Twilio integration for sms alerts

[manishapriya94]

Context

User Story: A user can choose to opt into sms alerts around the cause they wrote a letter for. The twilio integration allows us to follow up with user education via SMS.

• Stage 1: Users are sent through social media campaign, at advocacy events, while canvassing through a QR code
• Stage 2: Users authenticate (via Auth0 through their phone number)
• Stage 3: Users sign up for updates when sending their letter
• Stage 4: Send sms updates monthly from advocacy group (update the constituent table for people who signed up for sms updates)

Specs

• Integrate Twilio

  

• Update Database

• Update API docs

References

Data Structure | Data Report Feature Discussion Twilio API Docs User Journey Miro

Exit Criteria

• Full User Story Discussion

  Exit Criteria

• [ ] Set up Twilio API
  • [x] Create API token secret
  • [x] OpenSourceFellows/amplify#145
• [ ] OpenSourceFellows/amplify_server#34
• [ ] OpenSourceFellows/amplify#147
• [ ] OpenSourceFellows/amplify#149

[andyfeller]

Capturing discuss notes working with @nawazkhan and @ankitagrawal98

Brainstorm on task breakdown

1. Stage 2 needs to be expanded to take advantage of Auth0's SMS passwordless login option (which is through Twilio ironically) detailed https://auth0.com/docs/authenticate/passwordless/authentication-methods/sms-otp in order to allow people to authenticate with their mobile device rather than needing a Google account

   We think the Auth0 passwordless login using the Universal Login flow makes the most sense IF it can provide the phone number used for authenticating

   

2. Implement necessary database schema changes for containing constituents mobile number, per campaign notification preference as well as UI changes that populate the data

   

3. Developing a monthly digest process that generates digests around the various campaigns that constituents have signed up for

4. Explore a method for organizers to send out ad-hoc messages to constituents for a given campaign

[manishapriya94]

Open source alternative: https://fonoster.com/

cc: @nawazkhan @ankitagrawal98 @andyfeller

[i-am-b-soto]

Hello,

As of now, I'm not seeing a source of the sms message, nor what triggers it.

Do the individual campaign managers have access to Twilio accounts (presumably under some sort of organization) and setup their own flow to call an Amplify API endpoint? Or are we looking for a more in-house solution where campaign managers can login to Amplify and build and send their own messages and notifications from Amplify?

[manishapriya94]

Community user story: The groups often don't have IT people and might create another barrier if they have to have their own tooling.

• Could the workflow reflect a model in which the group texts some number/mechanism and it will text the end user who has subscribed?
• Would that include a review process? Or does it need authentication to be able to send to begin the flow? A different Auth0 workflow (currently it validates constituents, we need new one for the community groups)

If constituent:

• authentication: is this their user profile --> mapped to sms
• database: ensure the endpoint its coming from has encryption at rest and in transit (sms numbers protected/not linked to user --> OpenSourceFellows/amplify#31

If its admin

• access and authentication to perform action

• what visibility does subscription give?

  • banner
  • unsubscribe

• Compliance check:

  • What is the end to end encryption (which plan)
  • How to architect for identity validation/access management

Next steps @Iamsoto explores issues:

• [x] What is the end to end encryption and authentication look like (can we authorize with sms alone)
• [ ] Can it be integrated into current auth0 scheme Resources

[i-am-b-soto]

Also. HIPAA specifically is for Protected Health Information. I don't see health information stored in Amplify. So I don't believe HIPAA specifically should be a concern for us. Correct me if I'm wrong

source: https://www.cdc.gov/phlp/publications/topic/hipaa.html https://support.twilio.com/hc/en-us/articles/360059959413-Building-HIPAA-Compliant-Messaging-Applications-with-Twilio

[i-am-b-soto]

The California Consumer Privacy Act might be something to be aware of, however: And if we're reaching an international audience, The EU has the GDPR. Let me know if this seems more relevant.

Source: https://oag.ca.gov/privacy/ccpa https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection