LG-14282 | Pass phone number to Socure proofer

[n1zyy]

🎫 Ticket

Link to the relevant ticket:
LG-14282

🛠 Summary of changes

When Socure is running in shadow mode (to allow us to evaluate Socure without gating results on it), this will send our best guess for the user's phone number to also be proofed.

It is very possible for there to not be a phone number available yet in the flow, and the story suggested variable naming to reflect that it should not be treated as a reliable indicator of phone number.

Privacy

Most privacy concerns are mooted by the fact that all of Socure is feature-flagged off in all environments (except my laptop), and all that work is undergoing detailed security+privacy review before it can be enabled. This Socure code is unreachable in production.

There is a trivial change in that we are sourcing the phone number from a different (less reliable) user input. Normally, on the page after this code executes, the user is prompted for a phone number to verify. Because the Socure call happens before that, we rely on the number provided for MFA or the hybrid-handoff flow. The user has to have consented to sharing data with a proofing provider to get this far, so this shouldn't have a privacy impact.

📜 Testing Plan

You can enable Socure locally in application.yml(.default) with creds from their sandbox dashboard to test this. (Be sure to not submit any actual PII!)

When doing so, you should then receive a beautiful event in events.log like this one:

{"name":"idv_socure_shadow_mode_proofing_result","properties":{"event_properties":{"resolution_result":{"success":true,"errors":{},"exception":null,"timed_out":false,"threatmetrix_review_status":"pass","context":{"device_profiling_adjudication_reason":"device_profiling_result_pass","resolution_adjudication_reason":"pass_resolution_and_state_id","should_proof_state_id":true,"stages":{"resolution":{"success":true,"errors":{},"exception":null,"timed_out":false,"transaction_id":"resolution-mock-transaction-id-123","reference":"aaa-bbb-ccc","can_pass_with_additional_verification":false,"attributes_requiring_additional_verification":[],"vendor_name":"ResolutionMock","vendor_workflow":null,"verified_attributes":null},"residential_address":{"success":true,"errors":{},"exception":null,"timed_out":false,"transaction_id":"","reference":"","can_pass_with_additional_verification":false,"attributes_requiring_additional_verification":[],"vendor_name":"ResidentialAddressNotRequired","vendor_workflow":null,"verified_attributes":null},"state_id":{"success":true,"errors":{},"exception":null,"mva_exception":null,"requested_attributes":{},"timed_out":false,"transaction_id":"state-id-mock-transaction-id-456","vendor_name":"StateIdMock","verified_attributes":[],"jurisdiction_in_maintenance_window":false},"threatmetrix":{"client":null,"success":true,"errors":{},"exception":null,"timed_out":false,"transaction_id":"ddp-mock-transaction-id-123","review_status":"pass","account_lex_id":"super-cool-test-lex-id","session_id":"super-cool-test-session-id"}}},"biographical_info":{"state":"MT","identity_doc_address_state":null,"state_id_jurisdiction":"ND","state_id_number":"#############","same_address_as_id":null},"ssn_is_unique":true},"phone_source":"mfa","socure_result":{"success":true,"errors":{"reason_codes":["I919"]},"exception":null,"timed_out":false,"transaction_id":"71db11df-86f5-4b8e-881c-8191efa6fe5f","reference":"","can_pass_with_additional_verification":false,"attributes_requiring_additional_verification":[],"vendor_name":"socure_kyc","vendor_workflow":null,"verified_attributes":["address","first_name","last_name","phone","ssn","dob"]}},"new_event":true,"path":null,"session_duration":null,"user_id":"2167e49a-5366-4678-8856-da1c7009a018","locale":"en"},"time":"2024-09-24T19:09:01.246Z","id":"b46a83e2-1741-4557-8575-7817175e8e61","visitor_id":"86498e6e-5836-46bf-a34a-514437d82a2d","visit_id":"9cd41eb6-2dc9-4803-95ce-a6540726fe0c","log_filename":"events.log"}

You are specifically looking for socure_result to include 'phone' in verified_attributes indicating that it was passed successfully.

Another option...

...is to litter `puts` statements all throughout the code. Just hypothetically. Why doesn't Markdown work in here?

[n1zyy]

Because we're doing something slightly unusual, we tack this onto the PII bundle so it's available for Socure, but omit it other places it might be used.

The naming is meant to convey that we accept that the phone number may not be present and shouldn't be relied on for other purposes.

[n1zyy]

Note that, in actuality, nothing is passing :phone into the Socure proofer today, so this conditional isn't strictly necessary. But it feels cleaner, and IMHO makes clearer what we're doing. (Plus it frees me from needing nil-safe operators on applicant_pii[:best_effort_phone_number_for_socure] and keeps phone and phone_source together.)

[n1zyy]

AAMVA and LexisNexis are not expecting this key.

[n1zyy]

And phone_source is just along for the ride into logs.

[matthinz]

Maybe one more test in this file asserting that phone_source makes it into the logged event

[matthinz]

Probably want test coverage for this method. I don't think we have a spec for VerifyInfoConcern, but you could either write one or put a test in the VerifyInfoController spec.

[n1zyy]

@matthinz I did end up adding this in the controller spec based on your feedback. I set out to add a test for VerifyInfoConcern but it was turtles all the way down.