From 4c84c716f398b5b793b67f972e3307215df0be87 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 3 Apr 2023 21:47:41 +0000
Subject: [PATCH 01/54] chore(pre-commit): autoupdate hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/psf/black: 23.1.0 → 23.3.0](https://github.com/psf/black/compare/23.1.0...23.3.0)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index acd12a620..bdbe8cfd6 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -34,7 +34,7 @@ repos:
         args: ["--maxkb=1500"]
 
   - repo: https://github.com/psf/black
-    rev: 23.1.0
+    rev: 23.3.0
     hooks:
       - id: black
         types:

From 3083b2432e11471712f6d6fba3d029e7b6cfa9b9 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 3 Apr 2023 22:12:35 +0000
Subject: [PATCH 02/54] chore(deps): bump django from 4.1.7 to 4.2 in
 /appcontainer

Bumps [django](https://github.com/django/django) from 4.1.7 to 4.2.
- [Release notes](https://github.com/django/django/releases)
- [Commits](https://github.com/django/django/compare/4.1.7...4.2)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 appcontainer/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appcontainer/requirements.txt b/appcontainer/requirements.txt
index d2261cfdf..564541046 100644
--- a/appcontainer/requirements.txt
+++ b/appcontainer/requirements.txt
@@ -1,5 +1,5 @@
 Authlib==1.2.0
-Django==4.1.7
+Django==4.2
 django-csp==3.7
 eligibility-api==2023.01.1
 requests==2.28.2

From 693eec74df3347dca9fc49a51cbe01cfc325b6a3 Mon Sep 17 00:00:00 2001
From: Angela Tran <angela@compiler.la>
Date: Tue, 4 Apr 2023 19:24:48 +0000
Subject: [PATCH 03/54] chore: replace deprecated `length_is` in favor of
 `length` filter

---
 benefits/enrollment/templates/enrollment/success.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benefits/enrollment/templates/enrollment/success.html b/benefits/enrollment/templates/enrollment/success.html
index e74c6331c..61a40e8d8 100644
--- a/benefits/enrollment/templates/enrollment/success.html
+++ b/benefits/enrollment/templates/enrollment/success.html
@@ -18,7 +18,7 @@ <h1 class="pb-lg-8 pb-4">{{ page.headline }}</h1>
 {% endblock inner-content %}
 
 {% block call-to-action %}
-  {% if page.buttons|length_is:"1" %}
+  {% if page.buttons|length == 1 %}
     <div class="row d-flex justify-content-lg-center flex-lg-row">
       <div class="col-9 col-lg-10 d-flex justify-content-end logout-paragraph">
         <p>

From 080b18a593fe45057abadc203ebd719db8a9baa5 Mon Sep 17 00:00:00 2001
From: Angela Tran <angela@compiler.la>
Date: Tue, 4 Apr 2023 21:25:45 +0000
Subject: [PATCH 04/54] chore: update code for configuring static file storage

replace deprecated approach with new STORAGES setting
---
 benefits/settings.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/benefits/settings.py b/benefits/settings.py
index c93e7dd26..93fb0e9a5 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -196,9 +196,13 @@ def _filter_empty(ls):
 STATIC_URL = "/static/"
 STATICFILES_DIRS = [os.path.join(BASE_DIR, "benefits", "static")]
 # use Manifest Static Files Storage by default
-STATICFILES_STORAGE = os.environ.get(
-    "DJANGO_STATICFILES_STORAGE", "django.contrib.staticfiles.storage.ManifestStaticFilesStorage"
-)
+STORAGES = {
+    "staticfiles": {
+        "BACKEND": os.environ.get(
+            "DJANGO_STATICFILES_STORAGE", "django.contrib.staticfiles.storage.ManifestStaticFilesStorage"
+        )
+    }
+}
 STATIC_ROOT = os.path.join(BASE_DIR, "static")
 
 # Logging configuration

From dd39c120f76dddcfc3af0fd6580b37f7dcc5c216 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 5 Apr 2023 22:01:04 +0000
Subject: [PATCH 05/54] chore(deps): bump sentry-sdk from 1.18.0 to 1.19.1 in
 /appcontainer

Bumps [sentry-sdk](https://github.com/getsentry/sentry-python) from 1.18.0 to 1.19.1.
- [Release notes](https://github.com/getsentry/sentry-python/releases)
- [Changelog](https://github.com/getsentry/sentry-python/blob/master/CHANGELOG.md)
- [Commits](https://github.com/getsentry/sentry-python/compare/1.18.0...1.19.1)

---
updated-dependencies:
- dependency-name: sentry-sdk
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 appcontainer/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appcontainer/requirements.txt b/appcontainer/requirements.txt
index d2261cfdf..76daf05d1 100644
--- a/appcontainer/requirements.txt
+++ b/appcontainer/requirements.txt
@@ -3,5 +3,5 @@ Django==4.1.7
 django-csp==3.7
 eligibility-api==2023.01.1
 requests==2.28.2
-sentry-sdk==1.18.0
+sentry-sdk==1.19.1
 six==1.16.0

From 0a11b5b5975a877bbc135a0348196d2debdbee0d Mon Sep 17 00:00:00 2001
From: machiko <machiko@compiler.la>
Date: Thu, 6 Apr 2023 14:22:06 -0700
Subject: [PATCH 06/54] fix(url): fix broken link in docs

---
 docs/use-cases/courtesy-cards.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/use-cases/courtesy-cards.md b/docs/use-cases/courtesy-cards.md
index d4122cc53..840380d44 100644
--- a/docs/use-cases/courtesy-cards.md
+++ b/docs/use-cases/courtesy-cards.md
@@ -33,7 +33,7 @@ flowchart LR
 Notes:
 
 - [Eligibility Server documentation](https://docs.calitp.org/eligibility-server/)
-- [More details about the Benefits architecture](../deployment/infrastructure/#architecture)
+- [More details about the Benefits architecture](../../deployment/infrastructure/#architecture)
 - Velocity is the system MST uses to manage Courtesy Cards
 
 ## Process

From 4ef33da6423c1e35c0ffd8ddb0597582f61f55c4 Mon Sep 17 00:00:00 2001
From: Machiko Yasuda <machiko@compiler.la>
Date: Fri, 7 Apr 2023 01:59:51 +0000
Subject: [PATCH 07/54] fix(Docker): set platform

---
 .devcontainer/Dockerfile | 2 +-
 appcontainer/Dockerfile  | 2 +-
 compose.yml              | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 37da0fcf9..a9f38b39c 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM benefits_client:latest
+FROM --platform=linux/amd64 benefits_client:latest
 
 # install devcontainer requirements
 COPY .devcontainer/requirements.txt .devcontainer/requirements.txt
diff --git a/appcontainer/Dockerfile b/appcontainer/Dockerfile
index 8165f5938..795aecbb7 100644
--- a/appcontainer/Dockerfile
+++ b/appcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/cal-itp/docker-python-web:main
+FROM --platform=linux/amd64 ghcr.io/cal-itp/docker-python-web:main
 
 # install python dependencies
 COPY appcontainer/requirements.txt requirements.txt
diff --git a/compose.yml b/compose.yml
index b39a881f3..6d284afd5 100644
--- a/compose.yml
+++ b/compose.yml
@@ -38,6 +38,7 @@ services:
   server:
     image: ghcr.io/cal-itp/eligibility-server:dev
     env_file: .devcontainer/server/.env.server
+    platform: linux/amd64
     ports:
       - "8000"
     volumes:

From 55ea8437bacb4ee9cd61276534f5ccbebd0d30cf Mon Sep 17 00:00:00 2001
From: Machiko Yasuda <machiko@compiler.la>
Date: Fri, 7 Apr 2023 02:10:54 +0000
Subject: [PATCH 08/54] docs(test): testing git

---
 docs/use-cases/college.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/use-cases/college.md b/docs/use-cases/college.md
index c66564322..d949d9c8f 100644
--- a/docs/use-cases/college.md
+++ b/docs/use-cases/college.md
@@ -1,4 +1,4 @@
-# College Discount
+# College discount
 
 We have another potential transit discount use case, which is for students/faculty/staff from the Monterey-Salinas Transit (MST) area. We will be taking [the existing program](https://mst.org/fares/overview/) where students from certain schools ride free, expanding it to faculty and staff in some cases, and allowing those riders to enroll their contactless bank (credit/debit) cards for half-price (50%) discounts during fall and winter breaks.
 

From 4852c7a2bcd26dd9d29990bcee84054361a06d00 Mon Sep 17 00:00:00 2001
From: Machiko Yasuda <machiko@compiler.la>
Date: Fri, 7 Apr 2023 02:15:37 +0000
Subject: [PATCH 09/54] test: Test git again

---
 docs/use-cases/college.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/use-cases/college.md b/docs/use-cases/college.md
index d949d9c8f..c66564322 100644
--- a/docs/use-cases/college.md
+++ b/docs/use-cases/college.md
@@ -1,4 +1,4 @@
-# College discount
+# College Discount
 
 We have another potential transit discount use case, which is for students/faculty/staff from the Monterey-Salinas Transit (MST) area. We will be taking [the existing program](https://mst.org/fares/overview/) where students from certain schools ride free, expanding it to faculty and staff in some cases, and allowing those riders to enroll their contactless bank (credit/debit) cards for half-price (50%) discounts during fall and winter breaks.
 

From 200184bb3b8250bbcf84b8ca401f418a85264571 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 7 Apr 2023 13:15:37 -0700
Subject: [PATCH 10/54] fix: try platform in compose file

---
 .devcontainer/Dockerfile | 2 +-
 appcontainer/Dockerfile  | 2 +-
 compose.yml              | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index a9f38b39c..37da0fcf9 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 benefits_client:latest
+FROM benefits_client:latest
 
 # install devcontainer requirements
 COPY .devcontainer/requirements.txt .devcontainer/requirements.txt
diff --git a/appcontainer/Dockerfile b/appcontainer/Dockerfile
index 795aecbb7..8165f5938 100644
--- a/appcontainer/Dockerfile
+++ b/appcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=linux/amd64 ghcr.io/cal-itp/docker-python-web:main
+FROM ghcr.io/cal-itp/docker-python-web:main
 
 # install python dependencies
 COPY appcontainer/requirements.txt requirements.txt
diff --git a/compose.yml b/compose.yml
index 6d284afd5..c5e2dea99 100644
--- a/compose.yml
+++ b/compose.yml
@@ -8,6 +8,7 @@ services:
       dockerfile: appcontainer/Dockerfile
     image: benefits_client:latest
     env_file: .env
+    platform: linux/amd64
     ports:
       - "${DJANGO_LOCAL_PORT:-8000}:8000"
 
@@ -21,6 +22,7 @@ services:
     entrypoint: sleep infinity
     depends_on:
       - server
+    platform: linux/amd64
     ports:
       - "${DJANGO_LOCAL_PORT:-8000}:8000"
     volumes:
@@ -30,6 +32,7 @@ services:
     image: benefits_client:dev
     entrypoint: mkdocs
     command: serve --dev-addr "0.0.0.0:8001"
+    platform: linux/amd64
     ports:
       - "8001"
     volumes:

From 6a469f3597a03135f6bb6f684f760e7dd3d26169 Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 10 Apr 2023 20:50:32 +0000
Subject: [PATCH 11/54] chore(pre-commit): autoupdate hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/Riverside-Healthcare/djLint: v1.19.16 → v1.19.17](https://github.com/Riverside-Healthcare/djLint/compare/v1.19.16...v1.19.17)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index bdbe8cfd6..d3ec0c7a2 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -61,6 +61,6 @@ repos:
         types_or: [javascript, css]
 
   - repo: https://github.com/Riverside-Healthcare/djLint
-    rev: v1.19.16
+    rev: v1.19.17
     hooks:
       - id: djlint-django

From 6cc41f083318ba03abef6a78f5b8563664f3d482 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Mon, 10 Apr 2023 23:39:31 +0000
Subject: [PATCH 12/54] refactor: move dependencies to pyproject.toml

install using pip against local source
---
 .devcontainer/Dockerfile       |  7 ++---
 .devcontainer/requirements.txt |  4 ---
 .dockerignore                  |  1 +
 appcontainer/Dockerfile        | 14 +++++-----
 appcontainer/requirements.txt  |  7 -----
 pyproject.toml                 | 47 +++++++++++++++++++++++++++++-----
 tests/pytest/requirements.txt  |  5 ----
 7 files changed, 50 insertions(+), 35 deletions(-)
 delete mode 100644 .devcontainer/requirements.txt
 delete mode 100644 appcontainer/requirements.txt
 delete mode 100644 tests/pytest/requirements.txt

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 37da0fcf9..5e50a622c 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,15 +1,12 @@
 FROM benefits_client:latest
 
 # install devcontainer requirements
-COPY .devcontainer/requirements.txt .devcontainer/requirements.txt
-RUN pip install -r .devcontainer/requirements.txt
+RUN pip install -e .[dev]
 
+# docs requirements are in a separate file for the GitHub Action
 COPY docs/requirements.txt docs/requirements.txt
 RUN pip install -r docs/requirements.txt
 
-COPY tests/pytest/requirements.txt tests/pytest/requirements.txt
-RUN pip install -r tests/pytest/requirements.txt
-
 # install pre-commit environments in throwaway Git repository
 # https://stackoverflow.com/a/68758943
 COPY .pre-commit-config.yaml .
diff --git a/.devcontainer/requirements.txt b/.devcontainer/requirements.txt
deleted file mode 100644
index adb07efea..000000000
--- a/.devcontainer/requirements.txt
+++ /dev/null
@@ -1,4 +0,0 @@
-black
-djlint
-flake8
-pre-commit
diff --git a/.dockerignore b/.dockerignore
index 5ea37e022..c4198b1d4 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -5,3 +5,4 @@
 .flake8
 .*ignore
 *.db
+*.egg-info
diff --git a/appcontainer/Dockerfile b/appcontainer/Dockerfile
index 8165f5938..6366be07c 100644
--- a/appcontainer/Dockerfile
+++ b/appcontainer/Dockerfile
@@ -1,15 +1,15 @@
 FROM ghcr.io/cal-itp/docker-python-web:main
 
-# install python dependencies
-COPY appcontainer/requirements.txt requirements.txt
-RUN pip install -r requirements.txt
+# upgrade pip
+RUN python -m pip install --upgrade pip
 
-# copy Django utility script
+# copy source files
 COPY manage.py manage.py
+COPY bin bin
+COPY benefits benefits
+COPY pyproject.toml pyproject.toml
 
-# copy source files
-COPY bin/ bin/
-COPY benefits/ benefits/
+RUN pip install -e .
 
 # ensure $USER can compile messages in the locale directories
 USER root
diff --git a/appcontainer/requirements.txt b/appcontainer/requirements.txt
deleted file mode 100644
index be66c88b3..000000000
--- a/appcontainer/requirements.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-Authlib==1.2.0
-Django==4.2
-django-csp==3.7
-eligibility-api==2023.01.1
-requests==2.28.2
-sentry-sdk==1.19.1
-six==1.16.0
diff --git a/pyproject.toml b/pyproject.toml
index 08fb8aad4..1e45ad635 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,17 +1,51 @@
-# NOTE: you have to use single-quoted strings in TOML for regular expressions.
-# It's the equivalent of r-strings in Python.  Multiline strings are treated as
-# verbose regular expressions by Black.  Use [ ] to denote a significant space
-# character.
+[build-system]
+requires = ["setuptools>=64", "wheel"]
+build-backend = "setuptools.build_meta"
 
-# Configuration for black
+[project]
+classifiers = ["Programming Language :: Python :: 3 :: Only"]
+description = "Cal-ITP Benefits is an application that enables automated eligibility verification and enrollment for transit benefits onto customers’ existing contactless bank (credit/debit) cards."
+dependencies = [
+    "Authlib==1.2.0",
+    "Django==4.2",
+    "django-csp==3.7",
+    "eligibility-api==2023.01.1",
+    "requests==2.28.2",
+    "sentry-sdk==1.19.1",
+    "six==1.16.0",
+]
+dynamic = ["version"]
+keywords = ["django"]
+license = { file = "LICENSE" }
+name = "benefits"
+readme = "README.md"
+requires-python = ">=3.9"
+
+[project.optional-dependencies]
+dev = [
+    "black",
+    "djlint",
+    "flake8",
+    "pre-commit",
+    "pytest",
+    "pytest-cov",
+    "pytest-django",
+    "pytest-mock",
+    "pytest-socket",
+]
 
+[project.urls]
+Code = "https://github.com/cal-itp/benefits"
+Documentation = "https://docs.calitp.org/benefits"
+Issues = "https://github.com/cal-itp/benefits/issues"
+
+# Configuration for black
 [tool.black]
 line-length = 127
 target-version = ['py310']
 include = '\.pyi?$'
 
 # Configuration for djlint
-
 [tool.djlint]
 ignore = "H017,H031"
 indent = 2
@@ -22,7 +56,6 @@ preserve_blank_lines = true
 use_gitignore = true
 
 # Configuration for pytest
-
 [tool.coverage.run]
 omit = [
     "benefits/core/migrations/*"
diff --git a/tests/pytest/requirements.txt b/tests/pytest/requirements.txt
deleted file mode 100644
index 4743c4a37..000000000
--- a/tests/pytest/requirements.txt
+++ /dev/null
@@ -1,5 +0,0 @@
-pytest
-pytest-cov
-pytest-django
-pytest-mock
-pytest-socket

From 9bd4343b2c094c4fb0c74e652bc43e2942148f8a Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Mon, 10 Apr 2023 23:42:27 +0000
Subject: [PATCH 13/54] ci: update dependabot, tests

---
 .github/dependabot.yml                   | 2 +-
 .github/workflows/labeler-deploy-dev.yml | 8 ++++----
 .github/workflows/tests-pytest.yml       | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 39db2af14..96c61c651 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,7 +6,7 @@
 version: 2
 updates:
   - package-ecosystem: "pip"
-    directory: "/appcontainer" # main requirements.txt
+    directory: "/" # pyproject.toml
     schedule:
       interval: "daily"
     commit-message:
diff --git a/.github/workflows/labeler-deploy-dev.yml b/.github/workflows/labeler-deploy-dev.yml
index f2e34da5f..b2441c058 100644
--- a/.github/workflows/labeler-deploy-dev.yml
+++ b/.github/workflows/labeler-deploy-dev.yml
@@ -5,11 +5,11 @@ on:
     branches: [dev]
     types: [opened]
     paths:
-      - '.github/workflows/deploy-*.yml'
-      - 'benefits/**'
-      - 'bin/**'
+      - ".github/workflows/deploy-*.yml"
+      - "benefits/**"
+      - "bin/**"
       - Dockerfile
-      - requirements.txt
+      - pyproject.toml
 
 jobs:
   label-deployment-dev:
diff --git a/.github/workflows/tests-pytest.yml b/.github/workflows/tests-pytest.yml
index 120883142..0f5cc27f1 100644
--- a/.github/workflows/tests-pytest.yml
+++ b/.github/workflows/tests-pytest.yml
@@ -18,10 +18,10 @@ jobs:
         with:
           python-version-file: .github/workflows/.python-version
           cache: pip
-          cache-dependency-path: "**/requirements.txt"
+          cache-dependency-path: "**/pyproject.toml"
 
       - name: Install Python dependencies
-        run: pip install -r appcontainer/requirements.txt -r tests/pytest/requirements.txt
+        run: pip install -e .[dev]
 
       - name: Run setup
         run: ./bin/init.sh

From 0d97c0108dd27b21466a7e1be414a96233badd4f Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Mon, 10 Apr 2023 23:51:15 +0000
Subject: [PATCH 14/54] fix: tell setuptools which package to install

---
 pyproject.toml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pyproject.toml b/pyproject.toml
index 1e45ad635..2496fc4bc 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -66,3 +66,6 @@ DJANGO_SETTINGS_MODULE = "benefits.settings"
 markers = [
     "request_path: use with session_request to initialize with the given path",
 ]
+
+[tool.setuptools]
+packages = ["benefits"]

From b981af8e5fbbf35c2a2ac97e85a4513f304bf3eb Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Mon, 10 Apr 2023 23:51:44 +0000
Subject: [PATCH 15/54] chore(devcontainer): install TOML extension

---
 .devcontainer/devcontainer.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 555a41401..8f192c4a0 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -20,6 +20,7 @@
       },
       // Add the IDs of extensions you want installed when the container is created.
       "extensions": [
+        "bungcip.better-toml",
         "batisteo.vscode-django",
         "bpruitt-goddard.mermaid-markdown-syntax-highlighting",
         "eamodio.gitlens",

From 5b5b02f620dff86563b8504275878f964575fb32 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Mon, 10 Apr 2023 23:55:47 +0000
Subject: [PATCH 16/54] refactor: split dev/test extra dependencies

no need for test runs to install dev packages
---
 .devcontainer/Dockerfile           | 2 +-
 .github/workflows/tests-pytest.yml | 2 +-
 pyproject.toml                     | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
index 5e50a622c..9063a1f42 100644
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,7 +1,7 @@
 FROM benefits_client:latest
 
 # install devcontainer requirements
-RUN pip install -e .[dev]
+RUN pip install -e .[dev,test]
 
 # docs requirements are in a separate file for the GitHub Action
 COPY docs/requirements.txt docs/requirements.txt
diff --git a/.github/workflows/tests-pytest.yml b/.github/workflows/tests-pytest.yml
index 0f5cc27f1..84b4a9f58 100644
--- a/.github/workflows/tests-pytest.yml
+++ b/.github/workflows/tests-pytest.yml
@@ -21,7 +21,7 @@ jobs:
           cache-dependency-path: "**/pyproject.toml"
 
       - name: Install Python dependencies
-        run: pip install -e .[dev]
+        run: pip install -e .[test]
 
       - name: Run setup
         run: ./bin/init.sh
diff --git a/pyproject.toml b/pyproject.toml
index 2496fc4bc..f95e11102 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -27,6 +27,8 @@ dev = [
     "djlint",
     "flake8",
     "pre-commit",
+]
+test = [
     "pytest",
     "pytest-cov",
     "pytest-django",

From 6c65db82051121ed4b6a9460db96f35d0aae89a8 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 18:56:54 +0000
Subject: [PATCH 17/54] feat(settings): enforce strict Content Security Policy

* disallow base-uri
* disallow object-src
* disallow unsafe-inline for script-src
* require nonce for script-src
---
 benefits/settings.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/benefits/settings.py b/benefits/settings.py
index 93fb0e9a5..34baa2cfd 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -271,9 +271,9 @@ def _filter_empty(ls):
 # In particular, note that the inner single-quotes are required!
 # https://django-csp.readthedocs.io/en/latest/configuration.html#policy-settings
 
-CSP_DEFAULT_SRC = ["'self'"]
+CSP_BASE_URI = ["'none'"]
 
-CSP_IMG_SRC = ["'self'", "data:"]
+CSP_DEFAULT_SRC = ["'self'"]
 
 CSP_CONNECT_SRC = ["'self'", "https://api.amplitude.com/"]
 env_connect_src = _filter_empty(os.environ.get("DJANGO_CSP_CONNECT_SRC", "").split(","))
@@ -292,8 +292,15 @@ def _filter_empty(ls):
 if len(env_frame_src) > 0:
     CSP_FRAME_SRC = env_frame_src
 
+CSP_IMG_SRC = ["'self'", "data:"]
+
+# Configuring strict Content Security Policy
+# https://django-csp.readthedocs.io/en/latest/nonce.html
+CSP_INCLUDE_NONCE_IN = ["script-src"]
+
+CSP_OBJECT_SRC = ["'none'"]
+
 CSP_SCRIPT_SRC = [
-    "'unsafe-inline'",
     "https://cdn.amplitude.com/libs/",
     "https://cdn.jsdelivr.net/",
     "*.littlepay.com",
@@ -305,7 +312,6 @@ def _filter_empty(ls):
 
 CSP_STYLE_SRC = [
     "'self'",
-    "'unsafe-inline'",
     "https://california.azureedge.net/",
     "https://fonts.googleapis.com/css",
 ]

From 9b20fa70cb6c85df03811cb95d26ae73edbf0a68 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 19:02:20 +0000
Subject: [PATCH 18/54] chore: implement nonce on <script> tags

---
 benefits/core/templates/core/base.html           | 16 ++++++++++++----
 .../core/templates/core/includes/analytics.html  |  2 +-
 benefits/core/templates/core/includes/form.html  |  4 ++--
 .../enrollment/templates/enrollment/index.html   |  2 +-
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/benefits/core/templates/core/base.html b/benefits/core/templates/core/base.html
index 06c712d3e..7567bf0ed 100644
--- a/benefits/core/templates/core/base.html
+++ b/benefits/core/templates/core/base.html
@@ -27,7 +27,10 @@
       CA State Template v6.0.7 does not include jQuery
       See https://github.com/Office-of-Digital-Services/California-State-Web-Template/releases/tag/v6.0.7
     {% endcomment %}
-    <script src="https://cdn.jsdelivr.net/npm/jquery@3.6.1/dist/jquery.min.js" integrity="sha256-o88AwQnZB+VDvE9tvIXrMQaPlFFSUTR+nldQm1LuPXQ=" crossorigin="anonymous"></script>
+    <script nonce="{{ request.csp_nonce }}"
+            src="https://cdn.jsdelivr.net/npm/jquery@3.6.1/dist/jquery.min.js"
+            integrity="sha256-o88AwQnZB+VDvE9tvIXrMQaPlFFSUTR+nldQm1LuPXQ="
+            crossorigin="anonymous"></script>
 
     {% include "core/includes/analytics.html" with api_key=analytics.api_key uid=analytics.uid did=analytics.did %}
   </head>
@@ -125,9 +128,12 @@ <h1>{{ page.headline }}</h1>
 
       But we aren't using CA State Template Javascript, so include Bootstrap directly
     {% endcomment %}
-    <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js" integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p" crossorigin="anonymous"></script>
+    <script nonce="{{ request.csp_nonce }}"
+            src="https://cdn.jsdelivr.net/npm/bootstrap@5.1.3/dist/js/bootstrap.bundle.min.js"
+            integrity="sha384-ka7Sk0Gln4gmtz2MlQnikT1wXgYsOg+OMhuP+IlRH9sENBO0LRn5q+8nbTov4+1p"
+            crossorigin="anonymous"></script>
 
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       $(function() {
         document.cookie = "testcookie"
         if (document.cookie.indexOf("testcookie") < 0) {
@@ -144,6 +150,8 @@ <h1>{{ page.headline }}</h1>
       });
     </script>
 
-    {% if request.recaptcha %}<script src="{{ request.recaptcha.script_api }}"></script>{% endif %}
+    {% if request.recaptcha %}
+      <script nonce="{{ request.csp_nonce }}" src="{{ request.recaptcha.script_api }}"></script>
+    {% endif %}
   </body>
 </html>
diff --git a/benefits/core/templates/core/includes/analytics.html b/benefits/core/templates/core/includes/analytics.html
index bb1ef84a6..1efd2eb93 100644
--- a/benefits/core/templates/core/includes/analytics.html
+++ b/benefits/core/templates/core/includes/analytics.html
@@ -1,4 +1,4 @@
-<script type="text/javascript">
+<script nonce="{{ request.csp_nonce }}" type="text/javascript">
     (function(e,t){var n=e.amplitude||{_q:[],_iq:{}};var r=t.createElement("script")
         ;r.type="text/javascript"
         ;r.integrity="sha384-u0hlTAJ1tNefeBKwiBNwB4CkHZ1ck4ajx/pKmwWtc+IufKJiCQZ+WjJIi+7C6Ntm"
diff --git a/benefits/core/templates/core/includes/form.html b/benefits/core/templates/core/includes/form.html
index 66b917844..bb6108629 100644
--- a/benefits/core/templates/core/includes/form.html
+++ b/benefits/core/templates/core/includes/form.html
@@ -46,7 +46,7 @@
       </div>
     {% endif %}
 
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
       $(function() {
         // listen for a custom "submitting" event on the form, for button interactions
         $("#{{ form.id }}").on("submitting", function(e) {
@@ -77,7 +77,7 @@
       {% endcomment %}
       <input type="hidden" name="{{ request.recaptcha.data_field }}" value="">
 
-      <script>
+      <script nonce="{{ request.csp_nonce }}">
         function recaptchaSubmit($event) {
           // checks the validity of the form. Return if invalid; HTML5 validation errors should display
           if (!$event.currentTarget.form.checkValidity()) {
diff --git a/benefits/enrollment/templates/enrollment/index.html b/benefits/enrollment/templates/enrollment/index.html
index 7d28f59d3..b45577d03 100644
--- a/benefits/enrollment/templates/enrollment/index.html
+++ b/benefits/enrollment/templates/enrollment/index.html
@@ -15,7 +15,7 @@ <h1 class="pb-lg-8 pb-4">{{ page.headline }}</h1>
 
   {% comment %} This Javascript code must be before the forms. {% endcomment %}
   {% if payment_processor %}
-    <script>
+    <script nonce="{{ request.csp_nonce }}">
             var startedEvent = "started payment connection", closedEvent = "closed payment connection";
 
             $.getScript("{{ payment_processor.card_tokenize_url }}")

From ad9730d1fa99fc08bbfa63bdf0f51fb2dbd13432 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 19:09:24 +0000
Subject: [PATCH 19/54] chore(analytics): add nonce to inject <script> tag

---
 benefits/core/templates/core/includes/analytics.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/benefits/core/templates/core/includes/analytics.html b/benefits/core/templates/core/includes/analytics.html
index 1efd2eb93..04302a603 100644
--- a/benefits/core/templates/core/includes/analytics.html
+++ b/benefits/core/templates/core/includes/analytics.html
@@ -4,6 +4,7 @@
         ;r.integrity="sha384-u0hlTAJ1tNefeBKwiBNwB4CkHZ1ck4ajx/pKmwWtc+IufKJiCQZ+WjJIi+7C6Ntm"
         ;r.crossOrigin="anonymous";r.async=true
         ;r.src="https://cdn.amplitude.com/libs/amplitude-8.1.0-min.gz.js"
+        ;r.nonce="{{ request.csp_nonce }}"
         ;r.onload=function(){if(!e.amplitude.runQueuedFunctions){
             console.log("[Amplitude] Error: could not load SDK")}}
         ;var i=t.getElementsByTagName("script")[0];i.parentNode.insertBefore(r,i)

From 24d954f47bf075e0879bbab46f629d31a90cbce2 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 19:11:36 +0000
Subject: [PATCH 20/54] chore(enrollment): add nonce to payment processor
 script

use the more generic $.ajax() to download the script and apply the nonce
before execution
---
 benefits/enrollment/templates/enrollment/index.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benefits/enrollment/templates/enrollment/index.html b/benefits/enrollment/templates/enrollment/index.html
index b45577d03..70d0cd0c1 100644
--- a/benefits/enrollment/templates/enrollment/index.html
+++ b/benefits/enrollment/templates/enrollment/index.html
@@ -18,7 +18,7 @@ <h1 class="pb-lg-8 pb-4">{{ page.headline }}</h1>
     <script nonce="{{ request.csp_nonce }}">
             var startedEvent = "started payment connection", closedEvent = "closed payment connection";
 
-            $.getScript("{{ payment_processor.card_tokenize_url }}")
+            $.ajax({ dataType: "script", attrs: { nonce: "{{ request.csp_nonce }}"}, url: "{{ payment_processor.card_tokenize_url }}" })
                 .done(function() {
                 $.get("{{ payment_processor.access_token_url }}", function(data) {
                     $(".loading").remove();

From 2faabec10a69caecd065b1a35ca009ba081d85cc Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 19:32:02 +0000
Subject: [PATCH 21/54] feat(sentry): support CSP report-uri directive

sentry has out of the box support for receiving CSP reports
https://docs.sentry.io/product/security-policy-reporting/
---
 benefits/sentry.py       | 5 +++++
 benefits/settings.py     | 3 +++
 terraform/app_service.tf | 1 +
 3 files changed, 9 insertions(+)

diff --git a/benefits/sentry.py b/benefits/sentry.py
index f5198dbb4..68e4a82b4 100644
--- a/benefits/sentry.py
+++ b/benefits/sentry.py
@@ -10,6 +10,7 @@
 
 
 SENTRY_ENVIRONMENT = os.environ.get("SENTRY_ENVIRONMENT", "local")
+SENTRY_CSP_REPORT_URI = None
 
 
 def git_available():
@@ -82,5 +83,9 @@ def configure():
             send_default_pii=False,
             event_scrubber=EventScrubber(denylist=get_denylist()),
         )
+
+        # override the module-level variable when configuration happens, if set
+        global SENTRY_CSP_REPORT_URI
+        SENTRY_CSP_REPORT_URI = os.environ.get("SENTRY_REPORT_URI", "")
     else:
         print("SENTRY_DSN not set, so won't send events")
diff --git a/benefits/settings.py b/benefits/settings.py
index 34baa2cfd..aff3e6640 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -300,6 +300,9 @@ def _filter_empty(ls):
 
 CSP_OBJECT_SRC = ["'none'"]
 
+if sentry.SENTRY_CSP_REPORT_URI:
+    CSP_REPORT_URI = [sentry.SENTRY_CSP_REPORT_URI]
+
 CSP_SCRIPT_SRC = [
     "https://cdn.amplitude.com/libs/",
     "https://cdn.jsdelivr.net/",
diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 03e733b7b..8ffb6d689 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -78,6 +78,7 @@ resource "azurerm_linux_web_app" "main" {
     # Sentry
     "SENTRY_DSN"         = "${local.secret_prefix}sentry-dsn)",
     "SENTRY_ENVIRONMENT" = local.env_name,
+    "SENTRY_REPORT_URI"  = "${local.secret_prefix}sentry-report-uri)",
 
     # Environment variables for data migration
     "MST_SENIOR_GROUP_ID"                            = "${local.secret_prefix}mst-senior-group-id)",

From 02b5ef91f122b06b4df91d2b85d970c94e4b328c Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 21:16:44 +0000
Subject: [PATCH 22/54] docs: strict CSP, Sentry report-uri config

---
 docs/configuration/content-security-policy.md |  6 +++++-
 docs/configuration/environment-variables.md   | 10 ++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/docs/configuration/content-security-policy.md b/docs/configuration/content-security-policy.md
index bbff840d1..3d22c189e 100644
--- a/docs/configuration/content-security-policy.md
+++ b/docs/configuration/content-security-policy.md
@@ -6,10 +6,14 @@
 
 > The HTTP `Content-Security-Policy` response header allows web site administrators to control resources the user agent is
 > allowed to load for a given page.
-
+>
 > With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against
 > cross-site scripting attacks
 
+!!! warning "Strict CSP"
+
+    Benefits configures a Strict Content Security Policy. Read more about Strict CSP from Google: <https://csp.withgoogle.com/docs/strict-csp.html>.
+
 ## `django-csp`
 
 !!! tldr "django-csp docs"
diff --git a/docs/configuration/environment-variables.md b/docs/configuration/environment-variables.md
index 63226dab7..c218be2f1 100644
--- a/docs/configuration/environment-variables.md
+++ b/docs/configuration/environment-variables.md
@@ -177,5 +177,15 @@ Enables [sending events to Sentry](../../deployment/troubleshooting/#error-monit
 
 Segments errors by which deployment they occur in. This defaults to `local`, and can be set to match one of the [environment names](../../deployment/infrastructure/#environments).
 
+### `SENTRY_REPORT_URI`
+
+!!! tldr "Sentry docs"
+
+    [Security Policy Reporting](https://docs.sentry.io/product/security-policy-reporting/)
+
+Collect information on Content-Security-Policy (CSP) violations. Read more about [CSP configuration in Benefits](./content-security-policy.md).
+
+To enable report collection, set this env var to the authenticated Sentry endpoint.
+
 [app-service-config]: https://docs.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal
 [getting-started_create-env]: ../getting-started/README.md#create-an-environment-file

From 1f7c9e9eba36bb069c5dca8690c7580108aad0c8 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 20:44:43 +0000
Subject: [PATCH 23/54] docs: reword to more generic Agency Cards

---
 docs/use-cases/agency-cards.md   | 72 ++++++++++++++++++++++++++++++++
 docs/use-cases/courtesy-cards.md | 60 --------------------------
 mkdocs.yml                       |  1 +
 3 files changed, 73 insertions(+), 60 deletions(-)
 create mode 100644 docs/use-cases/agency-cards.md
 delete mode 100644 docs/use-cases/courtesy-cards.md

diff --git a/docs/use-cases/agency-cards.md b/docs/use-cases/agency-cards.md
new file mode 100644
index 000000000..af586a457
--- /dev/null
+++ b/docs/use-cases/agency-cards.md
@@ -0,0 +1,72 @@
+# Agency Cards
+
+_Agency Cards_ is a generic term for reduced fare programs offered by Transit Providers, such as the
+[Courtesy Card program from Monterey-Salinas Transit (MST)](https://mst.org/riders-guide/how-to-ride/courtesy-card/).
+
+Agency cards are different from our other use cases in that eligibility verification happens on the agency side (offline) rather
+than through the Benefits app, and the Benefits app then checks for a valid Agency Card via an [Eligibility API call](https://docs.calitp.org/eligibility-api/specification/).
+
+## Architecture
+
+In order to support an Agency Cards deployment, the Transit Provider produces a list of eligible users
+(CSV format) that is loaded into an instance of [Eligibility Server](https://docs.calitp.org/eligibility-server/) running in the Transit Provider's cloud.
+
+Cal-ITP makes the [`hashfields` tool](https://docs.calitp.org/hashfields) to facilitate masking user data before it leaves Transit Provider on-premises systems.
+
+The complete system architecture looks like:
+
+```mermaid
+flowchart LR
+    rider((User's browser))
+    api[Eligibility Server]
+    data[Hashed Agency Card data]
+    cardsystem[Data source]
+
+    rider --> Benefits
+
+    subgraph CDT Azure
+        Benefits
+    end
+
+    Benefits --> api
+
+    subgraph Transit Provider cloud
+        api --> data
+    end
+
+    subgraph Transit Provider on-prem
+        cardsystem --> hashfields
+    end
+
+    hashfields --> data
+```
+
+Notes:
+
+- [Eligibility Server source code](https://github.com/cal-itp/eligibility-server)
+- [hashfields source code](https://github.com/cal-itp/hashfields)
+- [More details about the Benefits architecture](../../deployment/infrastructure/#architecture)
+- In MST, the `Data Source` is Velocity, the system MST uses to manage and print Courtesy Cards
+
+## Process
+
+```mermaid
+sequenceDiagram
+    actor Rider
+    participant Benefits as Benefits app
+    participant elig_server as Eligibility Server
+    participant cc_data as Hashed data
+    participant Data Source
+    participant Littlepay
+
+    Data Source-->>cc_data: exports nightly
+    cc_data-->>elig_server: gets loaded on Server start
+
+    Rider->>Benefits: visits site
+    Benefits-->>elig_server: passes entered Agency Card details
+    elig_server-->>Benefits: confirms eligibility
+
+    Benefits-->>Littlepay: enrollment start
+    Rider->>Littlepay: enters payment card details
+    Littlepay-->>Benefits: enrollment complete
+```
diff --git a/docs/use-cases/courtesy-cards.md b/docs/use-cases/courtesy-cards.md
deleted file mode 100644
index 840380d44..000000000
--- a/docs/use-cases/courtesy-cards.md
+++ /dev/null
@@ -1,60 +0,0 @@
-# Courtesy Cards
-
-Courtesy Cards are [a reduced fare program from Monterey-Salinas Transit (MST)](https://mst.org/riders-guide/how-to-ride/courtesy-card/). We more generically refer to these "agency cards", in that they are issued by a transit agency. They are different from our other use cases in that eligibility verification happens on the agency side (offline) rather than through the Benefits app, and the Benefits app then checks for a valid Courtesy Card via an [Eligibility API call](https://docs.calitp.org/eligibility-api/specification/).
-
-## Architecture
-
-```mermaid
-flowchart LR
-    rider((User's browser))
-    api[Eligibility Server]
-    data[Hashed Courtesy Card data]
-    velocity[SQL Server]
-
-    rider --> Benefits
-
-    subgraph CDT Azure
-        Benefits
-    end
-
-    Benefits --> api
-
-    subgraph MST Azure
-        api --> data
-    end
-
-    subgraph MST Velocity
-        velocity --> hashfields
-    end
-
-    hashfields --> data
-```
-
-Notes:
-
-- [Eligibility Server documentation](https://docs.calitp.org/eligibility-server/)
-- [More details about the Benefits architecture](../../deployment/infrastructure/#architecture)
-- Velocity is the system MST uses to manage Courtesy Cards
-
-## Process
-
-```mermaid
-sequenceDiagram
-    actor Rider
-    participant Benefits as Benefits app
-    participant elig_server as Eligibility Server
-    participant cc_data as Hashed data
-    participant Velocity
-    participant Littlepay
-
-    Velocity-->>cc_data: exports nightly
-    cc_data-->>elig_server: gets loaded on Server start
-
-    Rider->>Benefits: visits site
-    Benefits-->>elig_server: passes entered Courtesy Card details
-    elig_server-->>Benefits: confirms eligibility
-
-    Benefits-->>Littlepay: enrollment start
-    Rider->>Littlepay: enters payment card details
-    Littlepay-->>Benefits: enrollment complete
-```
diff --git a/mkdocs.yml b/mkdocs.yml
index 2697220ff..7ea374833 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -39,6 +39,7 @@ plugins:
         "getting-started/development.md": "development/README.md"
         "getting-started/docker-dynamic-ports.md": "development/docker-dynamic-ports.md"
         "students.md": "use-cases/college.md"
+        "use-cases/courtesy-cards.md": "use-cases/agency-cards.md"
         "use-cases/students.md": "use-cases/college.md"
 
 extra_css:

From 0b2b23086e2518648881a12c23b6ba3c6ac86618 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 20:46:35 +0000
Subject: [PATCH 24/54] docs: update interconnections graph

* add sentry
* make more generic Courtesy Cards --> Agency Cards
---
 docs/deployment/infrastructure.md | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/docs/deployment/infrastructure.md b/docs/deployment/infrastructure.md
index 954457a17..4e5fad752 100644
--- a/docs/deployment/infrastructure.md
+++ b/docs/deployment/infrastructure.md
@@ -8,18 +8,18 @@ The infrastructure is configured as code via [Terraform](https://www.terraform.i
 
 ```mermaid
 flowchart LR
-    %% DMV integration is currently disabled, hence the lines commented out below
-
-    %% dmv[DMV Eligibility Verification API]
     benefits[Benefits application]
     style benefits stroke-width:5px
     recaptcha[Google reCAPTCHA]
     rider((User's browser))
     idg[Identity Gateway]
-    mst_elig[Eligibility Server]
-    cc_data[(Courtesy Card data)]
+    elig_server[Eligibility Server]
+    cc_data[(Agency Card data)]
     cookies[(Cookies)]
 
+    benefits -->|Errors| sentry
+    elig_server -->|Errors| sentry
+
     rider --> benefits
     rider -->|Credentials and identity proofing| Login.gov
     rider --> recaptcha
@@ -29,13 +29,12 @@ flowchart LR
 
     benefits --> idg
     benefits <--> recaptcha
-    %% benefits --> dmv
     benefits -->|Events| Amplitude
     benefits -->|Group enrollment| Littlepay
-    benefits --> mst_elig
+    benefits --> elig_server
 
-    subgraph "MST (Courtesy Cards)"
-    mst_elig --> cc_data
+    subgraph "Agency Cards (e.g. MST Courtesy Cards)"
+    elig_server --> cc_data
     end
 
     idg --> Login.gov

From bceb52ad1e6adde22099661e1971e77763d6d2ae Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 22:11:52 +0000
Subject: [PATCH 25/54] docs: fix cc_data --> ac_data

---
 docs/deployment/infrastructure.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/deployment/infrastructure.md b/docs/deployment/infrastructure.md
index 4e5fad752..97afea83e 100644
--- a/docs/deployment/infrastructure.md
+++ b/docs/deployment/infrastructure.md
@@ -14,7 +14,7 @@ flowchart LR
     rider((User's browser))
     idg[Identity Gateway]
     elig_server[Eligibility Server]
-    cc_data[(Agency Card data)]
+    ac_data[(Agency Card data)]
     cookies[(Cookies)]
 
     benefits -->|Errors| sentry
@@ -34,7 +34,7 @@ flowchart LR
     benefits --> elig_server
 
     subgraph "Agency Cards (e.g. MST Courtesy Cards)"
-    elig_server --> cc_data
+    elig_server --> ac_data
     end
 
     idg --> Login.gov

From 9d0c22a983eee0f6d2fa053d105660e93e67807c Mon Sep 17 00:00:00 2001
From: "pre-commit-ci[bot]"
 <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Mon, 17 Apr 2023 20:27:01 +0000
Subject: [PATCH 26/54] chore(pre-commit): autoupdate hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

updates:
- [github.com/Riverside-Healthcare/djLint: v1.19.17 → v1.23.0](https://github.com/Riverside-Healthcare/djLint/compare/v1.19.17...v1.23.0)
---
 .pre-commit-config.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index d3ec0c7a2..cdd00d11b 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -61,6 +61,6 @@ repos:
         types_or: [javascript, css]
 
   - repo: https://github.com/Riverside-Healthcare/djLint
-    rev: v1.19.17
+    rev: v1.23.0
     hooks:
       - id: djlint-django

From c5227b9f5e96afe6c085e8cbbc609442ada6202b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 17 Apr 2023 22:06:43 +0000
Subject: [PATCH 27/54] chore(deps-dev): bump cypress from 12.9.0 to 12.10.0 in
 /tests/cypress

Bumps [cypress](https://github.com/cypress-io/cypress) from 12.9.0 to 12.10.0.
- [Release notes](https://github.com/cypress-io/cypress/releases)
- [Changelog](https://github.com/cypress-io/cypress/blob/develop/CHANGELOG.md)
- [Commits](https://github.com/cypress-io/cypress/compare/v12.9.0...v12.10.0)

---
updated-dependencies:
- dependency-name: cypress
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 tests/cypress/package-lock.json | 51 +++++++++++++++++----------------
 tests/cypress/package.json      |  2 +-
 2 files changed, 28 insertions(+), 25 deletions(-)

diff --git a/tests/cypress/package-lock.json b/tests/cypress/package-lock.json
index 55f2253d6..bc1a942d8 100644
--- a/tests/cypress/package-lock.json
+++ b/tests/cypress/package-lock.json
@@ -9,7 +9,7 @@
       "version": "1.0.0",
       "license": "AGPL-3.0-or-later",
       "devDependencies": {
-        "cypress": "^12.9.0"
+        "cypress": "^12.10.0"
       }
     },
     "node_modules/@colors/colors": {
@@ -479,9 +479,9 @@
       }
     },
     "node_modules/commander": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-5.1.0.tgz",
-      "integrity": "sha512-P0CysNDQ7rtVw4QIQtm+MRxV66vKFSvlsQvGYXZWR3qFU0jlMKHZZZgw8e+8DSah4UDKMqnknRDQz+xuQXQ/Zg==",
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-6.2.1.tgz",
+      "integrity": "sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==",
       "dev": true,
       "engines": {
         "node": ">= 6"
@@ -523,9 +523,9 @@
       }
     },
     "node_modules/cypress": {
-      "version": "12.9.0",
-      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.9.0.tgz",
-      "integrity": "sha512-Ofe09LbHKgSqX89Iy1xen2WvpgbvNxDzsWx3mgU1mfILouELeXYGwIib3ItCwoRrRifoQwcBFmY54Vs0zw7QCg==",
+      "version": "12.10.0",
+      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.10.0.tgz",
+      "integrity": "sha512-Y0wPc221xKKW1/4iAFCphkrG2jNR4MjOne3iGn4mcuCaE7Y5EtXL83N8BzRsAht7GYfWVjJ/UeTqEdDKHz39HQ==",
       "dev": true,
       "hasInstallScript": true,
       "dependencies": {
@@ -543,7 +543,7 @@
         "check-more-types": "^2.24.0",
         "cli-cursor": "^3.1.0",
         "cli-table3": "~0.6.1",
-        "commander": "^5.1.0",
+        "commander": "^6.2.1",
         "common-tags": "^1.8.0",
         "dayjs": "^1.10.4",
         "debug": "^4.3.4",
@@ -561,7 +561,7 @@
         "listr2": "^3.8.3",
         "lodash": "^4.17.21",
         "log-symbols": "^4.0.0",
-        "minimist": "^1.2.6",
+        "minimist": "^1.2.8",
         "ospath": "^1.2.2",
         "pretty-bytes": "^5.6.0",
         "proxy-from-env": "1.0.0",
@@ -1280,10 +1280,13 @@
       }
     },
     "node_modules/minimist": {
-      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
-      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
-      "dev": true
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
+      "dev": true,
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
     },
     "node_modules/ms": {
       "version": "2.1.2",
@@ -2167,9 +2170,9 @@
       }
     },
     "commander": {
-      "version": "5.1.0",
-      "resolved": "https://registry.npmjs.org/commander/-/commander-5.1.0.tgz",
-      "integrity": "sha512-P0CysNDQ7rtVw4QIQtm+MRxV66vKFSvlsQvGYXZWR3qFU0jlMKHZZZgw8e+8DSah4UDKMqnknRDQz+xuQXQ/Zg==",
+      "version": "6.2.1",
+      "resolved": "https://registry.npmjs.org/commander/-/commander-6.2.1.tgz",
+      "integrity": "sha512-U7VdrJFnJgo4xjrHpTzu0yrHPGImdsmD95ZlgYSEajAn2JKzDhDTPG9kBTefmObL2w/ngeZnilk+OV9CG3d7UA==",
       "dev": true
     },
     "common-tags": {
@@ -2202,9 +2205,9 @@
       }
     },
     "cypress": {
-      "version": "12.9.0",
-      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.9.0.tgz",
-      "integrity": "sha512-Ofe09LbHKgSqX89Iy1xen2WvpgbvNxDzsWx3mgU1mfILouELeXYGwIib3ItCwoRrRifoQwcBFmY54Vs0zw7QCg==",
+      "version": "12.10.0",
+      "resolved": "https://registry.npmjs.org/cypress/-/cypress-12.10.0.tgz",
+      "integrity": "sha512-Y0wPc221xKKW1/4iAFCphkrG2jNR4MjOne3iGn4mcuCaE7Y5EtXL83N8BzRsAht7GYfWVjJ/UeTqEdDKHz39HQ==",
       "dev": true,
       "requires": {
         "@cypress/request": "^2.88.10",
@@ -2221,7 +2224,7 @@
         "check-more-types": "^2.24.0",
         "cli-cursor": "^3.1.0",
         "cli-table3": "~0.6.1",
-        "commander": "^5.1.0",
+        "commander": "^6.2.1",
         "common-tags": "^1.8.0",
         "dayjs": "^1.10.4",
         "debug": "^4.3.4",
@@ -2239,7 +2242,7 @@
         "listr2": "^3.8.3",
         "lodash": "^4.17.21",
         "log-symbols": "^4.0.0",
-        "minimist": "^1.2.6",
+        "minimist": "^1.2.8",
         "ospath": "^1.2.2",
         "pretty-bytes": "^5.6.0",
         "proxy-from-env": "1.0.0",
@@ -2770,9 +2773,9 @@
       }
     },
     "minimist": {
-      "version": "1.2.6",
-      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
-      "integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
+      "version": "1.2.8",
+      "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.8.tgz",
+      "integrity": "sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==",
       "dev": true
     },
     "ms": {
diff --git a/tests/cypress/package.json b/tests/cypress/package.json
index 29eb4e440..6e77d1306 100644
--- a/tests/cypress/package.json
+++ b/tests/cypress/package.json
@@ -12,6 +12,6 @@
   "license": "AGPL-3.0-or-later",
   "private": true,
   "devDependencies": {
-    "cypress": "^12.9.0"
+    "cypress": "^12.10.0"
   }
 }

From 3a1c7da3c437dd22b66d045a95497451bbad0f7c Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Tue, 18 Apr 2023 00:04:58 +0000
Subject: [PATCH 28/54] refactor: MST-specific payment processor

---
 benefits/core/migrations/0002_data.py | 46 ++++++++--------
 terraform/app_service.tf              | 78 +++++++++++++--------------
 2 files changed, 62 insertions(+), 62 deletions(-)

diff --git a/benefits/core/migrations/0002_data.py b/benefits/core/migrations/0002_data.py
index d7439b95e..910aa3adb 100644
--- a/benefits/core/migrations/0002_data.py
+++ b/benefits/core/migrations/0002_data.py
@@ -89,19 +89,19 @@ def load_data(app, *args, **kwargs):
 -----END CERTIFICATE-----
 """
 
-    payment_processor_client_cert = PemData.objects.create(
-        text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT", dummy_cert_text),
-        label="Payment processor client certificate",
+    mst_payment_processor_client_cert = PemData.objects.create(
+        text=os.environ.get("MST_PAYMENT_PROCESSOR_CLIENT_CERT", dummy_cert_text),
+        label="MST payment processor client certificate",
     )
 
-    payment_processor_client_cert_private_key = PemData.objects.create(
-        text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", client_private_key.text),
-        label="Payment processor client certificate private key",
+    mst_payment_processor_client_cert_private_key = PemData.objects.create(
+        text=os.environ.get("MST_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", client_private_key.text),
+        label="MST payment processor client certificate private key",
     )
 
-    payment_processor_client_cert_root_ca = PemData.objects.create(
-        text=os.environ.get("PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA", dummy_cert_text),
-        label="Payment processor client certificate root CA",
+    mst_payment_processor_client_cert_root_ca = PemData.objects.create(
+        text=os.environ.get("MST_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA", dummy_cert_text),
+        label="MST payment processor client certificate root CA",
     )
 
     AuthProvider = app.get_model("core", "AuthProvider")
@@ -204,18 +204,18 @@ def load_data(app, *args, **kwargs):
 
     PaymentProcessor = app.get_model("core", "PaymentProcessor")
 
-    payment_processor = PaymentProcessor.objects.create(
-        name=os.environ.get("PAYMENT_PROCESSOR_NAME", "Test Payment Processor"),
-        api_base_url=os.environ.get("PAYMENT_PROCESSOR_API_BASE_URL", "http://server:8000"),
-        api_access_token_endpoint=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT", "access-token"),
-        api_access_token_request_key=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY", "request_access"),
-        api_access_token_request_val=os.environ.get("PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL", "REQUEST_ACCESS"),
-        card_tokenize_url=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_URL", "http://server:8000/static/tokenize.js"),
-        card_tokenize_func=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC", "tokenize"),
-        card_tokenize_env=os.environ.get("PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV", "test"),
-        client_cert=payment_processor_client_cert,
-        client_cert_private_key=payment_processor_client_cert_private_key,
-        client_cert_root_ca=payment_processor_client_cert_root_ca,
+    mst_payment_processor = PaymentProcessor.objects.create(
+        name=os.environ.get("MST_PAYMENT_PROCESSOR_NAME", "Test Payment Processor"),
+        api_base_url=os.environ.get("MST_PAYMENT_PROCESSOR_API_BASE_URL", "http://server:8000"),
+        api_access_token_endpoint=os.environ.get("MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT", "access-token"),
+        api_access_token_request_key=os.environ.get("MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY", "request_access"),
+        api_access_token_request_val=os.environ.get("MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL", "REQUEST_ACCESS"),
+        card_tokenize_url=os.environ.get("MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL", "http://server:8000/static/tokenize.js"),
+        card_tokenize_func=os.environ.get("MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC", "tokenize"),
+        card_tokenize_env=os.environ.get("MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV", "test"),
+        client_cert=mst_payment_processor_client_cert,
+        client_cert_private_key=mst_payment_processor_client_cert_private_key,
+        client_cert_root_ca=mst_payment_processor_client_cert_root_ca,
         customer_endpoint="customer",
         customers_endpoint="customers",
         group_endpoint="group",
@@ -240,7 +240,7 @@ def load_data(app, *args, **kwargs):
         private_key=client_private_key,
         public_key=client_public_key,
         jws_signing_alg=os.environ.get("MST_AGENCY_JWS_SIGNING_ALG", "RS256"),
-        payment_processor=payment_processor,
+        payment_processor=mst_payment_processor,
         eligibility_index_intro=_("eligibility.pages.index.p[0].mst"),
     )
     mst_agency.eligibility_types.set([mst_senior_type, mst_courtesy_card_type])
@@ -258,7 +258,7 @@ def load_data(app, *args, **kwargs):
         private_key=client_private_key,
         public_key=client_public_key,
         jws_signing_alg=os.environ.get("SACRT_AGENCY_JWS_SIGNING_ALG", "RS256"),
-        payment_processor=payment_processor,
+        payment_processor=mst_payment_processor,
         eligibility_index_intro=_("eligibility.pages.index.p[0].sacrt"),
     )
     sacrt_agency.eligibility_types.set([sacrt_senior_type])
diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 03e733b7b..0b4f557ed 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -80,45 +80,45 @@ resource "azurerm_linux_web_app" "main" {
     "SENTRY_ENVIRONMENT" = local.env_name,
 
     # Environment variables for data migration
-    "MST_SENIOR_GROUP_ID"                            = "${local.secret_prefix}mst-senior-group-id)",
-    "MST_COURTESY_CARD_GROUP_ID"                     = "${local.secret_prefix}mst-courtesy-card-group-id)"
-    "SACRT_SENIOR_GROUP_ID"                          = "${local.secret_prefix}sacrt-senior-group-id)"
-    "CLIENT_PRIVATE_KEY"                             = "${local.secret_prefix}client-private-key)"
-    "CLIENT_PUBLIC_KEY"                              = "${local.secret_prefix}client-public-key)"
-    "SERVER_PUBLIC_KEY_URL"                          = "${local.secret_prefix}server-public-key-url)"
-    "PAYMENT_PROCESSOR_CLIENT_CERT"                  = "${local.secret_prefix}payment-processor-client-cert)"
-    "PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"      = "${local.secret_prefix}payment-processor-client-cert-private-key)"
-    "PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"          = "${local.secret_prefix}payment-processor-client-cert-root-ca)"
-    "AUTH_PROVIDER_CLIENT_NAME"                      = "${local.secret_prefix}auth-provider-client-name)"
-    "AUTH_PROVIDER_CLIENT_ID"                        = "${local.secret_prefix}auth-provider-client-id)"
-    "AUTH_PROVIDER_AUTHORITY"                        = "${local.secret_prefix}auth-provider-authority)"
-    "AUTH_PROVIDER_SCOPE"                            = "${local.secret_prefix}auth-provider-scope)"
-    "AUTH_PROVIDER_CLAIM"                            = "${local.secret_prefix}auth-provider-claim)"
-    "MST_OAUTH_VERIFIER_NAME"                        = "${local.secret_prefix}mst-oauth-verifier-name)"
-    "COURTESY_CARD_VERIFIER"                         = "${local.secret_prefix}courtesy-card-verifier)"
-    "COURTESY_CARD_VERIFIER_API_URL"                 = "${local.secret_prefix}courtesy-card-verifier-api-url)"
-    "COURTESY_CARD_VERIFIER_API_AUTH_HEADER"         = "${local.secret_prefix}courtesy-card-verifier-api-auth-header)"
-    "COURTESY_CARD_VERIFIER_API_AUTH_KEY"            = "${local.secret_prefix}courtesy-card-verifier-api-auth-key)"
-    "COURTESY_CARD_VERIFIER_JWE_CEK_ENC"             = "${local.secret_prefix}courtesy-card-verifier-jwe-cek-enc)"
-    "COURTESY_CARD_VERIFIER_JWE_ENCRYPTION_ALG"      = "${local.secret_prefix}courtesy-card-verifier-jwe-encryption-alg)"
-    "COURTESY_CARD_VERIFIER_JWS_SIGNING_ALG"         = "${local.secret_prefix}courtesy-card-verifier-jws-signing-alg)"
-    "SACRT_OAUTH_VERIFIER_NAME"                      = "${local.secret_prefix}sacrt-oauth-verifier-name)"
-    "PAYMENT_PROCESSOR_NAME"                         = "${local.secret_prefix}payment-processor-name)"
-    "PAYMENT_PROCESSOR_API_BASE_URL"                 = "${local.secret_prefix}payment-processor-api-base-url)"
-    "PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"    = "${local.secret_prefix}payment-processor-api-access-token-endpoint)"
-    "PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY" = "${local.secret_prefix}payment-processor-api-access-token-request-key)"
-    "PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL" = "${local.secret_prefix}payment-processor-api-access-token-request-val)"
-    "PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"            = "${local.secret_prefix}payment-processor-card-tokenize-url)"
-    "PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"           = "${local.secret_prefix}payment-processor-card-tokenize-func)"
-    "PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"            = "${local.secret_prefix}payment-processor-card-tokenize-env)"
-    "MST_AGENCY_SHORT_NAME"                          = "${local.secret_prefix}mst-agency-short-name)"
-    "MST_AGENCY_LONG_NAME"                           = "${local.secret_prefix}mst-agency-long-name)"
-    "MST_AGENCY_JWS_SIGNING_ALG"                     = "${local.secret_prefix}mst-agency-jws-signing-alg)"
-    "SACRT_AGENCY_SHORT_NAME"                        = "${local.secret_prefix}sacrt-agency-short-name)"
-    "SACRT_AGENCY_LONG_NAME"                         = "${local.secret_prefix}sacrt-agency-long-name)"
-    "SACRT_AGENCY_MERCHANT_ID"                       = "${local.secret_prefix}sacrt-agency-merchant-id)"
-    "SACRT_AGENCY_ACTIVE"                            = "${local.secret_prefix}sacrt-agency-active)"
-    "SACRT_AGENCY_JWS_SIGNING_ALG"                   = "${local.secret_prefix}sacrt-agency-jws-signing-alg)"
+    "MST_SENIOR_GROUP_ID"                                = "${local.secret_prefix}mst-senior-group-id)",
+    "MST_COURTESY_CARD_GROUP_ID"                         = "${local.secret_prefix}mst-courtesy-card-group-id)"
+    "SACRT_SENIOR_GROUP_ID"                              = "${local.secret_prefix}sacrt-senior-group-id)"
+    "CLIENT_PRIVATE_KEY"                                 = "${local.secret_prefix}client-private-key)"
+    "CLIENT_PUBLIC_KEY"                                  = "${local.secret_prefix}client-public-key)"
+    "SERVER_PUBLIC_KEY_URL"                              = "${local.secret_prefix}server-public-key-url)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT"                  = "${local.secret_prefix}mst-payment-processor-client-cert)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"      = "${local.secret_prefix}mst-payment-processor-client-cert-private-key)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"          = "${local.secret_prefix}mst-payment-processor-client-cert-root-ca)"
+    "AUTH_PROVIDER_CLIENT_NAME"                          = "${local.secret_prefix}auth-provider-client-name)"
+    "AUTH_PROVIDER_CLIENT_ID"                            = "${local.secret_prefix}auth-provider-client-id)"
+    "AUTH_PROVIDER_AUTHORITY"                            = "${local.secret_prefix}auth-provider-authority)"
+    "AUTH_PROVIDER_SCOPE"                                = "${local.secret_prefix}auth-provider-scope)"
+    "AUTH_PROVIDER_CLAIM"                                = "${local.secret_prefix}auth-provider-claim)"
+    "MST_OAUTH_VERIFIER_NAME"                            = "${local.secret_prefix}mst-oauth-verifier-name)"
+    "COURTESY_CARD_VERIFIER"                             = "${local.secret_prefix}courtesy-card-verifier)"
+    "COURTESY_CARD_VERIFIER_API_URL"                     = "${local.secret_prefix}courtesy-card-verifier-api-url)"
+    "COURTESY_CARD_VERIFIER_API_AUTH_HEADER"             = "${local.secret_prefix}courtesy-card-verifier-api-auth-header)"
+    "COURTESY_CARD_VERIFIER_API_AUTH_KEY"                = "${local.secret_prefix}courtesy-card-verifier-api-auth-key)"
+    "COURTESY_CARD_VERIFIER_JWE_CEK_ENC"                 = "${local.secret_prefix}courtesy-card-verifier-jwe-cek-enc)"
+    "COURTESY_CARD_VERIFIER_JWE_ENCRYPTION_ALG"          = "${local.secret_prefix}courtesy-card-verifier-jwe-encryption-alg)"
+    "COURTESY_CARD_VERIFIER_JWS_SIGNING_ALG"             = "${local.secret_prefix}courtesy-card-verifier-jws-signing-alg)"
+    "SACRT_OAUTH_VERIFIER_NAME"                          = "${local.secret_prefix}sacrt-oauth-verifier-name)"
+    "MST_PAYMENT_PROCESSOR_NAME"                         = "${local.secret_prefix}mst-payment-processor-name)"
+    "MST_PAYMENT_PROCESSOR_API_BASE_URL"                 = "${local.secret_prefix}mst-payment-processor-api-base-url)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"    = "${local.secret_prefix}mst-payment-processor-api-access-token-endpoint)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY" = "${local.secret_prefix}mst-payment-processor-api-access-token-request-key)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL" = "${local.secret_prefix}mst-payment-processor-api-access-token-request-val)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"            = "${local.secret_prefix}mst-payment-processor-card-tokenize-url)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"           = "${local.secret_prefix}mst-payment-processor-card-tokenize-func)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"            = "${local.secret_prefix}mst-payment-processor-card-tokenize-env)"
+    "MST_AGENCY_SHORT_NAME"                              = "${local.secret_prefix}mst-agency-short-name)"
+    "MST_AGENCY_LONG_NAME"                               = "${local.secret_prefix}mst-agency-long-name)"
+    "MST_AGENCY_JWS_SIGNING_ALG"                         = "${local.secret_prefix}mst-agency-jws-signing-alg)"
+    "SACRT_AGENCY_SHORT_NAME"                            = "${local.secret_prefix}sacrt-agency-short-name)"
+    "SACRT_AGENCY_LONG_NAME"                             = "${local.secret_prefix}sacrt-agency-long-name)"
+    "SACRT_AGENCY_MERCHANT_ID"                           = "${local.secret_prefix}sacrt-agency-merchant-id)"
+    "SACRT_AGENCY_ACTIVE"                                = "${local.secret_prefix}sacrt-agency-active)"
+    "SACRT_AGENCY_JWS_SIGNING_ALG"                       = "${local.secret_prefix}sacrt-agency-jws-signing-alg)"
   }
 
   lifecycle {

From 804bbdd548e93e481aba3fb88b3a805f7907b8b6 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Tue, 18 Apr 2023 00:10:32 +0000
Subject: [PATCH 29/54] feat: configure a payment processor for SacRT

---
 benefits/core/migrations/0002_data.py | 34 +++++++++-
 terraform/app_service.tf              | 97 +++++++++++++++------------
 2 files changed, 87 insertions(+), 44 deletions(-)

diff --git a/benefits/core/migrations/0002_data.py b/benefits/core/migrations/0002_data.py
index 910aa3adb..ef6eaea20 100644
--- a/benefits/core/migrations/0002_data.py
+++ b/benefits/core/migrations/0002_data.py
@@ -104,6 +104,21 @@ def load_data(app, *args, **kwargs):
         label="MST payment processor client certificate root CA",
     )
 
+    sacrt_payment_processor_client_cert = PemData.objects.create(
+        text=os.environ.get("SACRT_PAYMENT_PROCESSOR_CLIENT_CERT", dummy_cert_text),
+        label="SacRT payment processor client certificate",
+    )
+
+    sacrt_payment_processor_client_cert_private_key = PemData.objects.create(
+        text=os.environ.get("SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY", client_private_key.text),
+        label="SacRT payment processor client certificate private key",
+    )
+
+    sacrt_payment_processor_client_cert_root_ca = PemData.objects.create(
+        text=os.environ.get("SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA", dummy_cert_text),
+        label="SacRT payment processor client certificate root CA",
+    )
+
     AuthProvider = app.get_model("core", "AuthProvider")
 
     auth_provider = AuthProvider.objects.create(
@@ -221,6 +236,23 @@ def load_data(app, *args, **kwargs):
         group_endpoint="group",
     )
 
+    sacrt_payment_processor = PaymentProcessor.objects.create(
+        name=os.environ.get("SACRT_PAYMENT_PROCESSOR_NAME", "Test Payment Processor"),
+        api_base_url=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_BASE_URL", "http://server:8000"),
+        api_access_token_endpoint=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT", "access-token"),
+        api_access_token_request_key=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY", "request_access"),
+        api_access_token_request_val=os.environ.get("SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL", "REQUEST_ACCESS"),
+        card_tokenize_url=os.environ.get("SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL", "http://server:8000/static/tokenize.js"),
+        card_tokenize_func=os.environ.get("SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC", "tokenize"),
+        card_tokenize_env=os.environ.get("SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV", "test"),
+        client_cert=sacrt_payment_processor_client_cert,
+        client_cert_private_key=sacrt_payment_processor_client_cert_private_key,
+        client_cert_root_ca=sacrt_payment_processor_client_cert_root_ca,
+        customer_endpoint="customer",
+        customers_endpoint="customers",
+        group_endpoint="group",
+    )
+
     TransitAgency = app.get_model("core", "TransitAgency")
 
     # load the sample data from a JSON file so that it can be accessed by Cypress as well
@@ -258,7 +290,7 @@ def load_data(app, *args, **kwargs):
         private_key=client_private_key,
         public_key=client_public_key,
         jws_signing_alg=os.environ.get("SACRT_AGENCY_JWS_SIGNING_ALG", "RS256"),
-        payment_processor=mst_payment_processor,
+        payment_processor=sacrt_payment_processor,
         eligibility_index_intro=_("eligibility.pages.index.p[0].sacrt"),
     )
     sacrt_agency.eligibility_types.set([sacrt_senior_type])
diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 0b4f557ed..78ac65354 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -58,10 +58,10 @@ resource "azurerm_linux_web_app" "main" {
     "ANALYTICS_KEY" = local.is_dev ? null : "${local.secret_prefix}analytics-key)",
 
     # Django settings
-    "DJANGO_ADMIN"            = (local.is_prod || local.is_test) ? null : "${local.secret_prefix}django-admin)",
-    "DJANGO_ALLOWED_HOSTS"    = "${local.secret_prefix}django-allowed-hosts)",
-    "DJANGO_DEBUG"            = local.is_prod ? null : "${local.secret_prefix}django-debug)",
-    "DJANGO_LOG_LEVEL"        = "${local.secret_prefix}django-log-level)",
+    "DJANGO_ADMIN"         = (local.is_prod || local.is_test) ? null : "${local.secret_prefix}django-admin)",
+    "DJANGO_ALLOWED_HOSTS" = "${local.secret_prefix}django-allowed-hosts)",
+    "DJANGO_DEBUG"         = local.is_prod ? null : "${local.secret_prefix}django-debug)",
+    "DJANGO_LOG_LEVEL"     = "${local.secret_prefix}django-log-level)",
 
     "DJANGO_RATE_LIMIT"         = local.is_dev ? null : "${local.secret_prefix}django-rate-limit)",
     "DJANGO_RATE_LIMIT_METHODS" = local.is_dev ? null : "${local.secret_prefix}django-rate-limit-methods)",
@@ -80,45 +80,56 @@ resource "azurerm_linux_web_app" "main" {
     "SENTRY_ENVIRONMENT" = local.env_name,
 
     # Environment variables for data migration
-    "MST_SENIOR_GROUP_ID"                                = "${local.secret_prefix}mst-senior-group-id)",
-    "MST_COURTESY_CARD_GROUP_ID"                         = "${local.secret_prefix}mst-courtesy-card-group-id)"
-    "SACRT_SENIOR_GROUP_ID"                              = "${local.secret_prefix}sacrt-senior-group-id)"
-    "CLIENT_PRIVATE_KEY"                                 = "${local.secret_prefix}client-private-key)"
-    "CLIENT_PUBLIC_KEY"                                  = "${local.secret_prefix}client-public-key)"
-    "SERVER_PUBLIC_KEY_URL"                              = "${local.secret_prefix}server-public-key-url)"
-    "MST_PAYMENT_PROCESSOR_CLIENT_CERT"                  = "${local.secret_prefix}mst-payment-processor-client-cert)"
-    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"      = "${local.secret_prefix}mst-payment-processor-client-cert-private-key)"
-    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"          = "${local.secret_prefix}mst-payment-processor-client-cert-root-ca)"
-    "AUTH_PROVIDER_CLIENT_NAME"                          = "${local.secret_prefix}auth-provider-client-name)"
-    "AUTH_PROVIDER_CLIENT_ID"                            = "${local.secret_prefix}auth-provider-client-id)"
-    "AUTH_PROVIDER_AUTHORITY"                            = "${local.secret_prefix}auth-provider-authority)"
-    "AUTH_PROVIDER_SCOPE"                                = "${local.secret_prefix}auth-provider-scope)"
-    "AUTH_PROVIDER_CLAIM"                                = "${local.secret_prefix}auth-provider-claim)"
-    "MST_OAUTH_VERIFIER_NAME"                            = "${local.secret_prefix}mst-oauth-verifier-name)"
-    "COURTESY_CARD_VERIFIER"                             = "${local.secret_prefix}courtesy-card-verifier)"
-    "COURTESY_CARD_VERIFIER_API_URL"                     = "${local.secret_prefix}courtesy-card-verifier-api-url)"
-    "COURTESY_CARD_VERIFIER_API_AUTH_HEADER"             = "${local.secret_prefix}courtesy-card-verifier-api-auth-header)"
-    "COURTESY_CARD_VERIFIER_API_AUTH_KEY"                = "${local.secret_prefix}courtesy-card-verifier-api-auth-key)"
-    "COURTESY_CARD_VERIFIER_JWE_CEK_ENC"                 = "${local.secret_prefix}courtesy-card-verifier-jwe-cek-enc)"
-    "COURTESY_CARD_VERIFIER_JWE_ENCRYPTION_ALG"          = "${local.secret_prefix}courtesy-card-verifier-jwe-encryption-alg)"
-    "COURTESY_CARD_VERIFIER_JWS_SIGNING_ALG"             = "${local.secret_prefix}courtesy-card-verifier-jws-signing-alg)"
-    "SACRT_OAUTH_VERIFIER_NAME"                          = "${local.secret_prefix}sacrt-oauth-verifier-name)"
-    "MST_PAYMENT_PROCESSOR_NAME"                         = "${local.secret_prefix}mst-payment-processor-name)"
-    "MST_PAYMENT_PROCESSOR_API_BASE_URL"                 = "${local.secret_prefix}mst-payment-processor-api-base-url)"
-    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"    = "${local.secret_prefix}mst-payment-processor-api-access-token-endpoint)"
-    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY" = "${local.secret_prefix}mst-payment-processor-api-access-token-request-key)"
-    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL" = "${local.secret_prefix}mst-payment-processor-api-access-token-request-val)"
-    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"            = "${local.secret_prefix}mst-payment-processor-card-tokenize-url)"
-    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"           = "${local.secret_prefix}mst-payment-processor-card-tokenize-func)"
-    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"            = "${local.secret_prefix}mst-payment-processor-card-tokenize-env)"
-    "MST_AGENCY_SHORT_NAME"                              = "${local.secret_prefix}mst-agency-short-name)"
-    "MST_AGENCY_LONG_NAME"                               = "${local.secret_prefix}mst-agency-long-name)"
-    "MST_AGENCY_JWS_SIGNING_ALG"                         = "${local.secret_prefix}mst-agency-jws-signing-alg)"
-    "SACRT_AGENCY_SHORT_NAME"                            = "${local.secret_prefix}sacrt-agency-short-name)"
-    "SACRT_AGENCY_LONG_NAME"                             = "${local.secret_prefix}sacrt-agency-long-name)"
-    "SACRT_AGENCY_MERCHANT_ID"                           = "${local.secret_prefix}sacrt-agency-merchant-id)"
-    "SACRT_AGENCY_ACTIVE"                                = "${local.secret_prefix}sacrt-agency-active)"
-    "SACRT_AGENCY_JWS_SIGNING_ALG"                       = "${local.secret_prefix}sacrt-agency-jws-signing-alg)"
+    "MST_SENIOR_GROUP_ID"                                  = "${local.secret_prefix}mst-senior-group-id)",
+    "MST_COURTESY_CARD_GROUP_ID"                           = "${local.secret_prefix}mst-courtesy-card-group-id)"
+    "SACRT_SENIOR_GROUP_ID"                                = "${local.secret_prefix}sacrt-senior-group-id)"
+    "CLIENT_PRIVATE_KEY"                                   = "${local.secret_prefix}client-private-key)"
+    "CLIENT_PUBLIC_KEY"                                    = "${local.secret_prefix}client-public-key)"
+    "SERVER_PUBLIC_KEY_URL"                                = "${local.secret_prefix}server-public-key-url)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT"                    = "${local.secret_prefix}mst-payment-processor-client-cert)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"        = "${local.secret_prefix}mst-payment-processor-client-cert-private-key)"
+    "MST_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"            = "${local.secret_prefix}mst-payment-processor-client-cert-root-ca)"
+    "SACRT_PAYMENT_PROCESSOR_CLIENT_CERT"                  = "${local.secret_prefix}sacrt-payment-processor-client-cert)"
+    "SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_PRIVATE_KEY"      = "${local.secret_prefix}sacrt-payment-processor-client-cert-private-key)"
+    "SACRT_PAYMENT_PROCESSOR_CLIENT_CERT_ROOT_CA"          = "${local.secret_prefix}sacrt-payment-processor-client-cert-root-ca)"
+    "AUTH_PROVIDER_CLIENT_NAME"                            = "${local.secret_prefix}auth-provider-client-name)"
+    "AUTH_PROVIDER_CLIENT_ID"                              = "${local.secret_prefix}auth-provider-client-id)"
+    "AUTH_PROVIDER_AUTHORITY"                              = "${local.secret_prefix}auth-provider-authority)"
+    "AUTH_PROVIDER_SCOPE"                                  = "${local.secret_prefix}auth-provider-scope)"
+    "AUTH_PROVIDER_CLAIM"                                  = "${local.secret_prefix}auth-provider-claim)"
+    "MST_OAUTH_VERIFIER_NAME"                              = "${local.secret_prefix}mst-oauth-verifier-name)"
+    "COURTESY_CARD_VERIFIER"                               = "${local.secret_prefix}courtesy-card-verifier)"
+    "COURTESY_CARD_VERIFIER_API_URL"                       = "${local.secret_prefix}courtesy-card-verifier-api-url)"
+    "COURTESY_CARD_VERIFIER_API_AUTH_HEADER"               = "${local.secret_prefix}courtesy-card-verifier-api-auth-header)"
+    "COURTESY_CARD_VERIFIER_API_AUTH_KEY"                  = "${local.secret_prefix}courtesy-card-verifier-api-auth-key)"
+    "COURTESY_CARD_VERIFIER_JWE_CEK_ENC"                   = "${local.secret_prefix}courtesy-card-verifier-jwe-cek-enc)"
+    "COURTESY_CARD_VERIFIER_JWE_ENCRYPTION_ALG"            = "${local.secret_prefix}courtesy-card-verifier-jwe-encryption-alg)"
+    "COURTESY_CARD_VERIFIER_JWS_SIGNING_ALG"               = "${local.secret_prefix}courtesy-card-verifier-jws-signing-alg)"
+    "SACRT_OAUTH_VERIFIER_NAME"                            = "${local.secret_prefix}sacrt-oauth-verifier-name)"
+    "MST_PAYMENT_PROCESSOR_NAME"                           = "${local.secret_prefix}mst-payment-processor-name)"
+    "MST_PAYMENT_PROCESSOR_API_BASE_URL"                   = "${local.secret_prefix}mst-payment-processor-api-base-url)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"      = "${local.secret_prefix}mst-payment-processor-api-access-token-endpoint)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY"   = "${local.secret_prefix}mst-payment-processor-api-access-token-request-key)"
+    "MST_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL"   = "${local.secret_prefix}mst-payment-processor-api-access-token-request-val)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"              = "${local.secret_prefix}mst-payment-processor-card-tokenize-url)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"             = "${local.secret_prefix}mst-payment-processor-card-tokenize-func)"
+    "MST_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"              = "${local.secret_prefix}mst-payment-processor-card-tokenize-env)"
+    "SACRT_PAYMENT_PROCESSOR_NAME"                         = "${local.secret_prefix}sacrt-payment-processor-name)"
+    "SACRT_PAYMENT_PROCESSOR_API_BASE_URL"                 = "${local.secret_prefix}sacrt-payment-processor-api-base-url)"
+    "SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_ENDPOINT"    = "${local.secret_prefix}sacrt-payment-processor-api-access-token-endpoint)"
+    "SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_KEY" = "${local.secret_prefix}sacrt-payment-processor-api-access-token-request-key)"
+    "SACRT_PAYMENT_PROCESSOR_API_ACCESS_TOKEN_REQUEST_VAL" = "${local.secret_prefix}sacrt-payment-processor-api-access-token-request-val)"
+    "SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_URL"            = "${local.secret_prefix}sacrt-payment-processor-card-tokenize-url)"
+    "SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_FUNC"           = "${local.secret_prefix}sacrt-payment-processor-card-tokenize-func)"
+    "SACRT_PAYMENT_PROCESSOR_CARD_TOKENIZE_ENV"            = "${local.secret_prefix}sacrt-payment-processor-card-tokenize-env)"
+    "MST_AGENCY_SHORT_NAME"                                = "${local.secret_prefix}mst-agency-short-name)"
+    "MST_AGENCY_LONG_NAME"                                 = "${local.secret_prefix}mst-agency-long-name)"
+    "MST_AGENCY_JWS_SIGNING_ALG"                           = "${local.secret_prefix}mst-agency-jws-signing-alg)"
+    "SACRT_AGENCY_SHORT_NAME"                              = "${local.secret_prefix}sacrt-agency-short-name)"
+    "SACRT_AGENCY_LONG_NAME"                               = "${local.secret_prefix}sacrt-agency-long-name)"
+    "SACRT_AGENCY_MERCHANT_ID"                             = "${local.secret_prefix}sacrt-agency-merchant-id)"
+    "SACRT_AGENCY_ACTIVE"                                  = "${local.secret_prefix}sacrt-agency-active)"
+    "SACRT_AGENCY_JWS_SIGNING_ALG"                         = "${local.secret_prefix}sacrt-agency-jws-signing-alg)"
   }
 
   lifecycle {

From 9ecf172190471bdc1783a400a183bfbc2f18d4e6 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 17:01:12 -0700
Subject: [PATCH 30/54] chore(nginx): add conf file from base image

cal-itp/docker-python-web defines the default nginx.conf

take a copy so we can override for benefits
---
 appcontainer/Dockerfile |  3 ++
 appcontainer/nginx.conf | 63 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+)
 create mode 100644 appcontainer/nginx.conf

diff --git a/appcontainer/Dockerfile b/appcontainer/Dockerfile
index 6366be07c..c8daef2c1 100644
--- a/appcontainer/Dockerfile
+++ b/appcontainer/Dockerfile
@@ -3,6 +3,9 @@ FROM ghcr.io/cal-itp/docker-python-web:main
 # upgrade pip
 RUN python -m pip install --upgrade pip
 
+# overwrite default nginx.conf
+COPY appcontainer/nginx.conf /etc/nginx/nginx.conf
+
 # copy source files
 COPY manage.py manage.py
 COPY bin bin
diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
new file mode 100644
index 000000000..f856e833b
--- /dev/null
+++ b/appcontainer/nginx.conf
@@ -0,0 +1,63 @@
+worker_processes auto;
+error_log stderr warn;
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections 1024;
+  accept_mutex on;
+}
+
+http {
+  include mime.types;
+  default_type application/octet-stream;
+  sendfile on;
+  gzip on;
+  keepalive_timeout 5;
+
+  log_format main '[$time_local] "$request" '
+                  '$status $body_bytes_sent "$http_referer" '
+                  '"$http_user_agent" "$http_x_forwarded_for"';
+  access_log /dev/stdout main;
+
+  upstream app_server {
+    # fail_timeout=0 means we always retry an upstream even if it failed
+    # to return a good HTTP response
+    server unix:/home/calitp/run/gunicorn.sock fail_timeout=0;
+  }
+
+  server {
+    listen 8000;
+
+    keepalive_timeout 65;
+
+    location /favicon.ico {
+      access_log off;
+      log_not_found off;
+      expires 1y;
+      add_header Cache-Control public;
+    }
+
+    # path for static files
+    location /static/ {
+      alias /home/calitp/app/static/;
+      expires 1y;
+      add_header Cache-Control public;
+    }
+
+    location / {
+      # checks for static file, if not found proxy to app
+      try_files $uri @proxy_to_app;
+    }
+
+    # app path
+    location @proxy_to_app {
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header Host $http_host;
+      # we don't want nginx trying to do something clever with
+      # redirects, we set the Host: header above already.
+      proxy_redirect off;
+      proxy_pass http://app_server;
+    }
+  }
+}

From 4f02d5dddc2f2e97426cacaf51067f64b74633a3 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 17:02:19 -0700
Subject: [PATCH 31/54] feat(nginx): 404 known scraping targets

based on data from amplitude and sentry
---
 appcontainer/nginx.conf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
index f856e833b..f5200238b 100644
--- a/appcontainer/nginx.conf
+++ b/appcontainer/nginx.conf
@@ -30,6 +30,24 @@ http {
 
     keepalive_timeout 65;
 
+    # 404 known scraping path targets
+    # case-insensitive regex matches the given path fragment anywhere in the request path
+    # e.g. /something/api and /login
+    location ~* /(\.?git|api|app|assets|ats|auth|bootstrap|bower|cgi|content|credentials|docker|doc|env|example|login|swagger|web) {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
+    # 404 known scraping file targets
+    # case-insensitive regex matches the given file extension anywhere in the request path
+    # e.g. /something/admin.php and /secrets.yaml
+    location ~* /.+\.(asp|axd|cgi|com|env|json|log|php|xml|ya?ml) {
+        access_log off;
+        log_not_found off;
+        return 404;
+    }
+
     location /favicon.ico {
       access_log off;
       log_not_found off;

From c3b60baa12c008658df0294febe8ec4b20850a39 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 13 Apr 2023 17:03:07 -0700
Subject: [PATCH 32/54] refactor: move rate limit from Django to nginx

---
 appcontainer/nginx.conf                | 16 ++++++++
 benefits/core/middleware.py            | 41 +-------------------
 benefits/core/session.py               | 33 ----------------
 benefits/eligibility/views.py          |  3 +-
 benefits/settings.py                   | 15 --------
 tests/cypress/plugins/index.js         |  2 -
 tests/cypress/specs/rate-limit.cy.js   | 52 +++++++++++++++-----------
 tests/pytest/core/test_session.py      | 41 --------------------
 tests/pytest/eligibility/test_views.py |  7 ----
 9 files changed, 48 insertions(+), 162 deletions(-)

diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
index f5200238b..ad06dcb36 100644
--- a/appcontainer/nginx.conf
+++ b/appcontainer/nginx.conf
@@ -25,6 +25,9 @@ http {
     server unix:/home/calitp/run/gunicorn.sock fail_timeout=0;
   }
 
+  # define a zone with 10mb cache keyed on binary IP address, rate limit to 5 requests/min on applied locations
+  limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=5r/m;
+
   server {
     listen 8000;
 
@@ -67,6 +70,19 @@ http {
       try_files $uri @proxy_to_app;
     }
 
+    location /eligibility/confirm {
+        # apply rate limit to this path
+        limit_req zone=ratelimit;
+        # copied from below location @proxy_to_app
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+        # we don't want nginx trying to do something clever with
+        # redirects, we set the Host: header above already.
+        proxy_redirect off;
+        proxy_pass http://app_server;
+    }
+
     # app path
     location @proxy_to_app {
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
diff --git a/benefits/core/middleware.py b/benefits/core/middleware.py
index 93ec20cf2..4df16d6fa 100644
--- a/benefits/core/middleware.py
+++ b/benefits/core/middleware.py
@@ -2,12 +2,10 @@
 The core application: middleware definitions for request/response cycle.
 """
 import logging
-import time
 
 from django.conf import settings
-from django.http import HttpResponse, HttpResponseBadRequest
+from django.http import HttpResponse
 from django.shortcuts import redirect
-from django.template import loader
 from django.template.response import TemplateResponse
 from django.utils.decorators import decorator_from_middleware
 from django.utils.deprecation import MiddlewareMixin
@@ -40,43 +38,6 @@ def process_request(self, request):
             return user_error(request)
 
 
-class RateLimit(MiddlewareMixin):
-    """Middleware checks settings and session to ensure rate limit is respected."""
-
-    def process_request(self, request):
-        if not settings.RATE_LIMIT_ENABLED:
-            logger.debug("Rate Limiting is not configured")
-            return None
-
-        if request.method in settings.RATE_LIMIT_METHODS:
-            session.increment_rate_limit_counter(request)
-        else:
-            # bail early if the request method doesn't match
-            return None
-
-        counter = session.rate_limit_counter(request)
-        reset_time = session.rate_limit_time(request)
-        now = int(time.time())
-
-        if counter > settings.RATE_LIMIT:
-            if reset_time > now:
-                logger.warning("Rate limit exceeded")
-                home = viewmodels.Button.home(request)
-                page = viewmodels.ErrorPage.server_error(
-                    title="Rate limit error",
-                    headline="Rate limit error",
-                    paragraphs=["You have reached the rate limit. Please try again."],
-                    button=home,
-                )
-                t = loader.get_template("400.html")
-                return HttpResponseBadRequest(t.render(page.context_dict()))
-            else:
-                # enough time has passed, reset the rate limit
-                session.reset_rate_limit(request)
-
-        return None
-
-
 class EligibleSessionRequired(MiddlewareMixin):
     """Middleware raises an exception for sessions lacking confirmed eligibility."""
 
diff --git a/benefits/core/session.py b/benefits/core/session.py
index 7cb20185d..c26968cee 100644
--- a/benefits/core/session.py
+++ b/benefits/core/session.py
@@ -6,7 +6,6 @@
 import time
 import uuid
 
-from django.conf import settings
 from django.urls import reverse
 
 from . import models
@@ -22,8 +21,6 @@
 _ENROLLMENT_TOKEN = "enrollment_token"
 _ENROLLMENT_TOKEN_EXP = "enrollment_token_exp"
 _LANG = "lang"
-_LIMITCOUNTER = "limitcounter"
-_LIMITUNTIL = "limituntil"
 _OAUTH_CLAIM = "oauth_claim"
 _OAUTH_TOKEN = "oauth_token"
 _ORIGIN = "origin"
@@ -54,7 +51,6 @@ def context_dict(request):
     logger.debug("Get session context dict")
     return {
         _AGENCY: agency(request).slug if active_agency(request) else None,
-        _LIMITCOUNTER: rate_limit_counter(request),
         _DEBUG: debug(request),
         _DID: did(request),
         _ELIGIBILITY: eligibility(request),
@@ -64,7 +60,6 @@ def context_dict(request):
         _OAUTH_TOKEN: oauth_token(request),
         _OAUTH_CLAIM: oauth_claim(request),
         _ORIGIN: origin(request),
-        _LIMITUNTIL: rate_limit_time(request),
         _START: start(request),
         _UID: uid(request),
         _VERIFIER: verifier(request),
@@ -174,33 +169,6 @@ def origin(request):
     return request.session.get(_ORIGIN)
 
 
-def rate_limit_counter(request):
-    """Get this session's rate limit counter."""
-    logger.debug("Get rate limit counter")
-    return request.session.get(_LIMITCOUNTER)
-
-
-def increment_rate_limit_counter(request):
-    """Adds 1 to this session's rate limit counter."""
-    logger.debug("Increment rate limit counter")
-    c = rate_limit_counter(request)
-    request.session[_LIMITCOUNTER] = int(c) + 1
-
-
-def reset_rate_limit(request):
-    """Reset this session's rate limit counter and time."""
-    logger.debug("Reset rate limit")
-    request.session[_LIMITCOUNTER] = 0
-    # get the current time in Unix seconds, then add RATE_LIMIT_PERIOD seconds
-    request.session[_LIMITUNTIL] = int(time.time()) + settings.RATE_LIMIT_PERIOD
-
-
-def rate_limit_time(request):
-    """Get this session's rate limit time, a Unix timestamp after which the session's rate limt resets."""
-    logger.debug("Get rate limit time")
-    return request.session.get(_LIMITUNTIL)
-
-
 def reset(request):
     """Reset the session for the request."""
     logger.debug("Reset session")
@@ -219,7 +187,6 @@ def reset(request):
         u = str(uuid.uuid4())
         request.session[_UID] = u
         request.session[_DID] = str(uuid.UUID(hashlib.sha512(bytes(u, "utf8")).hexdigest()[:32]))
-        reset_rate_limit(request)
 
 
 def start(request):
diff --git a/benefits/eligibility/views.py b/benefits/eligibility/views.py
index 417ac13cd..38085a411 100644
--- a/benefits/eligibility/views.py
+++ b/benefits/eligibility/views.py
@@ -10,7 +10,7 @@
 from django.utils.translation import pgettext, gettext as _
 
 from benefits.core import recaptcha, session, viewmodels
-from benefits.core.middleware import AgencySessionRequired, LoginRequired, RateLimit, RecaptchaEnabled, VerifierSessionRequired
+from benefits.core.middleware import AgencySessionRequired, LoginRequired, RecaptchaEnabled, VerifierSessionRequired
 from benefits.core.models import EligibilityVerifier
 from benefits.core.views import ROUTE_HELP
 from . import analytics, forms, verify
@@ -152,7 +152,6 @@ def start(request):
 
 @decorator_from_middleware(AgencySessionRequired)
 @decorator_from_middleware(LoginRequired)
-@decorator_from_middleware(RateLimit)
 @decorator_from_middleware(RecaptchaEnabled)
 @decorator_from_middleware(VerifierSessionRequired)
 def confirm(request):
diff --git a/benefits/settings.py b/benefits/settings.py
index 93fb0e9a5..818d08bf8 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -241,21 +241,6 @@ def _filter_empty(ls):
 
 ANALYTICS_KEY = os.environ.get("ANALYTICS_KEY")
 
-# rate limit configuration
-# these should match the values in rate-limit.cy.js
-
-# number of requests allowed in the given period
-RATE_LIMIT = int(os.environ.get("DJANGO_RATE_LIMIT", 5))
-
-# HTTP request methods to rate limit
-RATE_LIMIT_METHODS = os.environ.get("DJANGO_RATE_LIMIT_METHODS", "POST").upper().split(",")
-
-# number of seconds before additional requests are denied
-RATE_LIMIT_PERIOD = int(os.environ.get("DJANGO_RATE_LIMIT_PERIOD", 60))
-
-# Rate Limit feature flag
-RATE_LIMIT_ENABLED = all((RATE_LIMIT > 0, len(RATE_LIMIT_METHODS) > 0, RATE_LIMIT_PERIOD > 0))
-
 # reCAPTCHA configuration
 
 RECAPTCHA_API_URL = os.environ.get("DJANGO_RECAPTCHA_API_URL", "https://www.google.com/recaptcha/api.js")
diff --git a/tests/cypress/plugins/index.js b/tests/cypress/plugins/index.js
index bfc8527a1..ffe5b1bb4 100644
--- a/tests/cypress/plugins/index.js
+++ b/tests/cypress/plugins/index.js
@@ -1,8 +1,6 @@
 module.exports = (on, config) => {
   // add OS environment variables into Cypress.env
   config.env = config.env || {};
-  config.env.DJANGO_RATE_LIMIT = process.env.DJANGO_RATE_LIMIT;
-  config.env.DJANGO_RATE_LIMIT_PERIOD = process.env.DJANGO_RATE_LIMIT_PERIOD;
 
   return config;
 };
diff --git a/tests/cypress/specs/rate-limit.cy.js b/tests/cypress/specs/rate-limit.cy.js
index a29a7d5d8..b5e7b260d 100644
--- a/tests/cypress/specs/rate-limit.cy.js
+++ b/tests/cypress/specs/rate-limit.cy.js
@@ -2,6 +2,12 @@ const agencies = require("../fixtures/transit-agencies");
 const users = require("../fixtures/users.json");
 const { eligibility_url, post_confirm } = require("../plugins/eligibility");
 
+const RATE_LIMIT = 12;
+// 5 seconds in milliseconds => allows 12 requests/minute
+const WAIT_TIME = 5 * 1000;
+const SUCCESS_STATUS = 302;
+const FAIL_STATUS = 503;
+
 describe("Rate limiting feature spec", () => {
   beforeEach(() => {
     cy.visit("/");
@@ -21,14 +27,6 @@ describe("Rate limiting feature spec", () => {
     const sub = users.ineligible.sub;
     const name = users.ineligible.name;
 
-    // start by making 5 times as many requests as allowed
-    // these should match the defaults in settings.py
-    const RATE_LIMIT = 5;
-    const N_REQUESTS = RATE_LIMIT * 5;
-    const RATE_LIMIT_PERIOD = 60;
-
-    const SUCCESS_STATUS = 302;
-
     // csrfmiddlewaretoken value needed to enable automated form submissions
     // there could be multiple forms on the page, so get() the one with the
     // action we are interested in
@@ -36,29 +34,39 @@ describe("Rate limiting feature spec", () => {
       .find("input[name='csrfmiddlewaretoken']")
       .invoke("attr", "value")
       .then((csrfmiddlewaretoken) => {
-        // make excess requests
-        for (let i = 0; i < N_REQUESTS; i++) {
-          // continue on non-successful status codes to check response
+        // make successive requests with no wait time
+        for (let i = 0; i < RATE_LIMIT; i++) {
           post_confirm(csrfmiddlewaretoken, sub, name, false).then((res) => {
-            if (i < RATE_LIMIT) {
-              // allow up to API_RATE_LIMIT requests
+            // the first request should succeed, subsequent should fail
+            if (i == 0) {
               expect(res.status).to.eq(SUCCESS_STATUS);
             } else {
-              // we've gone beyond API_RATE_LIMIT
-              expect(res.status).to.eq(400);
+              expect(res.status).to.eq(FAIL_STATUS);
             }
           });
         }
+      });
+  });
+
+  it("Allows requests with enough time in between", () => {
+    // start with a wait, since the previous test already triggered the limit
+    cy.wait(WAIT_TIME);
 
-        // now wait for the rate limit to refresh
-        // Cypress expects milliseconds, the rate limit period is expressed in seconds
-        cy.wait(RATE_LIMIT_PERIOD * 1000);
+    const sub = users.ineligible.sub;
+    const name = users.ineligible.name;
 
-        // and try again with a reasonable number of requests
-        for (let i = 0; i < RATE_LIMIT - 1; i++) {
-          post_confirm(csrfmiddlewaretoken, sub, name, true).then((res) => {
-            // these requests should all succeed
+    // csrfmiddlewaretoken value needed to enable automated form submissions
+    // there could be multiple forms on the page, so get() the one with the
+    // action we are interested in
+    cy.get(`form[action='${eligibility_url}'`)
+      .find("input[name='csrfmiddlewaretoken']")
+      .invoke("attr", "value")
+      .then((csrfmiddlewaretoken) => {
+        // make successive requests with time in between
+        for (let i = 0; i < RATE_LIMIT; i++) {
+          post_confirm(csrfmiddlewaretoken, sub, name, false).then((res) => {
             expect(res.status).to.eq(SUCCESS_STATUS);
+            cy.wait(WAIT_TIME);
           });
         }
       });
diff --git a/tests/pytest/core/test_session.py b/tests/pytest/core/test_session.py
index c7d0583a2..682c3d688 100644
--- a/tests/pytest/core/test_session.py
+++ b/tests/pytest/core/test_session.py
@@ -159,47 +159,6 @@ def test_oauth_token_default(app_request):
     assert not session.oauth_token(app_request)
 
 
-@pytest.mark.django_db
-def test_rate_limit_counter_default(app_request):
-    assert session.rate_limit_counter(app_request) == 0
-
-
-@pytest.mark.django_db
-def test_rate_limit_counter_increment(app_request):
-    session.reset_rate_limit(app_request)
-    session.increment_rate_limit_counter(app_request)
-
-    c1 = session.rate_limit_counter(app_request)
-    assert isinstance(c1, int)
-    assert c1 > 0
-
-    session.increment_rate_limit_counter(app_request)
-
-    c2 = session.rate_limit_counter(app_request)
-    assert c2 == c1 + 1
-
-
-@pytest.mark.django_db
-def test_rate_limit_reset(mocker, app_request):
-    mocker.patch.object(session.settings, "RATE_LIMIT_PERIOD", 100)
-    t0 = int(time.time())
-
-    session.reset_rate_limit(app_request)
-
-    assert session.rate_limit_counter(app_request) == 0
-    assert session.rate_limit_time(app_request) >= t0 + 100
-
-
-@pytest.mark.django_db
-def test_rate_limit_time_default(app_request):
-    # a reset session also resets rate limit time (t0), which should have already happened coming into this test
-    t0 = session.rate_limit_time(app_request)
-    t1 = int(time.time())
-
-    # rate limit expiry time should be in the future
-    assert t0 >= t1
-
-
 @pytest.mark.django_db
 def test_reset_agency(model_TransitAgency, app_request):
     session.update(app_request, agency=model_TransitAgency)
diff --git a/tests/pytest/eligibility/test_views.py b/tests/pytest/eligibility/test_views.py
index 4fd35aef3..2e93d6e40 100644
--- a/tests/pytest/eligibility/test_views.py
+++ b/tests/pytest/eligibility/test_views.py
@@ -50,13 +50,6 @@ def mocked_verifier_form(mocker):
     mocker.patch("benefits.eligibility.views.forms.EligibilityVerifierSelectionForm", return_value=mock_form)
 
 
-@pytest.fixture(autouse=True)
-def disable_rate_limit(mocker):
-    # override session rate limit handling for all tests
-    mock_settings = mocker.patch("benefits.core.middleware.settings")
-    mock_settings.RATE_LIMIT_ENABLED = False
-
-
 @pytest.mark.django_db
 @pytest.mark.usefixtures("mocked_session_agency")
 def test_index_get_agency_multiple_verifiers(

From 87376764933e6c5c43af534f49a8a28583f94712 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 05:08:04 +0000
Subject: [PATCH 33/54] fix(nginx): selective rate-limit for POST

---
 appcontainer/nginx.conf | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
index ad06dcb36..6a942974f 100644
--- a/appcontainer/nginx.conf
+++ b/appcontainer/nginx.conf
@@ -25,8 +25,17 @@ http {
     server unix:/home/calitp/run/gunicorn.sock fail_timeout=0;
   }
 
-  # define a zone with 10mb cache keyed on binary IP address, rate limit to 5 requests/min on applied locations
-  limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=5r/m;
+  # maps $binary_ip_address to $limit variable if request is of type POST
+  map $request_method $limit {
+    default         "";
+    POST            $binary_remote_addr;
+  }
+
+  # define a zone with 10mb memory, rate limit to 12 requests/min (~= 1 request/5 seconds) on applied locations
+  # $limit will eval to $binary_remote_addr for POST requests using the above map
+  # requests with an empty key value (e.g. GET) are not affected
+  # http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone
+  limit_req_zone $limit zone=rate_limit:10m rate=12r/m;
 
   server {
     listen 8000;
@@ -70,9 +79,10 @@ http {
       try_files $uri @proxy_to_app;
     }
 
-    location /eligibility/confirm {
-        # apply rate limit to this path
-        limit_req zone=ratelimit;
+    # apply rate limit to these paths
+    # case-insensitive regex matches path
+    location ~* ^/(eligibility/confirm)$ {
+        limit_req zone=rate_limit;
         # copied from below location @proxy_to_app
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header X-Forwarded-Proto $scheme;

From e70b0c523cd3be04ed74428586186e5e2be6cc99 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 05:52:11 +0000
Subject: [PATCH 34/54] refactor(nginx): include common directives

---
 appcontainer/Dockerfile |  1 +
 appcontainer/nginx.conf | 17 ++---------------
 appcontainer/proxy.conf |  8 ++++++++
 3 files changed, 11 insertions(+), 15 deletions(-)
 create mode 100644 appcontainer/proxy.conf

diff --git a/appcontainer/Dockerfile b/appcontainer/Dockerfile
index c8daef2c1..4aa3cf9df 100644
--- a/appcontainer/Dockerfile
+++ b/appcontainer/Dockerfile
@@ -5,6 +5,7 @@ RUN python -m pip install --upgrade pip
 
 # overwrite default nginx.conf
 COPY appcontainer/nginx.conf /etc/nginx/nginx.conf
+COPY appcontainer/proxy.conf /home/calitp/run/proxy.conf
 
 # copy source files
 COPY manage.py manage.py
diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
index 6a942974f..ac85d3293 100644
--- a/appcontainer/nginx.conf
+++ b/appcontainer/nginx.conf
@@ -83,25 +83,12 @@ http {
     # case-insensitive regex matches path
     location ~* ^/(eligibility/confirm)$ {
         limit_req zone=rate_limit;
-        # copied from below location @proxy_to_app
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header Host $http_host;
-        # we don't want nginx trying to do something clever with
-        # redirects, we set the Host: header above already.
-        proxy_redirect off;
-        proxy_pass http://app_server;
+        include /home/calitp/run/proxy.conf;
     }
 
     # app path
     location @proxy_to_app {
-      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-      proxy_set_header X-Forwarded-Proto $scheme;
-      proxy_set_header Host $http_host;
-      # we don't want nginx trying to do something clever with
-      # redirects, we set the Host: header above already.
-      proxy_redirect off;
-      proxy_pass http://app_server;
+      include /home/calitp/run/proxy.conf;
     }
   }
 }
diff --git a/appcontainer/proxy.conf b/appcontainer/proxy.conf
new file mode 100644
index 000000000..a4e310387
--- /dev/null
+++ b/appcontainer/proxy.conf
@@ -0,0 +1,8 @@
+# the core app proxy directives
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header Host $http_host;
+# we don't want nginx trying to do something clever with
+# redirects, we set the Host: header above already.
+proxy_redirect off;
+proxy_pass http://app_server;

From ca0731c9461e576e1a70aeb587a628521d8118ea Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 06:28:54 +0000
Subject: [PATCH 35/54] docs(rate-limit): update with nginx config

---
 docs/configuration/data.md       |  1 -
 docs/configuration/rate-limit.md | 71 ++++++++++++++++++--------------
 2 files changed, 40 insertions(+), 32 deletions(-)

diff --git a/docs/configuration/data.md b/docs/configuration/data.md
index 582241f6b..6e52de0b8 100644
--- a/docs/configuration/data.md
+++ b/docs/configuration/data.md
@@ -33,7 +33,6 @@ The sample data included in the repository is enough to bootstrap the applicatio
 Some configuration data is not available with the samples in the repository:
 
 - OAuth configuration to enable authentication (read more about [OAuth configuration](oauth.md))
-- Rate Limiting configuration for eligibility
 - reCAPTCHA configuration for user-submitted forms
 - Payment processor configuration for the enrollment phase
 - Amplitude configuration for capturing analytics events
diff --git a/docs/configuration/rate-limit.md b/docs/configuration/rate-limit.md
index 8dad3af27..c1fad33b9 100644
--- a/docs/configuration/rate-limit.md
+++ b/docs/configuration/rate-limit.md
@@ -1,47 +1,56 @@
 # Configuring Rate Limiting
 
-The benefits application has a simple, single-configuration Rate Limit feature that acts per-session to limit the
-number of consecutive requests in a given time period.
+The benefits application has a simple, single-configuration Rate Limit that acts
+per-IP to limit the number of consecutive requests in a given time period, via
+nginx [`limit_req_zone`](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req_zone)
+and [`limit_req`](http://nginx.org/en/docs/http/ngx_http_limit_req_module.html#limit_req) directives.
 
-## Applying to Django code
+The configured rate limit is 12 requests/minute, or 1 request/5 seconds:
 
-The [`RateLimit` middleware][benefits-middleware] can be installed globally for all requests with the
-[`MIDDLEWARE` setting][django-middleware], or per-view with a function decorator.
-
-The latter approach is how the Benefits application rate-limits the Eligibility verification form (which is shown on the
-`confirm` route/view):
-
-```python
-from django.utils.decorators import decorator_from_middleware
-
-from benefits.core.middleware import RateLimit
-
-
-@decorator_from_middleware(RateLimit)
-def confirm(request):
-    """View handler for the eligibility verification form."""
-    # ...
+```nginx
+limit_req_zone $limit zone=rate_limit:10m rate=12r/m;
 ```
 
-## Environment variables
+## HTTP method selection
 
-!!! warning
+An NGINX [map](http://nginx.org/en/docs/http/ngx_http_map_module.html#map)
+variable lists HTTP methods that will be rate limited:
 
-    The following environment variables are all required to activate the Rate Limit feature
+```nginx
+map $request_method $limit {
+    default         "";
+    POST            $binary_remote_addr;
+}
+```
 
-### `DJANGO_RATE_LIMIT`
+The `default` means don't apply a rate limit.
 
-Number of requests allowed in the given [`DJANGO_RATE_LIMIT_PERIOD`](#DJANGO_RATE_LIMIT_PERIOD).
+To add a new method, add a new line:
 
-Must be greater than `0`.
+```nginx
+map $request_method $limit {
+    default         "";
+    OPTIONS         $binary_remote_addr;
+    POST            $binary_remote_addr;
+}
+```
 
-### `DJANGO_RATE_LIMIT_METHODS`
+## App path selection
 
-Comma-separated list of HTTP Methods for which requests are rate limited.
+The `limit_req` is applied to an NGINX [`location`](https://nginx.org/en/docs/http/ngx_http_core_module.html#location) block with a case-insensitive regex to match paths:
 
-### `DJANGO_RATE_LIMIT_PERIOD`
+```nginx
+location ~* ^/(eligibility/confirm)$ {
+    limit_req zone=rate_limit;
+    # config...
+}
+```
 
-Number of seconds before additional requests are denied.
+To add a new path, add a regex OR `|` with the new path (omitting the leading slash):
 
-[benefits-middleware]: https://github.com/cal-itp/benefits/blob/dev/benefits/core/middleware.py
-[django-middleware]: https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-MIDDLEWARE
+```nginx
+location ~* ^/(eligibility/confirm|new/path)$ {
+    limit_req zone=rate_limit;
+    # config...
+}
+```

From 53fd701eaa811aebe74e67e199854f3c7a880609 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 16:58:09 +0000
Subject: [PATCH 36/54] fix(tests): mock settings on middleware module

settings was removed from the session module with rate-limit refactor

this test shouldn't use the session module anyway, as it is testing
a middleware
---
 tests/pytest/core/test_middleware_healthcheck_user_agent.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tests/pytest/core/test_middleware_healthcheck_user_agent.py b/tests/pytest/core/test_middleware_healthcheck_user_agent.py
index ae90c97d5..9a6f34ed8 100644
--- a/tests/pytest/core/test_middleware_healthcheck_user_agent.py
+++ b/tests/pytest/core/test_middleware_healthcheck_user_agent.py
@@ -3,14 +3,14 @@
 
 import pytest
 
-from benefits.core import session
+from benefits.core import middleware
 from benefits.core.views import ROUTE_INDEX, TEMPLATE_INDEX
 
 
 @pytest.mark.django_db
 @pytest.mark.parametrize("user_agent", ["AlwaysOn", "Edge Health Probe"])
 def test_healthcheck_user_agent(mocker, user_agent):
-    mocker.patch.object(session.settings, "HEALTHCHECK_USER_AGENTS", [user_agent])
+    mocker.patch.object(middleware.settings, "HEALTHCHECK_USER_AGENTS", [user_agent])
     client = Client(HTTP_USER_AGENT=user_agent)
 
     response = client.get(reverse(ROUTE_INDEX))
@@ -21,7 +21,7 @@ def test_healthcheck_user_agent(mocker, user_agent):
 
 @pytest.mark.django_db
 def test_non_healthcheck_user_agent(mocker, client):
-    mocker.patch.object(session.settings, "HEALTHCHECK_USER_AGENTS", ["AlwaysOn"])
+    mocker.patch.object(middleware.settings, "HEALTHCHECK_USER_AGENTS", ["AlwaysOn"])
 
     response = client.get(reverse(ROUTE_INDEX))
 

From 78a77c74a4aa3a83ee5b3f0c95e4bbd44c5930a3 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 10:05:23 -0700
Subject: [PATCH 37/54] chore(terraform): remove unused rate limit env vars

---
 terraform/app_service.tf | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 78ac65354..9c71cd5ec 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -63,10 +63,6 @@ resource "azurerm_linux_web_app" "main" {
     "DJANGO_DEBUG"         = local.is_prod ? null : "${local.secret_prefix}django-debug)",
     "DJANGO_LOG_LEVEL"     = "${local.secret_prefix}django-log-level)",
 
-    "DJANGO_RATE_LIMIT"         = local.is_dev ? null : "${local.secret_prefix}django-rate-limit)",
-    "DJANGO_RATE_LIMIT_METHODS" = local.is_dev ? null : "${local.secret_prefix}django-rate-limit-methods)",
-    "DJANGO_RATE_LIMIT_PERIOD"  = local.is_dev ? null : "${local.secret_prefix}django-rate-limit-period)",
-
     "DJANGO_RECAPTCHA_SECRET_KEY" = local.is_dev ? null : "${local.secret_prefix}django-recaptcha-secret-key)",
     "DJANGO_RECAPTCHA_SITE_KEY"   = local.is_dev ? null : "${local.secret_prefix}django-recaptcha-site-key)",
 

From 6fb30ac19224dd59f9a6ac29400ee688c3f8e206 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 10:19:35 -0700
Subject: [PATCH 38/54] refactor(tests): use helper for CC setup

---
 tests/cypress/specs/rate-limit.cy.js | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

diff --git a/tests/cypress/specs/rate-limit.cy.js b/tests/cypress/specs/rate-limit.cy.js
index b5e7b260d..579977636 100644
--- a/tests/cypress/specs/rate-limit.cy.js
+++ b/tests/cypress/specs/rate-limit.cy.js
@@ -1,5 +1,5 @@
-const agencies = require("../fixtures/transit-agencies");
 const users = require("../fixtures/users.json");
+const helpers = require("./helpers");
 const { eligibility_url, post_confirm } = require("../plugins/eligibility");
 
 const RATE_LIMIT = 12;
@@ -12,15 +12,8 @@ describe("Rate limiting feature spec", () => {
   beforeEach(() => {
     cy.visit("/");
 
-    // agency selection
-    cy.contains("Choose Your Provider").click();
-    cy.contains(agencies[0].fields.long_name).click();
-
-    // select Courtesy Card
-    // TODO find a more robust way to do this
-    cy.get('#form-verifier-selection [type="radio"]').check("2");
-    cy.get("#form-verifier-selection button[type='submit']").click();
-    cy.contains("Continue").click();
+    helpers.selectAgency();
+    helpers.selectCourtesyCard();
   });
 
   it("Limits excess requests", () => {

From 2ddaaf31e319c4edadb53a17eea0f5b9f66668fa Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 10:20:35 -0700
Subject: [PATCH 39/54] refactor(tests): rate limit wait helper

POST to /eligibility/confirm needs to respect rate limit
---
 tests/cypress/specs/courtesy-cards.cy.js |  4 ++++
 tests/cypress/specs/helpers.js           |  9 +++++++++
 tests/cypress/specs/rate-limit.cy.js     | 11 ++++-------
 3 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/tests/cypress/specs/courtesy-cards.cy.js b/tests/cypress/specs/courtesy-cards.cy.js
index 4b8298571..64ea4c8f4 100644
--- a/tests/cypress/specs/courtesy-cards.cy.js
+++ b/tests/cypress/specs/courtesy-cards.cy.js
@@ -10,6 +10,8 @@ describe("Courtesy Cards", () => {
   });
 
   it("Confirms an eligible user", () => {
+    helpers.rateLimitWait();
+
     cy.get("#sub").type(users.eligible.sub);
     cy.get("#name").type(users.eligible.name);
     cy.get("#form-eligibility-verification button[type='submit']").click();
@@ -18,6 +20,8 @@ describe("Courtesy Cards", () => {
   });
 
   it("Rejects an ineligible user", () => {
+    helpers.rateLimitWait();
+
     cy.get("#sub").type(users.ineligible.sub);
     cy.get("#name").type(users.ineligible.name);
     cy.get("#form-eligibility-verification button[type='submit']").click();
diff --git a/tests/cypress/specs/helpers.js b/tests/cypress/specs/helpers.js
index 1d037d2a2..3656b7e54 100644
--- a/tests/cypress/specs/helpers.js
+++ b/tests/cypress/specs/helpers.js
@@ -2,6 +2,15 @@ const agencies = require("../fixtures/transit-agencies");
 
 const agency = agencies[0].fields;
 
+// from nginx.conf
+const RATE_LIMIT = 12;
+// 12 requests/minute ==> 5 seconds in milliseconds
+const WAIT_TIME = (60 / RATE_LIMIT) * 1000;
+
+export const rateLimitWait = () => {
+  cy.wait(WAIT_TIME);
+};
+
 export const selectAgency = () => {
   cy.location("pathname").should("eq", "/");
 
diff --git a/tests/cypress/specs/rate-limit.cy.js b/tests/cypress/specs/rate-limit.cy.js
index 579977636..fdbfe5474 100644
--- a/tests/cypress/specs/rate-limit.cy.js
+++ b/tests/cypress/specs/rate-limit.cy.js
@@ -2,9 +2,6 @@ const users = require("../fixtures/users.json");
 const helpers = require("./helpers");
 const { eligibility_url, post_confirm } = require("../plugins/eligibility");
 
-const RATE_LIMIT = 12;
-// 5 seconds in milliseconds => allows 12 requests/minute
-const WAIT_TIME = 5 * 1000;
 const SUCCESS_STATUS = 302;
 const FAIL_STATUS = 503;
 
@@ -28,7 +25,7 @@ describe("Rate limiting feature spec", () => {
       .invoke("attr", "value")
       .then((csrfmiddlewaretoken) => {
         // make successive requests with no wait time
-        for (let i = 0; i < RATE_LIMIT; i++) {
+        for (let i = 0; i < helpers.RATE_LIMIT; i++) {
           post_confirm(csrfmiddlewaretoken, sub, name, false).then((res) => {
             // the first request should succeed, subsequent should fail
             if (i == 0) {
@@ -43,7 +40,7 @@ describe("Rate limiting feature spec", () => {
 
   it("Allows requests with enough time in between", () => {
     // start with a wait, since the previous test already triggered the limit
-    cy.wait(WAIT_TIME);
+    helpers.rateLimitWait();
 
     const sub = users.ineligible.sub;
     const name = users.ineligible.name;
@@ -56,10 +53,10 @@ describe("Rate limiting feature spec", () => {
       .invoke("attr", "value")
       .then((csrfmiddlewaretoken) => {
         // make successive requests with time in between
-        for (let i = 0; i < RATE_LIMIT; i++) {
+        for (let i = 0; i < helpers.RATE_LIMIT; i++) {
           post_confirm(csrfmiddlewaretoken, sub, name, false).then((res) => {
             expect(res.status).to.eq(SUCCESS_STATUS);
-            cy.wait(WAIT_TIME);
+            helpers.rateLimitWait();
           });
         }
       });

From 8c0a3b5d4c45ab2d85c61e45436eae726b25c3e7 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 10:45:57 -0700
Subject: [PATCH 40/54] test(nginx): assert 404 on known scraping targets

---
 tests/cypress/specs/scrapers.cy.js | 31 ++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 tests/cypress/specs/scrapers.cy.js

diff --git a/tests/cypress/specs/scrapers.cy.js b/tests/cypress/specs/scrapers.cy.js
new file mode 100644
index 000000000..eb7e120bd
--- /dev/null
+++ b/tests/cypress/specs/scrapers.cy.js
@@ -0,0 +1,31 @@
+const endpoints = ["auth", "cgi", "eligibility/app", "login", "sample/api"];
+const files = [".env", "wp-admin/login.php", "data.json", "secrets/prod.yaml"];
+
+const visit = (partial_path) => {
+  return cy.request({
+    method: "GET",
+    url: `/${partial_path}`,
+    // allow cypress to continue on 404
+    failOnStatusCode: false,
+  });
+};
+
+const NOT_FOUND = 404;
+
+describe("Scraper filtering spec", () => {
+  endpoints.forEach((endpoint) => {
+    it(`404s known scraper endpoint pattern: /${endpoint}`, () => {
+      visit(endpoint).then((res) => {
+        expect(res.status).to.eq(NOT_FOUND);
+      });
+    });
+  });
+
+  files.forEach((file) => {
+    it(`404s known scraper file pattern: /${file}`, () => {
+      visit(file).then((res) => {
+        expect(res.status).to.eq(NOT_FOUND);
+      });
+    });
+  });
+});

From 3ba8cc5678da3cb8167fe6e3241dc9298ef3d950 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 16:28:18 -0700
Subject: [PATCH 41/54] fix(nginx): filename optional

checking for extension only
---
 appcontainer/nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
index ac85d3293..c5ac4be5d 100644
--- a/appcontainer/nginx.conf
+++ b/appcontainer/nginx.conf
@@ -54,7 +54,7 @@ http {
     # 404 known scraping file targets
     # case-insensitive regex matches the given file extension anywhere in the request path
     # e.g. /something/admin.php and /secrets.yaml
-    location ~* /.+\.(asp|axd|cgi|com|env|json|log|php|xml|ya?ml) {
+    location ~* /.*\.(asp|axd|cgi|com|env|json|log|php|xml|ya?ml) {
         access_log off;
         log_not_found off;
         return 404;

From 1f33670b58dcb0498e9e70dde7fbc9b21e4a1b29 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 16:28:50 -0700
Subject: [PATCH 42/54] fix(tests): simplify, ensure nginx throws 404

---
 tests/cypress/specs/scrapers.cy.js | 17 ++++++-----------
 1 file changed, 6 insertions(+), 11 deletions(-)

diff --git a/tests/cypress/specs/scrapers.cy.js b/tests/cypress/specs/scrapers.cy.js
index eb7e120bd..e5daf47d3 100644
--- a/tests/cypress/specs/scrapers.cy.js
+++ b/tests/cypress/specs/scrapers.cy.js
@@ -1,5 +1,6 @@
 const endpoints = ["auth", "cgi", "eligibility/app", "login", "sample/api"];
 const files = [".env", "wp-admin/login.php", "data.json", "secrets/prod.yaml"];
+const targets = endpoints.concat(files);
 
 const visit = (partial_path) => {
   return cy.request({
@@ -13,18 +14,12 @@ const visit = (partial_path) => {
 const NOT_FOUND = 404;
 
 describe("Scraper filtering spec", () => {
-  endpoints.forEach((endpoint) => {
-    it(`404s known scraper endpoint pattern: /${endpoint}`, () => {
-      visit(endpoint).then((res) => {
-        expect(res.status).to.eq(NOT_FOUND);
-      });
-    });
-  });
-
-  files.forEach((file) => {
-    it(`404s known scraper file pattern: /${file}`, () => {
-      visit(file).then((res) => {
+  targets.forEach((target) => {
+    it(`nginx returns 404 for known scraper target pattern: /${target}`, () => {
+      visit(target).then((res) => {
         expect(res.status).to.eq(NOT_FOUND);
+        expect(res.body).to.contain("nginx");
+        expect(res.body).not.to.contain("Cal-ITP");
       });
     });
   });

From 5b081bccaee3f1b1e35a82fbd77e930098f47834 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Tue, 18 Apr 2023 14:03:02 -0700
Subject: [PATCH 43/54] fix(tests): export rate limit consts

otherwise these are undefined in the tests that need them
---
 tests/cypress/specs/helpers.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/cypress/specs/helpers.js b/tests/cypress/specs/helpers.js
index 3656b7e54..f241bcdb8 100644
--- a/tests/cypress/specs/helpers.js
+++ b/tests/cypress/specs/helpers.js
@@ -3,9 +3,9 @@ const agencies = require("../fixtures/transit-agencies");
 const agency = agencies[0].fields;
 
 // from nginx.conf
-const RATE_LIMIT = 12;
+export const RATE_LIMIT = 12;
 // 12 requests/minute ==> 5 seconds in milliseconds
-const WAIT_TIME = (60 / RATE_LIMIT) * 1000;
+export const WAIT_TIME = (60 / RATE_LIMIT) * 1000;
 
 export const rateLimitWait = () => {
   cy.wait(WAIT_TIME);

From 120a962b3bd0a224e3d0bd66340dd792a181fba3 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Tue, 18 Apr 2023 14:04:16 -0700
Subject: [PATCH 44/54] refactor(tests): move helpers out of specs

---
 tests/cypress/{specs => plugins}/helpers.js | 0
 tests/cypress/specs/benefit-select.cy.js    | 2 +-
 tests/cypress/specs/courtesy-cards.cy.js    | 2 +-
 tests/cypress/specs/rate-limit.cy.js        | 2 +-
 tests/cypress/specs/spanish.cy.js           | 2 +-
 5 files changed, 4 insertions(+), 4 deletions(-)
 rename tests/cypress/{specs => plugins}/helpers.js (100%)

diff --git a/tests/cypress/specs/helpers.js b/tests/cypress/plugins/helpers.js
similarity index 100%
rename from tests/cypress/specs/helpers.js
rename to tests/cypress/plugins/helpers.js
diff --git a/tests/cypress/specs/benefit-select.cy.js b/tests/cypress/specs/benefit-select.cy.js
index cfbf72db7..47a6ea69b 100644
--- a/tests/cypress/specs/benefit-select.cy.js
+++ b/tests/cypress/specs/benefit-select.cy.js
@@ -1,4 +1,4 @@
-const helpers = require("./helpers");
+const helpers = require("../plugins/helpers");
 
 const verifier_selection_url = "/eligibility";
 
diff --git a/tests/cypress/specs/courtesy-cards.cy.js b/tests/cypress/specs/courtesy-cards.cy.js
index 64ea4c8f4..6015dad44 100644
--- a/tests/cypress/specs/courtesy-cards.cy.js
+++ b/tests/cypress/specs/courtesy-cards.cy.js
@@ -1,4 +1,4 @@
-const helpers = require("./helpers");
+const helpers = require("../plugins/helpers");
 const users = require("../fixtures/users.json");
 
 describe("Courtesy Cards", () => {
diff --git a/tests/cypress/specs/rate-limit.cy.js b/tests/cypress/specs/rate-limit.cy.js
index fdbfe5474..ec0af3b9f 100644
--- a/tests/cypress/specs/rate-limit.cy.js
+++ b/tests/cypress/specs/rate-limit.cy.js
@@ -1,5 +1,5 @@
 const users = require("../fixtures/users.json");
-const helpers = require("./helpers");
+const helpers = require("../plugins/helpers");
 const { eligibility_url, post_confirm } = require("../plugins/eligibility");
 
 const SUCCESS_STATUS = 302;
diff --git a/tests/cypress/specs/spanish.cy.js b/tests/cypress/specs/spanish.cy.js
index 80c3e2f86..6142011ec 100644
--- a/tests/cypress/specs/spanish.cy.js
+++ b/tests/cypress/specs/spanish.cy.js
@@ -1,4 +1,4 @@
-const helpers = require("./helpers");
+const helpers = require("../plugins/helpers");
 
 describe("Spanish language", () => {
   beforeEach(() => {

From a1a3c43a713132cfa64b9c31a3e9a748a6ca712b Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Tue, 18 Apr 2023 14:04:59 -0700
Subject: [PATCH 45/54] test(rate-limit): ensure nginx returns the failure

---
 tests/cypress/specs/rate-limit.cy.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tests/cypress/specs/rate-limit.cy.js b/tests/cypress/specs/rate-limit.cy.js
index ec0af3b9f..bfc534de6 100644
--- a/tests/cypress/specs/rate-limit.cy.js
+++ b/tests/cypress/specs/rate-limit.cy.js
@@ -32,6 +32,8 @@ describe("Rate limiting feature spec", () => {
               expect(res.status).to.eq(SUCCESS_STATUS);
             } else {
               expect(res.status).to.eq(FAIL_STATUS);
+              expect(res.body).to.contain("nginx");
+              expect(res.body).not.to.contain("Return home");
             }
           });
         }

From 9bdef245773d7785982940ef9dc9e573175b09f6 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 20 Apr 2023 20:51:38 +0000
Subject: [PATCH 46/54] fix(settings): allow unsafe-inline for style-src

needed for payment processor overlay window
---
 benefits/settings.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/benefits/settings.py b/benefits/settings.py
index aff3e6640..8fd8ac614 100644
--- a/benefits/settings.py
+++ b/benefits/settings.py
@@ -315,6 +315,7 @@ def _filter_empty(ls):
 
 CSP_STYLE_SRC = [
     "'self'",
+    "'unsafe-inline'",
     "https://california.azureedge.net/",
     "https://fonts.googleapis.com/css",
 ]

From eafbe09ad6ea9531baee8fc93b65d08acab92e55 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 18:51:36 +0000
Subject: [PATCH 47/54] feat(sentry): make traces sample rate configurable

---
 benefits/sentry.py          | 11 ++++++++++-
 tests/pytest/test_sentry.py | 28 ++++++++++++++++++++++++++--
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/benefits/sentry.py b/benefits/sentry.py
index 68e4a82b4..1d49f96cf 100644
--- a/benefits/sentry.py
+++ b/benefits/sentry.py
@@ -62,6 +62,15 @@ def get_denylist():
     return denylist
 
 
+def get_traces_sample_rate():
+    rate = float(os.environ.get("SENTRY_TRACES_SAMPLE_RATE", "0.0"))
+
+    if rate < 0.0 or rate > 1.0:
+        raise ValueError("SENTRY_TRACES_SAMPLE_RATE must be a float in [0.0, 1.0]")
+
+    return rate
+
+
 def configure():
     SENTRY_DSN = os.environ.get("SENTRY_DSN")
     if SENTRY_DSN:
@@ -74,7 +83,7 @@ def configure():
             integrations=[
                 DjangoIntegration(),
             ],
-            traces_sample_rate=1.0,
+            traces_sample_rate=get_traces_sample_rate(),
             environment=SENTRY_ENVIRONMENT,
             release=release,
             in_app_include=["benefits"],
diff --git a/tests/pytest/test_sentry.py b/tests/pytest/test_sentry.py
index d369a8844..437088781 100644
--- a/tests/pytest/test_sentry.py
+++ b/tests/pytest/test_sentry.py
@@ -1,8 +1,11 @@
-from benefits import VERSION
-from benefits.sentry import get_release
 import os
 from tempfile import NamedTemporaryFile
 
+import pytest
+
+from benefits import VERSION
+from benefits.sentry import get_release, get_traces_sample_rate
+
 
 def test_git(mocker):
     mocker.patch("benefits.sentry.git_available", return_value=True)
@@ -45,3 +48,24 @@ def test_git_no_repo(mocker):
     mocker.patch("benefits.sentry.get_sha_file_path", return_value=file_path)
 
     assert get_release() == VERSION
+
+
+def test_traces_sample_rate_default():
+    rate = get_traces_sample_rate()
+    assert rate == 0.0
+
+
+@pytest.mark.parametrize("env_rate", ["0.0", "0.25", "0.99", "1.0"])
+def test_traces_sample_rate_valid_range(mocker, env_rate):
+    mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
+
+    rate = get_traces_sample_rate()
+    assert rate == float(env_rate)
+
+
+@pytest.mark.parametrize("env_rate", ["-1.0", "-0.1", "1.01", "2.0"])
+def test_traces_sample_rate_invalid_range(mocker, env_rate):
+    mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
+
+    with pytest.raises(ValueError, match=r"SENTRY_TRACES_SAMPLE_RATE"):
+        get_traces_sample_rate()

From afca263ba33ec012dc8a4476f08761d50149fcff Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 18:52:35 +0000
Subject: [PATCH 48/54] chore(terraform): read traces sample rate from secrets

---
 terraform/app_service.tf | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/terraform/app_service.tf b/terraform/app_service.tf
index 61909f74b..85a9b1531 100644
--- a/terraform/app_service.tf
+++ b/terraform/app_service.tf
@@ -76,9 +76,10 @@ resource "azurerm_linux_web_app" "main" {
     "HEALTHCHECK_USER_AGENTS" = local.is_dev ? null : "${local.secret_prefix}healthcheck-user-agents)",
 
     # Sentry
-    "SENTRY_DSN"         = "${local.secret_prefix}sentry-dsn)",
-    "SENTRY_ENVIRONMENT" = local.env_name,
-    "SENTRY_REPORT_URI"  = "${local.secret_prefix}sentry-report-uri)",
+    "SENTRY_DSN"                = "${local.secret_prefix}sentry-dsn)",
+    "SENTRY_ENVIRONMENT"        = local.env_name,
+    "SENTRY_REPORT_URI"         = "${local.secret_prefix}sentry-report-uri)",
+    "SENTRY_TRACES_SAMPLE_RATE" = "${local.secret_prefix}sentry-traces-sample-rate)",
 
     # Environment variables for data migration
     "MST_SENIOR_GROUP_ID"                                  = "${local.secret_prefix}mst-senior-group-id)",

From 164a9094480b7b52d239076203e7c746ed56f802 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 18:55:45 +0000
Subject: [PATCH 49/54] docs(sentry): describe traces sample rate setting

---
 docs/configuration/environment-variables.md | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/docs/configuration/environment-variables.md b/docs/configuration/environment-variables.md
index c218be2f1..80b7fac44 100644
--- a/docs/configuration/environment-variables.md
+++ b/docs/configuration/environment-variables.md
@@ -187,5 +187,15 @@ Collect information on Content-Security-Policy (CSP) violations. Read more about
 
 To enable report collection, set this env var to the authenticated Sentry endpoint.
 
+### `SENTRY_TRACES_SAMPLE_RATE`
+
+!!! tldr "Sentry docs"
+
+    [`traces_sample_rate`](https://docs.sentry.io/platforms/python/configuration/sampling/#configuring-the-transaction-sample-rate)
+
+Control the volume of transactions sent to Sentry. Value must be a float in the range `[0.0, 1.0]`.
+
+The default is `0.0` (i.e. no transactions are tracked).
+
 [app-service-config]: https://docs.microsoft.com/en-us/azure/app-service/configure-common?tabs=portal
 [getting-started_create-env]: ../getting-started/README.md#create-an-environment-file

From 2a2cfcf32e240627e7214f3609c9bd4ef5583033 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Fri, 14 Apr 2023 19:00:22 +0000
Subject: [PATCH 50/54] test(sentry): sample rate should be float

---
 tests/pytest/test_sentry.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tests/pytest/test_sentry.py b/tests/pytest/test_sentry.py
index 437088781..720607d73 100644
--- a/tests/pytest/test_sentry.py
+++ b/tests/pytest/test_sentry.py
@@ -69,3 +69,11 @@ def test_traces_sample_rate_invalid_range(mocker, env_rate):
 
     with pytest.raises(ValueError, match=r"SENTRY_TRACES_SAMPLE_RATE"):
         get_traces_sample_rate()
+
+
+@pytest.mark.parametrize("env_rate", ["zero", "one", "huh?"])
+def test_traces_sample_rate_float(mocker, env_rate):
+    mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
+
+    with pytest.raises(ValueError, match=r"could not convert string to float"):
+        get_traces_sample_rate()

From 75e305422d9f3a5fd12bb3d78239174b34cfa794 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 20 Apr 2023 21:16:07 +0000
Subject: [PATCH 51/54] fix(sentry): default to 0 for bad env var

---
 benefits/sentry.py          | 10 ++++++----
 tests/pytest/test_sentry.py | 10 +++++-----
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/benefits/sentry.py b/benefits/sentry.py
index 1d49f96cf..3c31b3a74 100644
--- a/benefits/sentry.py
+++ b/benefits/sentry.py
@@ -63,10 +63,12 @@ def get_denylist():
 
 
 def get_traces_sample_rate():
-    rate = float(os.environ.get("SENTRY_TRACES_SAMPLE_RATE", "0.0"))
-
-    if rate < 0.0 or rate > 1.0:
-        raise ValueError("SENTRY_TRACES_SAMPLE_RATE must be a float in [0.0, 1.0]")
+    try:
+        rate = float(os.environ.get("SENTRY_TRACES_SAMPLE_RATE", "0.0"))
+        if rate < 0.0 or rate > 1.0:
+            rate = 0.0
+    except ValueError:
+        rate = 0.0
 
     return rate
 
diff --git a/tests/pytest/test_sentry.py b/tests/pytest/test_sentry.py
index 720607d73..7307cc317 100644
--- a/tests/pytest/test_sentry.py
+++ b/tests/pytest/test_sentry.py
@@ -67,13 +67,13 @@ def test_traces_sample_rate_valid_range(mocker, env_rate):
 def test_traces_sample_rate_invalid_range(mocker, env_rate):
     mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
 
-    with pytest.raises(ValueError, match=r"SENTRY_TRACES_SAMPLE_RATE"):
-        get_traces_sample_rate()
+    rate = get_traces_sample_rate()
+    assert rate == 0.0
 
 
 @pytest.mark.parametrize("env_rate", ["zero", "one", "huh?"])
-def test_traces_sample_rate_float(mocker, env_rate):
+def test_traces_sample_rate_not_float(mocker, env_rate):
     mocker.patch("benefits.sentry.os.environ.get", return_value=env_rate)
 
-    with pytest.raises(ValueError, match=r"could not convert string to float"):
-        get_traces_sample_rate()
+    rate = get_traces_sample_rate()
+    assert rate == 0.0

From 2ae770fa7c17284ca91a5b6d69ea734c7b919628 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 20 Apr 2023 21:22:29 +0000
Subject: [PATCH 52/54] chore(sentry): add configuration logging

---
 benefits/sentry.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/benefits/sentry.py b/benefits/sentry.py
index 3c31b3a74..e9bfcb412 100644
--- a/benefits/sentry.py
+++ b/benefits/sentry.py
@@ -1,3 +1,4 @@
+import logging
 import shutil
 import os
 import subprocess
@@ -8,6 +9,7 @@
 
 from benefits import VERSION
 
+logger = logging.getLogger(__name__)
 
 SENTRY_ENVIRONMENT = os.environ.get("SENTRY_ENVIRONMENT", "local")
 SENTRY_CSP_REPORT_URI = None
@@ -66,8 +68,12 @@ def get_traces_sample_rate():
     try:
         rate = float(os.environ.get("SENTRY_TRACES_SAMPLE_RATE", "0.0"))
         if rate < 0.0 or rate > 1.0:
+            logger.warn("SENTRY_TRACES_SAMPLE_RATE was not in the range [0.0, 1.0], defaulting to 0.0")
             rate = 0.0
+        else:
+            logger.info(f"SENTRY_TRACES_SAMPLE_RATE set to: {rate}")
     except ValueError:
+        logger.warn("SENTRY_TRACES_SAMPLE_RATE did not parse to float, defaulting to 0.0")
         rate = 0.0
 
     return rate
@@ -77,7 +83,7 @@ def configure():
     SENTRY_DSN = os.environ.get("SENTRY_DSN")
     if SENTRY_DSN:
         release = get_release()
-        print(f"Enabling Sentry for environment '{SENTRY_ENVIRONMENT}', release '{release}'...")
+        logger.info(f"Enabling Sentry for environment '{SENTRY_ENVIRONMENT}', release '{release}'...")
 
         # https://docs.sentry.io/platforms/python/configuration/
         sentry_sdk.init(
@@ -99,4 +105,4 @@ def configure():
         global SENTRY_CSP_REPORT_URI
         SENTRY_CSP_REPORT_URI = os.environ.get("SENTRY_REPORT_URI", "")
     else:
-        print("SENTRY_DSN not set, so won't send events")
+        logger.info("SENTRY_DSN not set, so won't send events")

From eb6651a14adad5027a5686604e7d6f6df966e424 Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 20 Apr 2023 21:58:43 +0000
Subject: [PATCH 53/54] chore(release): bump version to 2023.04.2

---
 benefits/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/benefits/__init__.py b/benefits/__init__.py
index 544748407..024e2c4d0 100644
--- a/benefits/__init__.py
+++ b/benefits/__init__.py
@@ -1,3 +1,3 @@
-__version__ = "2023.04.1"
+__version__ = "2023.04.2"
 
 VERSION = __version__

From e3b8e9122fccac7a8c7c1ea843188fcbcb88a41d Mon Sep 17 00:00:00 2001
From: Kegan Maher <kegan@compiler.la>
Date: Thu, 20 Apr 2023 22:24:41 +0000
Subject: [PATCH 54/54] fix(nginx): relax 404 filter

---
 appcontainer/nginx.conf            | 6 ++----
 tests/cypress/specs/scrapers.cy.js | 2 +-
 2 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/appcontainer/nginx.conf b/appcontainer/nginx.conf
index c5ac4be5d..d85fb2b7f 100644
--- a/appcontainer/nginx.conf
+++ b/appcontainer/nginx.conf
@@ -44,8 +44,7 @@ http {
 
     # 404 known scraping path targets
     # case-insensitive regex matches the given path fragment anywhere in the request path
-    # e.g. /something/api and /login
-    location ~* /(\.?git|api|app|assets|ats|auth|bootstrap|bower|cgi|content|credentials|docker|doc|env|example|login|swagger|web) {
+    location ~* /(\.?git|api|app|assets|ats|bootstrap|bower|cgi|content|credentials|docker|doc|env|example|swagger|web) {
         access_log off;
         log_not_found off;
         return 404;
@@ -53,8 +52,7 @@ http {
 
     # 404 known scraping file targets
     # case-insensitive regex matches the given file extension anywhere in the request path
-    # e.g. /something/admin.php and /secrets.yaml
-    location ~* /.*\.(asp|axd|cgi|com|env|json|log|php|xml|ya?ml) {
+    location ~* /.*\.(asp|axd|cgi|com|env|json|php|xml|ya?ml) {
         access_log off;
         log_not_found off;
         return 404;
diff --git a/tests/cypress/specs/scrapers.cy.js b/tests/cypress/specs/scrapers.cy.js
index e5daf47d3..bf0e59dc5 100644
--- a/tests/cypress/specs/scrapers.cy.js
+++ b/tests/cypress/specs/scrapers.cy.js
@@ -1,4 +1,4 @@
-const endpoints = ["auth", "cgi", "eligibility/app", "login", "sample/api"];
+const endpoints = ["cgi", "eligibility/app", "sample/api"];
 const files = [".env", "wp-admin/login.php", "data.json", "secrets/prod.yaml"];
 const targets = endpoints.concat(files);