search

flexion / ef-cms

An Electronic Filing / Case Management System.
23 stars 10 forks source link

Authentication: DAWSON Account Login #10007

Closed cholly75 closed 5 months ago

cholly75 commented 1 year ago

As a DAWSON user, so that I can have a less confusing and better tailored sign-in process, I want to sign in to DAWSON from a DAWSON URL/domain.

Currently the DAWSON sign-in process is hosted directly on Amazon servers. This is an experiential and technical disconnect from a user experience point of view; the DAWSON link on the USTC website doesn't actually take the user to DAWSON, but a cryptic Amazon URL from which they are presented with a page with none of the DAWSON/USTC stylings and which we have very little control over the look and feel. This has also presented technical problems on occasion as seen with tickets reporting issues with jumping domains during the process and browser behavior.

To streamline this overall experience and open up avenues for customizing the DAWSON sign in process, we would like to move the front-end authentication UI to be within DAWSON itself.

This story will address the sign in process for the user.

Pre-Conditions

Acceptance Criteria

Notes

Post Deployment Tasks

Test Cases

Story Definition of Ready (updated on 12/23/22)

The following criteria must be met in order for the user story to be picked up by the Flexion development team. The user story must:

Definition of Done (Updated 5-19-22)

Product Owner

UX

Engineering

swongCO commented 1 year ago

Questions/comments from pre-refinement: Look at login.gov for reference. Jenna may be able to help with questions.

katiecissell commented 1 year ago

Utilize the USWDS sign in template as a good jumping off point.

Private Zenhub Image

Validation

Private Zenhub Image

During the account creation process, after a user has verified their email, display the sign in UI with a green alert banner:

Private Zenhub Image

If they started to create an account, but didn’t confirm their email and try to sign in, display the sign in UI with a red alert banner:

Private Zenhub Image

Note: Also need to hide the 'log in' link on the verification email sent page now that we will have the correct page to display. This is a followup from the sign up ticket.

Updated email verification sent mockup 1/15/24

image.png

Mobile

Private Zenhub Image

Figma File

ttlenard commented 1 year ago

Test Cases

1) User navigates to DAWSON login page; Page has look and feel as per design, link to the page is no longer a Cognito url.

Expected Results:

2) User views DAWSON login page; links to Forgot your password and sign up are present, and direct users to appropriately.

Expected Results:

3) Log in button on the DAWSON login page is not active until there is both an email and password entered.

Part 1

Expected Results:

Part 2

Expected results:

Repeat this test, but add in a password first, followed by the email.
Repeat this test, but after the button is enabled, delete either the email or password - the Log in button should disable if both fields are not filled in.

4) User attempts to login with an email or password that does not exist (or that are in the wrong case); error message is displayed.

Part 1

Expected Results:

Part 2

Expected Results:

5) User enters a valid email address and password; User is logged in to DAWSON as per normal.

Expected Results

*Repeat this test with various users (internal/external)

6) User creates an account using the newly deployed Create Petitioner account page; After verifying their email, user is routed to a new email address verified page.

Expected Results:

7) User creates an account using the newly deployed Create Petitioner account page; User does not verify their account. When attempting to log in, the user is routed to a new email address not verified page.

Part 1

Expected Results:

Part 2

Expected Results:

8) User clicks on the create account link on the DAWSON homepage, then clicks on the Log in Link on the newly deployed Create Petitioner Account page; User is navigated to the new DAWSON Log in Page.

Expected Results:

9) Test on Mobile

10) Kibana logs - Check to see what is getting logged

Updated Test Cases - Added 3/6/24 to account for the other scenarios that are included in this story besides just log in

11) User that has an account clicks on the Forgot password link, new modal for forgot password displays

Expected Results:

12) User types in a valid email address that is does not have an account in DAWSON; no email is sent.

Expected Results:

13) User types in a valid email address associated with a DAWSON Account in the forgot password modal; email is in inbox.

Expected Results:

14) User inputs an incorrect Password reset code, enters a new password (twice) and clicks Change Password and log in button; User receives error message.

Expected Results:

15) User clicks the link in the error message to request a new code; User is navigated to the Reset Password Page.

Expected Results:

16) User inputs Password reset code from email, enters a new password (twice) and clicks Change Password and log in button; User is logged in successfully.

Expected Results:

17) User that requested a Password reset code does not log in within 1 hour; user receives an error.

Expected Results:

18) Admissions clerk creates a new account for a practitioner, Practitioner user receives email, can input temp PW, create a new PW, and can log in.

Expected Results:

*Note: Need to be sure that the resend automation in Zendesk works for folks that had a temp PW sent to them prior to this release that has expired.

19) Admissions clerk creates a new account for a Petitioner; Petitioner user receives email, can input temp PW, create a new PW, and can log in

Expected Results:

*Note: Need to be sure that the resend automation in Zendesk works for folks that had a temp PW sent to them prior to this release that has expired.

20) Practitioner (IRS/Private) associated with cases changes their email; user can log in with new email; Cases associated with the user have the updated contact information for the Practitioner.

Expected Results:

Repeat this test and do the following:

21) Petitioner associated with cases changes their email; user can log in with new email; Cases associated with the user have the updated contact information for the petitioner and Notice of Change documents are docketed appropriately.

Expected Results:

Repeat this test and do the following:

22) User clicks on the verify email link in the account creation email after it has already been verified; User receives the "unable to verify e-mail address" alert.

Expected Results:

23) User clicks on the verify your new email link in the "Verify your new email" email after it has already been verified; User receives the "unable to complete request" alert.

Expected Results:

24) Petitioner user creates a new account; Does not verify email within 24 hours; User receives alert.

Expected Results:

25) Admissions clerk sets up an account for a Petitioner; Petitioner does not log in with their temporary password within 7 days; User receives alert

Expected Results:

Repeat some tests with different users:

26) Petitioner updates their email address to a new email; Does not verify email within 24 hours;

Expected Results: I think this is what would happen? Need to test this

Repeat this test with different users:

27) User attempts to input an invalid email/password combination multiple times, User receives the "Too many unsuccessful log ins" error and account is locked for a bit of time before the user can retry. (Max of 15 min)

Expected Results:

28) Regression test that Internal Users can log in.

29) Regression test using a screen reader tool to ensure screen reader/tabbing order is correct.

30) Test Zendesk Automations - Mike to set up Zendesk sandbox to point to DEV to test that these automations still work.

31) Test to ensure that the above test cases work on Other browsers besides Edge.

Things to be aware of - Users that were in a pending status prior to the release of this code will not be able to use their verification link.

swongCO commented 9 months ago

Added mockups from 10011 re email verification banners on the sign in page.

swongCO commented 9 months ago

Pre refinement

rachelschneiderman commented 7 months ago

@ttlenard As a part of this story we have changed just slightly how maintenance mode works. When you have time, let's get together so we can show you what has changed and see if any documentation or screenshots need to be updated.

ttlenard commented 7 months ago

There are a few more things to consider with this story. Not sure if this handing the things below should be a separate story or included. @cholly75 @rachelschneiderman @zRogersFlexion @pixiwyn @TomElliottFlexion

1 - Practitioner changes employers. Admissions clerk goes into practitioner profile in DAWSON, ensures that they are not associated with any open cases, then changes the employer. This works fine, but we had an instance where the practitioner was logged in on their DAWSON account when the employer change occurred, and they subsequently filed an EA on a case. This filed the EA incorrectly (said Resp. instead of private). The practitioner then logged out/back in, and re-attempted. This resulted in the correct filing (EA for petitioner) but the privatePractitioner record on the case wasn't created, and the practitioner was not associated with the case (they were not listed as counsel for petitioner). Furthermore, the Practitioner didn't have access to the case documents on the case. Need to be able to gracefully handle this scenario.

2 - Another scenario to think about is when an Admissions clerk creates an account for someone (can be admitting a practitioner or adding in an eAccess email to a Petitioner). When they do this, DAWSON currently generates a temporary password for the user that is valid for 7 days. We have multiple instances per week where the user doesn't log in with the temp pw within the 7 days, and they have to email dawson support and request a new temp pw. Mike has created a Zendesk automation that will resend the user an email with a new temp PW. The Court would like to be able to let the user get a new temp PW themselves, rather than having them submit an email to dawson support. Can this be considered with this ticket?

cholly75 commented 7 months ago

I think we need separate stories on both of these.

swongCO commented 6 months ago

UX feedback on exp2

The title font should be Source Sans Pro:

Screenshot 2024-02-02 at 12.14.49 PM.png

In mobile and smaller screens, I'm getting the menu in the right corner. That should not be there:

Screenshot 2024-02-02 at 12.22.18 PM.png Screenshot 2024-02-02 at 12.25.00 PM.png

For the alert banners, is there a way to decrease the padding on the right side so that text will flow into that area? In the screenshot above, "DAWSON" should ideally be on the same line as the first and not wrap. In the mobile screenshot, there's enough space to accommodate some of the text that's wrapping.

zachrog commented 6 months ago

@ttlenard @cholly75 FYI we have addressed scenario #2 that Tenille mentioned a few comments above (practitioner does not verify their account within 7 day time limit) as a part of this story. We have NOT addressed scenario #1 as a part of this story.

ttlenard commented 6 months ago

Thanks @zRogersFlexion. Looking forward to seeing a demo of this!

ttlenard commented 6 months ago

Testing Feedback:

Getting a 400 error in the following scenario:

  1. Petitioner creates a new account, but does not verify their email address
  2. As an Admissions Clerk, navigate to a case with a paper service Petitioner and click on case info/parties tab
  3. Click edit for the paper service petitioner
  4. Add in the email that you created in step 1 (the one in pending status - has not been verified)
  5. Click save
  6. You will get the "matching email found" pop-up
  7. Click ok
  8. Receive a 400 error
swongCO commented 5 months ago

UX feedback (on Dev)

Screenshot 2024-02-27 at 9.59.33 AM.png Screenshot 2024-02-27 at 9.59.55 AM.png Screenshot 2024-02-27 at 9.43.21 AM.png
ttlenard commented 5 months ago

Some testing Feedback:

@rachelschneiderman @zRogersFlexion @pixiwyn @TomElliottFlexion

  1. Looks like the DAWSON icon is now pointing to the login page instead of the DAWSON home page. Please update.

    image.png

  2. Looks like the validation has changed for the PW. I'm now getting validation errors when I have a space in the middle of my PW. It does not do this on TEST.

    image.png
image.png
  1. Some comments regarding the emails. See comments in screen grabs:
image.png image.png image.png
  1. For all of the alerts, it appears that the header font is smaller than the message? It is hard for me to tell. Should the header text be bigger in size? See examples in the screen grabs below:
image.png image.png
ttlenard commented 5 months ago

Some additional comments re: the logs:

I noticed that the user email is still appearing in the user.email column if you take the following steps.

  1. Have the logs open for Dev. I was filtering by the dev environment.stage, and /auth/login for the request.url.
  2. Log in successfully as a user
  3. Log out
  4. On the log in page, enter a bogus email address (or the wrong email/PW combo)
  5. Receive the error on the UI (good)
  6. Next, review the logs
  7. Notice how the "good" email is showing in the user.email column for the entry that shows the "bad" email in the request.body.
  8. Now, click refresh on the login page
  9. Type in some bogus email
  10. Receive the error on the UI (good)
  11. Review the logs again
  12. Notice that the "good" email is no longer showing in the user.email column.
  13. I think somehow the good email was getting saved in state????
image.png
swongCO commented 5 months ago

UX is fine with all of the above changes. For the alert banner, in Dawson Test, the header is 17px and the body is 16px. Please match the font sizes for this story. Thank you!

ttlenard commented 5 months ago

@pixiwyn @rachelschneiderman @zRogersFlexion @TomElliottFlexion

I've created a quick video of a small issue I found.

Private Zenhub Video

ttlenard commented 5 months ago

@rachelschneiderman @zRogersFlexion @pixiwyn @TomElliottFlexion

More testing feedback:

  1. User has a DAWSON account and then they go into my account and update their own email
  2. They receive the email in their inbox and they verify it. They can log into DAWSON just fine with their new email.
  3. Then, at some point they go back into their email and click on the verify email button again.
  4. They get this error:
image.png
  1. We might want to enhance the messaging on this error? In this scenario, the email address is already verified which is why the link isn't working, but the error message doesn't really say that. Not sure if we want it to be that specific? Are there other scenarios where a user would receive this error message? If so, we could at least add in the "dawson.support@ustaxcourt.gov" instead of the generic DAWSON support. What are your thoughts on this error?
  2. Note that we are not getting any returns in the logs for when this validation message displays for the user. Can we get something for when this happens in the logs? Thanks!
swongCO commented 5 months ago

Update alert in Tenille's comment above:

Unable to complete your request Your request cannot be completed. Please try to log in. If you’re still having trouble, email dawson.support@ustaxcourt.gov.

ttlenard commented 5 months ago

Based off of our conversation at Standup this morning, I've added in number 6 in the above comment to mention logs.

ttlenard commented 5 months ago

@cholly75 For your consideration on either this story or a follow up story. This issue that is existing in production today and is still present in Dev causes so much confusion to the public users.

This has to do with the verify email link that a user receives when they change their email. If the user isn't logged in on another tab with their previous email, the user get's a 401 error. When helpdesk staff respond to tickets, and in our training materials, we have to bold/capitalize all over the place that the user must remain logged in on their other tab. Sure would be nice to not have to explain this constantly.

Steps to reproduce:

  1. Log in as a Petitioner
  2. Click on My account
  3. Update the email to a different email address
  4. You will see that the new email is pending.
  5. Log out of DAWSON
  6. Navigate to your email, and click on the verify email button in the email that you received
  7. The user will get the Unable to complete your request error: image.png

Note: If the user stays logged in to DAWSON with their old email, or if they just close the tab, then the verification button works fine and their new email is verified.

@ttlenard - this is coming as #10314

ttlenard commented 5 months ago

Some more testing feedback: @rachelschneiderman @pixiwyn

cc: @cholly75

Issue 1

  1. User with an account clicks the forgot password button.
  2. Input the valid email address that you have access to
  3. You should receive the email with the password reset code
  4. On the DAWSON screen, input an incorrect password reset code
  5. You should get the Invalid Verification code error.
  6. Click on the link to request a new code.
  7. Notice that nothing happens when clicking on this link. image.png

Issue 2

  1. The formatting for the "Welcome to DAWSON" header and the USTC icon in the upper left side of the screen is off when viewing the Account creating and Log in screens. Note that this is not currently formatted this way on any of the other environments. Seems to only be occurring on DEV.

Dev Environment: Create Petitioner Account page

image.png

Log in page:

image.png

IRS Environment:

image.png

Issue 3

This isn't necessarily and issue, but some more formatting questions/thoughts for the "An account has been created for you with the U.S. Tax Court" email. This is what is sent when an admissions clerk sets up an account for someone. Comments/Questions are in the screen capture

image.png
katiecissell commented 5 months ago

Updated account created email mock:image.png

ttlenard commented 5 months ago

@rachelschneiderman @zRogersFlexion @pixiwyn

Looks like if a user has an account created for them by an admissions clerk, but they do not log in within 7 days, they are getting an incorrect error message.

image.png

Currently in Cognito, the user will get this error message that tells them that their temp PW expired:

image.png

At a minimum, we need to update the error message, ideally it would be great if the user could get a new temp PW resent to them to start the 7 day cycle again.

swongCO commented 5 months ago

New alert text for expired temp password

Header: Temporary password has expired

Body: The temporary password you entered has expired. We sent an email with a new temporary password that expires in 7 days. If you don’t see it, check your spam folder. If you’re still having trouble, email dawson.support@ustaxcourt.gov.

rachelschneiderman commented 5 months ago

@cholly75 @ttlenard

If an external user (petitioner/practitioner) changes their login and service email, they will receive an email that they need to click a link to verify the change. The email states the verification link will expire in 24 hours, right now that is NOT true, the link will never expire.

At some point we need a story to address the expiration of that link.

cholly75 commented 5 months ago

@rachelschneiderman - documented verification link behavior as #10313