Feature/ser 280 require email confirmation#91
Conversation
…stering Signed-off-by: Jon Berry <jon@jonberry.co>
…r requesting account validation Signed-off-by: Jon Berry <jon@jonberry.co>
…ow to verified users
…er does not exist at the provided email address
…quire-email-confirmation Signed-off-by: Jon Berry <jon@jonberry.co> # Conflicts: # src/controllers/auth.controller.js
- Use async/await style in migration `20190408115030-add-validation-columns-users.js` - Update README/CHANGELOG
There was a problem hiding this comment.
Static review looks fine.
Rebase/Squash
Before merging to develop, I'd recommend squashing the 1st attempt ... 4th attempt linting fixes, and possibly some of the other commits.
Testing
It looks like only the original case is tested
AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION=falseAUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION=false
Not the entire set
AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION: [true, false]
X (cross)
AUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION: [true, false]
Indeed, testing the other 3x cases would require programmatically updating these variables set in .env.test, probably by modifying the config object in the test suite.
It's probably sufficient to add test(s) for just the case
AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION=trueAUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION=true
Indeed, when I update .env.test with these, I get "test failures" (a good thing in this case), e.g.
1) Auth API: Seed with environmental password should seed with the config admin with a environmentally derived password:
Error: expected 200 "OK", got 404 "Not Found"
mountHouli
left a comment
mountHouli
left a comment
There was a problem hiding this comment.
I was able to do a pretty thorough job reviewing this. I read all or nearly all of the code. However, I didn't get a chance to test, except for the one bug found/recorded in my review of the orange-web PR.
-
The forward migration needs to make every existing account already verified. (This is critical).
-
All of the 'messaging protocol' terminology is not clear. Can you think of a more straight-forward way of naming it?
mountHouli
left a comment
mountHouli
left a comment
There was a problem hiding this comment.
Please add thorough testing steps. (esp. see item 2.C. below)
1. Auto-verification
We need some way for users to be auto-verified. Two different examples:
A. The AUTH_SERVICE_SEED_ADMIN_* should be automatically verified when it is auto-generated the first time the auth service starts.
B. The Push Notifications Service User gets created as a part of the deployment process. It should be able to be auto-verified. Perhaps the logic in the create-user endpoint should be if (JWT belongs to a super admin && req.body.auto_verify_this_new_user_being_created) { /* Auto-complete the verification process */ }
(Note: I might remove the PNSU from the deployment process and instead just use the Seed Admin as the PNSU. However, I still think we should have the above (B) functionality).
2. Verification Process Questions/Changes
Regarding User.verifyAccountToken and User.prototype.updateVerifyAccountToken:
A. Together they accomplish one, discrete bit of functionality, so I think it should all be in one function, not split into two functions.
B. updateVerifyAccountToken implies that a token can be passed into this function. Since this function always auto-generates the token (you can only pass in an email and an expiration time), it should be called createVerifyAccountToken or generateVerifyAccountToken (probably the former rather than the latter). Also, verifyAccountToken misleads the developer/maintainer because it sounds like this function is involved in the process of verifying an existing token, not the process of generating a new token to be verified later. It should be renamed to createVerifyAccountToken or getAccountVerificationToken or createContactMethodVerificationToken or something like this.
C(ish / Related) (the following is my thought without thinking through it thoroughly)
/dispatch-verification-request should not exist. The way it should work is, any time you create a new user, as a part of that same API call to the auth service, it should populate the account verification fields in the Users table according to the account verification env vars, then dispatch the account verification email. In this same vein, why does orange-web VerifyEmailPrompt.jsx have a button to call /dispatch-verification-request? The token should already be created, and the web page should only be the landing page for when a user clicks on the verification email link. Along the same lines, in orange-web, what is the /verify-email page for?
mountHouli
left a comment
mountHouli
left a comment
There was a problem hiding this comment.
Now that #90 is merged, this PR must be rebased to include those changes.
Note: This will include having to change the signature of any calls to new APIError(). Very easy. I would be happy to help if you have any questions.
…ir email who attempt to sign in. Signed-off-by: Jon Berry <jon@jonberry.co>
Signed-off-by: Jon Berry <jon@jonberry.co>
Signed-off-by: Jon Berry <jon@jonberry.co>
@rmharrison may have some guidance on that.
I think we should be able to do that, should we consider adding a new scope for system-level users?
I left them split, because I see a class method vs instance may be needed here, especially if we go the route of dispatching a token and email when a user registers
changed to generate
We talked on the phone about this, it's inelegant for the first iteration but gets it out the door. |
Signed-off-by: Jon Berry <jon@jonberry.co>
Signed-off-by: Jon Berry <jon@jonberry.co>
…quire-email-confirmation
|
Regarding |
Regarding
|
Signed-off-by: Jon Berry <jon@jonberry.co>
…github.com/amida-tech/amida-auth-microservice into feature/SER-280-require-email-confirmation
Signed-off-by: Jon Berry <jon@jonberry.co>
mountHouli
left a comment
mountHouli
left a comment
There was a problem hiding this comment.
The migrations have one bug that needs to be fixed. See inline feedback regarding the WHERE clause of the UPDATE "Users" SET "verifiedContactMethods" = ... statement.
Signed-off-by: Jon Berry <jon@jonberry.co>
mountHouli
left a comment
mountHouli
left a comment
There was a problem hiding this comment.
Ton of great work! Many thanks!
orndorffgrant
left a comment
orndorffgrant
left a comment
There was a problem hiding this comment.
Good (and big!) PR!
Did a fairly thorough code review. Some small things to consider before approval.
| `You can reset your account password using the following link: ${resetLink}`, | ||
| 'If you believe this message was sent in error, please disregard this message.', | ||
| ]; | ||
| const text = util.format('%s\n\n%s\n\n%s\n\n%s', ...body); |
There was a problem hiding this comment.
Future/not applicable to this PR: If we get time to invest in this service, we should move to using a real templating engine for creating emails
There was a problem hiding this comment.
Outside of scope of this PR.
Keeping open (unresolved) FFR.
|
Seeing as Grant's comments have been addressed by Houli, and the package is running, merging. |
There was a problem hiding this comment.
Cherrypicked (minor) changes onto branch:release/2.8.0 because this branch had already been merged.
Was unable to integration test with orange-web
After creating user via POSTMAN, and sending sending email at orange-web/verify-url
2019-05-17T14:27:18.045Z error connect ECONNREFUSED 127.0.0.1:587
Error: connect ECONNREFUSED 127.0.0.1:587
at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1054:14)
{
"errno": "ECONNREFUSED",
"code": "ECONNECTION",
"syscall": "connect",
"address": "127.0.0.1",
"port": 587,
"command": "CONN"
}
2019-05-17T14:27:18.050Z info HTTP POST /api/v2/auth/dispatch-verification-request 500 77ms
{
"res": {
"statusCode": 500,
"responseTime": 77
},
"req": {
"url": "/api/v2/auth/dispatch-verification-request",
"method": "POST",
"httpVersion": "1.1",
"originalUrl": "/api/v2/auth/dispatch-verification-request",
"query": {}
},
"responseTime": 77
}
I'm assuming I missed some configuration.
4 participants
If this PR fixes a bug, you must add test cases representative of the bug.
What's this PR do?
20190408115030-add-validation-columns-users.js)Related JIRA tickets:
How should this be manually tested?
The best way to test this flow to spin up a copy of Orange-Web PR #85.
https://_webPortalURL_/verify-email)🚨 NEW ENV VARIABLES:
AUTH_SERVICE_REQUIRE_ACCOUNT_VERIFICATION, required, booleanAUTH_SERVICE_REQUIRE_SECURE_ACCOUNT_VERIFICATION, required, booleanAny background context you want to provide?
Screenshots (if appropriate):