[ARF] ARP Authentication (Sign-in/Sign-up) Pilot

[gabezurita]

Product Outline

Link TBD

High-Level User Story

As a VSOfficer: I require a secure login system to verify my accreditation and identity in order to protect Veterans’ Personal Identifiable Information (PII) and Protected Health Information (PHI).

OKR

Reduce the time it takes for Veterans to find, use, and receive VA services.

Definition of done

What must be true for you to consider this epic complete?

• A VSOff Accredited Representative User is able to log in to representative.va.gov

[nihil2501]

Proof of concept

• Here is an ARP POC PR adapted from React Router's auth example that does not use the data router APIs and uses redux.
• But since we're probably pursuing the newer data router APIs introduced in v6.4+ (which can let us leave behind an over-reliance on redux for bespoke implementations of a myriad of patterns), someone could instead make a proof of concept that adapts React Router's auth router provider example that doesn't use redux. It would probably be very helpful.

Auth Epic

The below tickets are essentially in order within the frontend and backend sections.

Backend

• Update SiS ClientConfig with per-environment client IDs
• Use default Sign-in Service authentication
  • Remove skip_before_action :authenticate
  • Make a AR engine /v0/user endpoint that duplicates VA's endpoint (this is a Veteran)
• Sync with identity to reimplement AR engine's authenticate and /v0/user
• Make client ID functional in gating vets-api versus AR engine
  • Also this should be in the sync with identity

Frontend

• Implement auth RouterProvider POC
• Update USiP configuration with per-environment client IDs
• Migrate codebase to single React app
• Migrate codebase to react-router-dom-v5-compat@6.4+
• Add header with a dummy user nav component
  • Mock is shown logged in
  • SiS sign out link (cookies will disappear)
• Populating a user in client state at root component load
  • Just use /v0/user for now
• User nav should render something for loading, not signed-in, and signed-in
  • signed-in -> sign out link
• Landing page user action should render something for loading, not signed-in, signed-in
  • not signed-in -> sign in link
• Gate dashboard based on having a user
  • render something for loading, not signed-in, and signed-in
• Migrate to invoke AR engine /v0/user

[gabezurita]

Reviewer note: Issues in this epic require significant detail. We'll flesh them out on a just-in-time basis as they enter sprints.

[gabezurita]

I updated the below issue, which should be the final issue for the ARP engine auth backend: https://app.zenhub.com/workspaces/accredited-representative-facing-team-65453a97a9cc36069a2ad1d6/issues/gh/department-of-veterans-affairs/va.gov-team/77865

We'll need to complete the React App epic before starting the frontend auth work!

[gabezurita]

ARP Authentication Flow (as it relates to accept/deny POA) - source thread:

1. RepUser authenticates on ARP.
2. ARP module backend stores user attribute data from credentials in a backend model.
3. ARP module backend uses RepUser attribute data from credentials to query LightHouse for associated veterans (or veteran requests for association).
4. If the Rep approves or denies the veteran's request for association, the action calls are made to lighthouse APIs. Lighthouse databases store (or send the relevant approval/denial to the appropriate downstream system)

[gabezurita]

Making good progress! That said, a few new issues have come to light:

• Create an ARP mock user in vets-api-mock-data to test/demo ARP login in staging and localhost
• Handle id.me and login.gov service status in case of downtime — see example
• Log users out on inactivity (session timeout)