flexion / ef-cms

An Electronic Filing / Case Management System.

BUG: Change Email Verification Link Does Not Expire #10313

Open cholly75 opened 7 months ago

cholly75 commented 7 months ago

Describe the Bug: When testing #10007 we discovered that the verification link sent in the email in response to the user completing the change email workflow does not actually have an expiration date/time. The email language was changed to indicate that the link expires in ~~an hour~~ 24 hours; however, it does not actually do so.

Business Impact/Reason for Severity: Low

In which environment did you see this bug? DEV

Who were you logged in as? Petitioner

What were you doing when you discovered this bug? (Using the application, demoing, smoke tests, testing other functionality, etc.) Testing #10007

To Reproduce: Steps to reproduce the behavior:

  1. Log in as a DAWSON petitioner
  2. Complete the "Change Email" workflow to change the user email/username
  3. Receive the email w/ the verification link
  4. Wait longer than ~~1 hour~~ 24 hours
  5. Click the link

Expected Behavior: Message received in UI about the link having expired

Actual Behavior: Verification link works just fine and the update to the user completes successfully.


Definition of Ready for Bugs (Created 10-4-21)

Definition used: A failure or flaw in the system which produces an incorrect or undesired result that deviates from the expected result or behavior. (Note: Expected results are use cases that have been documented in past user stories as acceptance criteria and test cases, and do not include strange behavior unrelated to use cases.)

The following criteria must be met in order for the development team to begin work on the bug.

The bug must:

Process: If the unexpected results are new use cases that have been identified, but not yet built, new acceptance criteria and test cases should be captured in a new user story and prioritized by the product owner.

If the Court is not able to reproduce the bug, add the “Unable to reproduce” tag. This will provide visibility into the type of support that may be needed by the Court. In the event that the Court cannot reproduce the bug, the Court will work with Flexion to communicate what type of troubleshooting help may be needed.


ttlenard commented 1 week ago

@Mwindo So sorry! It looks like we failed to update this ticket to be consistent with changes we ended up doing when we implemented login. In the different workflows, we used to have different expirations (1 hour, 24 hours, 7 days, etc.) and we decided to make them all 24 hours. We failed to make this bug consistent with the changes.

Can we please make this a 24 hour expiration instead of a 1 hour? Thank you!

Mwindo commented 1 week ago

@ttlenard No worries at all--I've updated the code and re-deployed to test!

ttlenard commented 1 week ago

@swongCO @mwestereng1 @katiecissell

Now that the link expires, I think we might want to update our error message so that it is clear to the user what is going on. Can you please help in coming up with the appropriate messaging for a user?

Here is the current error message they get when they click on the verification link and it is expired:

(screenshot: the current error message shown when an expired verification link is clicked)

We may also want to consider updating the text in the email they receive as well as that yellow banner that displays when a user does have a pending email that is awaiting verification.

Thanks for the help with this!

mwestereng1 commented 1 week ago

UX Notes:

Link to the Figma File with verification messaging updates:

Email updates: (image of the proposed email text)

Mwindo commented 4 days ago

> After the sentence "After 24 hours, this link will expire." add "If the link is expired, click it to receive a new verification email."

@mwestereng1 I think you mentioned this, and I apologize for not catching on quicker! Now that I've thought about implementation details more, I think there is a modest security issue: there is no point in having an email link expire if clicking the link will just generate a new, fresh link automatically. It's the same as a link that never expires, just with an extra step in between.

The more secure approach, which I should have called out earlier on in the discussions about this ticket, is to force the user to re-trigger the email from within the app. One way to do this is via the notification banner. Since that will be dismissible, however, we would probably also want a "permanent" way to re-trigger the email, maybe via the My Account > Change Email route, where we already display a pending email address. Maybe we can have a button there that sends a new link, and in the instructions in the email say something like, "If the link is expired, please go to My Account -> Change Email in DAWSON and click the re-send email button."
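The design Mwindo describes above (a link that really expires after 24 hours, an expired click that only reports the expiry, and a re-send that is available only from an authenticated session inside the app) can be sketched as follows. This is an added example written for this page, not code from ef-cms or from any commenter; the `EmailChangeService` class, its method names and the in-memory maps standing in for the user table are assumptions made for illustration. The point it makes concrete is the one raised in the comment: if the link itself could mint a replacement, the expiry would be meaningless, so `verifyLink` never issues a new token, and `resendVerification` keys off the logged-in user rather than off anything in the link.

```typescript
// Added example (not ef-cms code): an email-change verification token with a real
// 24 hour expiry, checked at click time, and a re-send path that requires a session.
import { createHash, randomBytes } from "node:crypto";

export const VERIFICATION_TTL_MS = 24 * 60 * 60 * 1000; // the 24 hours agreed in the thread

export type VerifyResult = "verified" | "expired" | "invalid";

interface PendingChange {
  pendingEmail: string;
  tokenHash: string; // only a SHA-256 of the token is stored; the raw token goes in the email
  expiresAt: number; // epoch milliseconds
}

function sha256(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

export class EmailChangeService {
  // Constructed stand-ins for the user table and the pending-change table.
  private readonly users = new Map<string, string>(); // userId -> current email
  private readonly pending = new Map<string, PendingChange>(); // userId -> pending change

  constructor(seedUsers: Record<string, string>) {
    for (const [id, email] of Object.entries(seedUsers)) this.users.set(id, email);
  }

  currentEmail(userId: string): string | undefined {
    return this.users.get(userId);
  }

  pendingEmail(userId: string): string | undefined {
    return this.pending.get(userId)?.pendingEmail;
  }

  /** Repro step 2: a logged-in user submits the Change Email form. */
  requestEmailChange(sessionUserId: string, newEmail: string, now = Date.now()) {
    if (!this.users.has(sessionUserId)) throw new Error("unknown user");
    return this.issueToken(sessionUserId, newEmail, now);
  }

  /**
   * Repro step 5: the emailed link is clicked. An expired token is reported as
   * expired and nothing else happens; in particular no replacement link is minted
   * here, because that would make the expiry equivalent to no expiry at all.
   * The pending record is kept so the in-app re-send button still has something
   * to re-send.
   */
  verifyLink(token: string, now = Date.now()): VerifyResult {
    const hash = sha256(token);
    for (const [userId, change] of this.pending) {
      if (change.tokenHash !== hash) continue;
      if (now > change.expiresAt) return "expired";
      this.pending.delete(userId); // single use: a verified token cannot be replayed
      this.users.set(userId, change.pendingEmail);
      return "verified";
    }
    return "invalid";
  }

  /**
   * Re-send from inside the app (My Account > Change Email). A fresh link is only
   * obtainable by whoever holds an authenticated session for the account, and the
   * previous token stops working as soon as a new one is issued.
   */
  resendVerification(sessionUserId: string, now = Date.now()) {
    const change = this.pending.get(sessionUserId);
    if (!change) return null; // nothing pending for this user
    return this.issueToken(sessionUserId, change.pendingEmail, now);
  }

  private issueToken(userId: string, newEmail: string, now: number) {
    const token = randomBytes(32).toString("base64url"); // 256 bits of entropy
    const expiresAt = now + VERIFICATION_TTL_MS;
    this.pending.set(userId, { pendingEmail: newEmail, tokenHash: sha256(token), expiresAt });
    return { token, expiresAt }; // the token is what would be embedded in the emailed link
  }
}
```

Two details worth keeping when porting this to a real store: look the token up by its hash rather than storing the raw value, so a database read does not hand an attacker a usable link, and have every re-send replace the previous token rather than add to it, so the number of live links per account stays at one.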