codeforpdx / PASS

PASS project - with HMIS module integration
MIT License

Bug: Sign-up Link registration signs up with wrong name and webId #464

Closed leekahung closed 4 months ago

leekahung commented 8 months ago

Bug Description:

The existing registration flow signs up with the wrong name and webId. It uses the name and webId of the person they sign up with instead when adding to their Contact list.

Reproduction Steps:

1. Register a new user
2. See the bug after navigating to the Contacts page

Expected Behavior:

Should sign up user with their own first and last name with their webId, not the first and last name and webId of the person that they sign up with. The information added to the Contact list should be related to the person that's being registered not the person who they sign up with.

Screenshots (If applicable):

https://github.com/codeforpdx/PASS/assets/114430929/ed68ca69-a9a5-4a40-8e34-713347a26617

https://github.com/codeforpdx/PASS/assets/114430929/1b66fd94-449f-4352-8c64-5b22a5f3e204

timbot1789 commented 8 months ago

I don't think the bug here is quite as described. I've attached a screen recording showing a full signup process working correctly. Screencast from 10-21-2023 12:32:20 PM.webm

I think the issue happened at timestamp 0:12 of the first video in the main description. You'll see after pod creation, you are redirected to the pod server itself to complete sign in and allow PASS to create the contacts list in your pod. At that point, you need to be sure to sign into the pod server as the new user, not as the case manager. Otherwise you will continue through the rest of the signup process as the case manager. At time 0:12, if you look at the displayed web ID, you'll notice you signed into the case manager's pod, not the newly created pod.

The issue is that users sign into PASS in 2 places: the pod server, and PASS itself. Logging out of PASS does not necessarily log you out of the pod server. During the signup flow, the case manager is logged out of pass, but still logged into their pod.

I can think of 2 ways to fix this:

  1. Force the case manager to log out before beginning the signup flow. The signup link in the profile page forcibly logs you out of your pod, and if you access the signup page while logged in, you're blocked by a warning message and redirected to your pod. This may be disruptive to case manager workflows though if they're forced to constantly sign out to help people get accounts set up.
  2. Put the signup section under a different domain than the rest of PASS. e.g. if PASS is hosted at pass.com, then signup is at signup.pass.com. It may however require the user to sign in twice: once to create the pod, and once to access PASS (unless we get really funky with a reverse proxy).

timbot1789 commented 4 months ago

I'll implement fix 2 from the above comment.

timbot1789 commented 4 months ago

Upon further exploration, I think the best approach will be to forcibly log out the user when they navigate to the invite link, so that the auth systems don't get confused. We can massage this more later, but I don't think it will be THAT disruptive of a workflow, especially since the hypothetical case manager can always open a new browser window and copy-paste the invite link.

This requires a few changes:

  1. We must log out of both the app and the Solid provider. The most recent version of Inrupt's auth library allows us to do this, HOWEVER
  2. In order for the full logout flow to work properly, we must create a client ID document. This document must be hosted separately from the react app, because the react app is evaluated client side. The client app id must resolve server side.
  3. We can host the document on our own Vite[^1] server by modifying the vite config appropriately.

[^1]: Vite isn't actually the server. I just don't know what server Vite provides and don't care to look it up.