Add ConnectID Invite/De-Link/Re-Link features

[sravfeyn]

Product Description

Technical Summary

This provides UI actions to provision users using ConnectID auth backend implemented previously.

Feature Flag

COMMCARE_CONNECT

Safety Assurance

Safety story

I have tested this locally and it's within a feature flag

Automated test coverage

QA Plan

Todo

Migrations

• The migrations in this code can be safely applied first independently of the code

Rollback instructions

• This PR can be reverted after deploy with no further considerations

Labels & Review

• Risk label is set correctly
• The set of people pinged as reviewers is appropriate for the level of risk of the change

[sravfeyn]

Todo; I will need to coordinate with mobile to get a link that opens ConnectID app with the invite intent.

[calellowitz]

One other alternative is to send this as push notification (probably via the connectid server). That way the app is already handling it, and we know they are logged in. It will also allow us to hide all the info that doesn't matter to the user (like the code or username, which they won't be familiar with), since we can pass that in the data params.

[sravfeyn]

Yeah, definitely push notification would be better.

I remember Dave mentioning this specifically needed an SMS deeplink (I don't recall why). I will check with him and see if we can do push notification (on top of SMS).

[calellowitz]

general idea looks good. added a few questions and suggestions

[calellowitz]

nit: might be better to just have connect_id in the variable than use cid and add a comment to explain it

[calellowitz]

Does this require stage confirmation for connect domains or just allow it?

[sravfeyn]

This is a context variable that's used in the template for things that are common for all two-stage provision workflows.

[calellowitz]

nit: if it is a POST anyway these views can be combined and just pass the is_active value in the payload, but definitely not blocking and fine to keep it this way

[sravfeyn]

True. But there is a tradeoff on JS side. The corresponding JS here which is also used for regular (de/)activate needs to handle the POST param for connectid separately. So it's not much worth.

[calellowitz]

nit: i think this should be a 403 and can be added as a permission check to the views (the request isn't bad, they just aren't allowed to do it)

[calellowitz]

is it possible to pass the username in the view so that we can fetch the django user directly rather than the couch user and then the django user?

[sravfeyn]

The tradeoff is that we lookup and send django user IDs for all users in the paginate_mobile_workers so that the caller knows the django userid to pass it to this view.

[calellowitz]

do we have a util for this somewhere? I realize its a small thing, but we do it so much in HQ that I am surprised we dont have a function for it.

[sravfeyn]

Yeah, I thought the same, I couldn't find either. Most places do this same thing, and perhaps it wasn't worth a util that has just this one line in it.

[snopoke]

corehq.apps.users.util.raw_username

[calellowitz]

I don't think we want to send the user a message telling them to make a POST, because they won't know what to do with that info. I think we want to pass the right info to the phone so it can do that automatically (or have a clickable link that will confirm it, but a link that is clickable in the sms but doesn't do the right thing is going to be confusing)

[sravfeyn]

Yeah, definitely, this is a ToDo; mobile team has given me the correct format, so I will update this.

[calellowitz]

One other alternative is to send this as push notification (probably via the connectid server). That way the app is already handling it, and we know they are logged in. It will also allow us to hide all the info that doesn't matter to the user (like the code or username, which they won't be familiar with), since we can pass that in the data params.

[calellowitz]

what does encrypting the invite code do for us here?

[sravfeyn]

I think the code 'encodes' the invitation sent time, so that before confirming it can check the invite didn't expire. This is really a soft enforcement used in the other two multi-stage user provision workflows, so I took the pattern as it is.

[calellowitz]

Does this confirm that the token was valid at all? What response do we send if it wasn't?

[sravfeyn]

If the token is not valid this would not return a username. So right now, this would 500 if the token is not valid. Which is same behaviour as that of link_connectid_user.

[sravfeyn]

@calellowitz Bumping for review please

[sravfeyn]

@calellowitz Bumping for review. This, as well as the cchq one dimagi/commcare-cloud#6449

[calellowitz]

Are you planning to address the lint errors. Code generally looks fine, but that is generally worth doing. Otherwise one question (I see that one of them was corrected in a later commit). Otherwise, I would feel a bit more comfortable if someone outside connect reviewed this, since I am a bit rusty on hq code, but looks good to me.

[calellowitz]

This lint error looks real

[calellowitz]

Do we not want these messages for the import results?