policies/idv/flow_policy.rb b/app/policies/idv/flow_policy.rb
@@ -18,6 +18,13 @@ def info_for_latest_step
       steps[latest_step]
     end
 
+    def undo_steps_from_controller!(controller:)
+      controller_name = controller.ancestors.include?(ApplicationController) ?
+                        controller.controller_name : controller
-      controller_name = controller.ancestors.include?(ApplicationController) ?
-                        controller.controller_name : controller
+      controller_name = controller < ApplicationController ?
+                        controller.controller_name : controller
-      controller_name = controller.ancestors.include?(ApplicationController) ?
-                        controller.controller_name : controller
+      controller_name = controller < ApplicationController ?
+                        controller.controller_name : controller
+      key = controller_to_key(controller: controller_name)
+      undo_steps_from!(key: key)
+    end
+
     private
 
     def latest_step(current_step: :root)
@@ -39,6 +46,7 @@ def steps
           controller: AccountsController.controller_name,
           next_steps: [:welcome],
           preconditions: ->(idv_session:, user:) { true },
+          undo_step: ->(idv_session:, user:) { true },
         ),
         welcome: Idv::WelcomeController.step_info,
         agreement: Idv::AgreementController.step_info,
@@ -54,6 +62,16 @@ def step_allowed?(key:)
       steps[key].preconditions.call(idv_session: idv_session, user: user)
     end
 
+    def undo_steps_from!(key:)
+      return if key == :success
+
+      steps[key].undo_step.call(idv_session: idv_session, user: user)
+
+      steps[key].next_steps.each do |next_step|
+        undo_steps_from!(key: next_step)
+      end
+    end
+
     def controller_to_key(controller:)
       steps.keys.each do |key|
         return key if steps[key].controller == controller

diff --git a/app/policies/idv/step_info.rb b/app/policies/idv/step_info.rb
@@ -2,18 +2,19 @@ module Idv
   class StepInfo
     include ActiveModel::Validations
 
-    attr_reader :key, :controller, :action, :next_steps, :preconditions
+    attr_reader :key, :controller, :action, :next_steps, :preconditions, :undo_step
 
     validates :controller, presence: true
     validates :action, presence: true
-    validate :next_steps_validation, :preconditions_validation
+    validate :next_steps_validation, :preconditions_validation, :undo_step_validation
 
-    def initialize(key:, controller:, next_steps:, preconditions:, action: :show)
+    def initialize(key:, controller:, next_steps:, preconditions:, undo_step:, action: :show)
       @key = key
       @controller = controller
       @action = action
       @next_steps = next_steps
       @preconditions = preconditions
+      @undo_step = undo_step
 
       raise ArgumentError unless valid?
     end
@@ -29,5 +30,11 @@ def preconditions_validation
         errors.add(:preconditions, type: :invalid_argument, message: 'preconditions must be a Proc')
       end
     end
+
+    def undo_step_validation
+      unless undo_step.is_a?(Proc)
+        errors.add(:undo_step, type: :invalid_argument, message: 'undo_step must be a Proc')
+      end
+    end
   end
 end
diff --git a/app/services/idv/session.rb b/app/services/idv/session.rb
@@ -143,6 +143,12 @@ def has_pii_from_user_in_flow_session
       user_session.dig('idv/in_person', :pii_from_user)
     end
 
+    def invalidate_in_person_pii_from_user!
+      if user_session.dig('idv/in_person', :pii_from_user)
+        user_session['idv/in_person'][:pii_from_user] = nil
+      end
+    end
+
     def document_capture_complete?
       pii_from_doc || has_pii_from_user_in_flow_session || verify_info_step_complete?
     end

diff --git a/spec/controllers/idv/agreement_controller_spec.rb b/spec/controllers/idv/agreement_controller_spec.rb
@@ -124,6 +124,12 @@
       }.compact
     end
 
+    it 'invalidates future steps' do
+      expect(subject).to receive(:clear_invalid_steps!)
+
+      put :update, params: params
+    end
+
     it 'sends analytics_submitted event with consent given' do
       put :update, params: params
 

diff --git a/spec/controllers/idv/document_capture_controller_spec.rb b/spec/controllers/idv/document_capture_controller_spec.rb
@@ -165,6 +165,12 @@
     end
     let(:result) { { success: true, errors: {} } }
 
+    it 'invalidates future steps' do
+      expect(subject).to receive(:clear_invalid_steps!)
+
+      put :update
+    end
+
     it 'sends analytics_submitted event' do
       allow(result).to receive(:success?).and_return(true)
       allow(subject).to receive(:handle_stored_result).and_return(result)

diff --git a/spec/controllers/idv/how_to_verify_controller_spec.rb b/spec/controllers/idv/how_to_verify_controller_spec.rb
@@ -33,4 +33,12 @@
       expect(response).to render_template :show
     end
   end
+
+  describe '#update' do
+    it 'invalidates future steps' do
+      expect(subject).to receive(:clear_invalid_steps!)
+
+      put :update
+    end
+  end
 end
diff --git a/spec/controllers/idv/hybrid_handoff_controller_spec.rb b/spec/controllers/idv/hybrid_handoff_controller_spec.rb
@@ -90,15 +90,15 @@
     end
 
     context 'hybrid_handoff already visited' do
-      it 'shows hybrid_handoff' do
+      it 'shows hybrid_handoff for standard' do
         subject.idv_session.flow_path = 'standard'
 
         get :show
 
         expect(response).to render_template :show
       end
 
-      it 'shows hybrid_handoff' do
+      it 'shows hybrid_handoff for hybrid' do
         subject.idv_session.flow_path = 'hybrid'
 
         get :show
@@ -220,6 +220,12 @@
 
       let(:document_capture_session_uuid) { '09228b6d-dd39-4925-bf82-b69104095517' }
 
+      it 'invalidates future steps' do
+        expect(subject).to receive(:clear_invalid_steps!)
+
+        put :update, params: params
+      end
+
       it 'sends analytics_submitted event for hybrid' do
         put :update, params: params
 

diff --git a/spec/controllers/idv/link_sent_controller_spec.rb b/spec/controllers/idv/link_sent_controller_spec.rb
@@ -123,6 +123,12 @@
       }.merge(ab_test_args)
     end
 
+    it 'invalidates future steps' do
+      expect(subject).to receive(:clear_invalid_steps!)
+
+      put :update
+    end
+
     it 'sends analytics_submitted event' do
       put :update
 

diff --git a/spec/controllers/idv/phone_question_controller_spec.rb b/spec/controllers/idv/phone_question_controller_spec.rb
@@ -144,6 +144,12 @@
   describe '#phone_with_camera' do
     let(:analytics_name) { :idv_doc_auth_phone_question_submitted }
 
+    it 'invalidates future steps' do
+      expect(subject).to receive(:clear_invalid_steps!)
+
+      get :phone_with_camera
+    end
+
     it 'redirects to hybrid handoff' do
       get :phone_with_camera
 
@@ -166,6 +172,12 @@
   describe '#phone_without_camera' do
     let(:analytics_name) { :idv_doc_auth_phone_question_submitted }
 
+    it 'invalidates future steps' do
+      expect(subject).to receive(:clear_invalid_steps!)
+
+      get :phone_without_camera
+    end
+
     it 'redirects to document_capture' do
       get :phone_without_camera
 

diff --git a/spec/controllers/idv/welcome_controller_spec.rb b/spec/controllers/idv/welcome_controller_spec.rb
@@ -139,6 +139,12 @@
       expect(@analytics).to have_logged_event(analytics_name, analytics_args)
     end
 
+    it 'invalidates future steps' do
+      expect(subject).to receive(:clear_invalid_steps!)
+
+      put :update
+    end
+
     it 'creates a document capture session' do
       expect { put :update }.
         to change { subject.idv_session.document_capture_session_uuid }.from(nil)

diff --git a/spec/features/idv/doc_auth/redo_document_capture_spec.rb b/spec/features/idv/doc_auth/redo_document_capture_spec.rb
@@ -76,7 +76,9 @@
       complete_hybrid_handoff_step
 
       visit idv_verify_info_url
-
+      expect(page).to have_current_path(idv_document_capture_path)
+      DocAuth::Mock::DocAuthMockClient.reset!
+      attach_and_submit_images
       complete_verify_step
 
       expect(page).to have_current_path(idv_phone_path)

diff --git a/spec/features/idv/end_to_end_idv_spec.rb b/spec/features/idv/end_to_end_idv_spec.rb
@@ -378,7 +378,7 @@ def try_to_go_back_from_hybrid_handoff
     expect(current_path).to eql(idv_welcome_path)
     complete_welcome_step
     expect(page).to have_current_path(idv_agreement_path)
-    expect(page).to have_checked_field(
+    expect(page).not_to have_checked_field(
       t('doc_auth.instructions.consent', app_name: APP_NAME),
       visible: :all,
     )

diff --git a/spec/policies/idv/flow_policy_spec.rb b/spec/policies/idv/flow_policy_spec.rb
@@ -24,6 +24,24 @@
     end
   end
 
+  context '#undo_steps_from_controller!' do
+    context 'user is on document_capture step' do
+      before do
+        idv_session.welcome_visited = true
+        idv_session.idv_consent_given = true
+        idv_session.flow_path = 'standard'
+      end
+
+      it 'user goes back and submits welcome' do
+        subject.undo_steps_from_controller!(controller: Idv::WelcomeController)
+
+        expect(idv_session.welcome_visited).to be_nil
+        expect(idv_session.idv_consent_given).to be_nil
+        expect(idv_session.flow_path).to be_nil
+      end
+    end
+  end
+
   context 'each step in the flow' do
     before do
       allow(Idv::PhoneConfirmationSession).to receive(:from_h).