Merge branch 'feat/DC-153-request-replacement-card-flow' into feat/DC-160-address-validation-errors

Author: Nick Campanini

packages/design-system/content/scripts/generate-locales.js

@@ -301,10 +301,11 @@ function parseContentKey(contentKey) {
 function buildStateLocaleData(rows, state) {
   const [headerRow, ...dataRows] = rows;
 
-  // Find column indices (handle emoji prefixes like "🟡 Content")
-  const contentIdx = headerRow.findIndex((h) =>
-    h.toLowerCase().includes('content')
-  );
+  // Find column indices (handle emoji prefixes like "🟡 Content" and renamed headers like "Variable Name/Key")
+  const contentIdx = headerRow.findIndex((h) => {
+    const lower = h.toLowerCase()
+    return lower.includes('content') || lower.includes('variable name')
+  });
   const englishIdx = headerRow.findIndex((h) =>
     h.toLowerCase().includes('english')
   );

packages/design-system/content/scripts/generate-locales.test.js

@@ -65,5 +65,28 @@ assert.ok(!enrollmentContent.includes('dashboard'), 'enrollment barrel must NOT
 // Test: locale JSON was written to --out-dir (not to script's own directory)
 assert.ok(existsSync(join(tmpDir, 'locales', 'en', 'co', 'landing.json')), 'locale JSON must be written to --out-dir')
 
+// Test: new CSV column headers ("Variable Name/Key", "🟢 CO English", "🟢 CO Español")
+setup()
+const csvNewHeaders = [
+  'Variable Name/Key,🟢 CO English,⚪ SOURCE English,🟢 CO Español,⚪ SOURCE Español,Notes',
+  'GLOBAL - Button Continue,Continue,,Continuar,,',
+  'S1 - Landing Page - Title,New Header Landing,,New Header Landing ES,,',
+].join('\n')
+writeFileSync(join(tmpDir, 'states', 'co.csv'), csvNewHeaders)
+
+execFileSync('node', [
+  script,
+  '--csv-dir', join(tmpDir, 'states'),
+  '--out-dir', join(tmpDir, 'locales'),
+  '--ts-out',  join(tmpDir, 'ts-out', 'new-header-resources.ts'),
+  '--app',     'portal',
+], { stdio: 'inherit' })
+
+const newHeaderLanding = JSON.parse(readFileSync(join(tmpDir, 'locales', 'en', 'co', 'landing.json'), 'utf8'))
+assert.equal(newHeaderLanding.title, 'New Header Landing', 'must parse content from "Variable Name/Key" column header')
+
+const newHeaderCommon = JSON.parse(readFileSync(join(tmpDir, 'locales', 'es', 'co', 'common.json'), 'utf8'))
+assert.equal(newHeaderCommon.buttonContinue, 'Continuar', 'must parse Spanish from state-prefixed Español column')
+
 console.log('✅ All generate-locales CLI arg tests passed')
 teardown()

packages/design-system/content/states/co.csv

@@ -110,7 +110,10 @@ public async Task<IActionResult> CompleteLogin(
             ValidateAudience = false,
             ValidateLifetime = true,
             ClockSkew = TimeSpan.FromMinutes(1),
-            IssuerSigningKey = key
+            // Use resolver instead of IssuerSigningKey to bypass kid-matching;
+            // jose (Next.js) signs without a kid header, which causes IDX10517
+            // when JwtSecurityTokenHandler tries to match by kid.
+            IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => [key]
         };
         var handler = new JwtSecurityTokenHandler();
         handler.MapInboundClaims = false; // Preserve original JWT claim names (sub, email)

packages/design-system/content/states/dc.csv

@@ -0,0 +1,33 @@
+using System.Security.Claims;
+
+namespace SEBT.Portal.Core.Models.Auth;
+
+/// <summary>
+/// Extension methods for resolving authentication-related claims from a ClaimsPrincipal.
+/// </summary>
+public static class ClaimsPrincipalExtensions
+{
+    /// <summary>
+    /// Resolves the user's Identity Assurance Level from the IAL claim.
+    /// Returns <see cref="UserIalLevel.None"/> if the claim is missing or unrecognized.
+    /// </summary>
+    public static UserIalLevel GetIalLevel(this ClaimsPrincipal user)
+    {
+        var ialClaim = user.FindFirst(JwtClaimTypes.Ial)?.Value;
+
+        if (string.IsNullOrWhiteSpace(ialClaim))
+        {
+            return UserIalLevel.None;
+        }
+
+        var normalized = ialClaim.Trim().ToLowerInvariant();
+        return normalized switch
+        {
+            "1" => UserIalLevel.IAL1,
+            "1plus" => UserIalLevel.IAL1plus,
+            "2" => UserIalLevel.IAL2,
+            "0" => UserIalLevel.None,
+            _ => UserIalLevel.None
+        };
+    }
+}

src/SEBT.Portal.Api/Controllers/Auth/OidcController.cs

@@ -190,6 +190,8 @@ private void SeedMockData()
         verified.Email = verifiedEmail;
         verified.UserProfile = new UserProfile { FirstName = "John", MiddleName = "Robert", LastName = "Doe" };
         _households[verifiedEmail] = verified;
+        // To test CO OIDC login locally, uncomment and replace with your PingOne sandbox user email:
+        // _households["sebt.co+YOUR_PHONE@codeforamerica.org"] = verified;
 
         // Scenario 3: Pending application without address (not ID verified)
         // Note: Address should not be included for non-ID-verified users, but we set it here

src/SEBT.Portal.Core/Models/Auth/ClaimsPrincipalExtensions.cs

@@ -32,7 +32,7 @@ public async Task<Result<HouseholdData>> Handle(GetHouseholdDataQuery query, Can
 
         logger.LogDebug("Household data request received for identifier type {Type}", identifier.Type);
 
-        var userIalLevel = GetUserIalLevel(query.User);
+        var userIalLevel = query.User.GetIalLevel();
         var piiVisibility = idProofingRequirementsService.GetPiiVisibility(userIalLevel);
 
         logger.LogDebug(
@@ -58,23 +58,4 @@ public async Task<Result<HouseholdData>> Handle(GetHouseholdDataQuery query, Can
         return Result<HouseholdData>.Success(householdData);
     }
 
-    private static UserIalLevel GetUserIalLevel(ClaimsPrincipal user)
-    {
-        var ialClaim = user.FindFirst(JwtClaimTypes.Ial)?.Value;
-
-        if (string.IsNullOrWhiteSpace(ialClaim))
-        {
-            return UserIalLevel.None;
-        }
-
-        var normalized = ialClaim.Trim().ToLowerInvariant();
-        return normalized switch
-        {
-            "1" => UserIalLevel.IAL1,
-            "1plus" => UserIalLevel.IAL1plus,
-            "2" => UserIalLevel.IAL2,
-            "0" => UserIalLevel.None,
-            _ => UserIalLevel.None
-        };
-    }
 }

src/SEBT.Portal.Infrastructure/Repositories/MockHouseholdRepository.cs

@@ -41,10 +41,12 @@ public async Task<Result> Handle(
             return Result.Unauthorized("Unable to identify user from token.");
         }
 
+        var userIalLevel = command.User.GetIalLevel();
+
         var household = await repository.GetHouseholdByIdentifierAsync(
             identifier,
             new PiiVisibility(IncludeAddress: false, IncludeEmail: false, IncludePhone: false),
-            UserIalLevel.None,
+            userIalLevel,
             cancellationToken);
 
         if (household == null)
@@ -72,7 +74,7 @@ public async Task<Result> Handle(
         // Stubbed — returns success without calling the state system.
 
         logger.LogInformation(
-            "Card replacement completed for household identifier kind {Kind}",
+            "Card replacement request recorded for household identifier kind {Kind}",
             identifierKind);
 
         return Result.Success();

src/SEBT.Portal.UseCases/Household/GetHouseholdData/GetHouseholdDataQueryHandler.cs

@@ -33,6 +33,7 @@ const nextConfig: NextConfig = {
   /* SASS Configuration for USWDS */
   sassOptions: {
     implementation: 'sass-embedded',
+    quietDeps: true,
     includePaths: [
       path.join(designSystemPath, 'design/sass'),
       path.join(__dirname, 'node_modules/@uswds/uswds/packages'),
@@ -49,6 +50,7 @@ const nextConfig: NextConfig = {
             options: {
               implementation: 'sass-embedded',
               sassOptions: {
+                quietDeps: true,
                 loadPaths: [
                   path.join(designSystemPath, 'design/sass'),
                   path.join(__dirname, 'node_modules/@uswds/uswds/packages'),