Epic/CreateUser

[kimlisa]

Chrome wants to create a user.

1. The user fills up the registration form in the website
2. Chrome will check for user input validity
3. Chrome gathers this info into a userObject

- firstName: string
- lastName: string
- email: string
- password: hashed string
- organization: string

4. Chrome calls app-gateway-svc CreateUser(userObject) CreateUser(UserResponse)
5. app-gateway-svc will call user-svc GetStatus()
6. Two results from user-svc:

   - Service is unavailable: return error with this message
   - Service is available: proceed with the following

7. app-gateway-svc will call user-svc CreateUser(userObject)
8. user-svc will take this userObject and check if email already exists in mongoDB (unique email)
9. Two results:

   - Email is taken: return error with this message
   - Email not taken: proceed with the following

10. user-svc will create a unique user ID using ulid
11. user-svc will hash the hashed password using bcrypt
12. user-svc will create and insert new document with userObject information in user collection
13. user-svc sends back OK
14. app-gateway-svc receives any of the following message from user-svc and sends it back to Chrome:

    1: Service is down
    2: Email is taken
    3: OK

15. Chrome can take any of the following action:

16. If service is down: Chrome displays error message to user that service is unavailable atm and try again later
17. If email is taken: Chrome displays error message to user to use a different email
18. If OK: Chrome will redirect user to logged in search page

[faraonc]

Follow-up enhancement for app-gateway-svc https://github.com/hwsc-org/hwsc-app-gateway-svc/issues/14

[faraonc]

https://github.com/hwsc-org/hwsc-user-svc/issues/19

[faraonc]

High Level

1. I am thinking about starting from Chrome clicking the Registration link
2. Chrome dials using maybe a dummy email and password
3. app-gateway maybe does not need to go to user-svc to get a dummy token with registration permission with a hardcoded secret for registration, or maybe go to user-svc to to get a dummy token with secret that can change?
4. User fills out form
5. Chrome sends out the form to app-gateway-svc using CreateUser
6. app-gateway-svc forwards to user-svc
7. Update DB
8. Send Email
9. Chrome disconnects GRPC from app-gateway-svc
10. Chrome redirects to succesful or failed registration

[faraonc]

We can also use a dummy token instead of dummy email and password.

What are the trade-offs?

Do we have other ways to do this?

[kimlisa]

High Level

New User

• Chrome clicks registration link
• User fills out form and clicks submit
• Chrome sends user information and dials to app-gateway
• gateway sends request to user-svc to CreateUser
• user-svc CreateUser does the following
  • validates and inserts user information into database (is_verified for new users defaults to false)
  • if validation fails, send back error message to gateway, gateway in turn passes the error to chrome, chrome will display error message to user
  • generates an email token and inserts into email_token database tied to the user
  • (TODO) generate a verification link by creating a string url concatenated with the email token to be sent with email
  • sends an email to the user with verification link
• user-svc finishes and returns OK and user object to gateway (i don't think it is necessary to send user object back anymore)
• gateway returns OK and user object to chrome
• chrome will redirect to a page that says something like, Please verify your email: we sent a verification link to the email you provided us (the user object sent back from CreateUser is kind of useless here?)

Email Verification Process: should also work as updating email?

• User clicks on verification link from their inbox
• Chrome directs User to verification page
• verification page does the following:
  • extracts the token from the url
  • do some kind of validation on the token to ensure it is a valid token (test for length, types of chars, and ?)
  • sends the extracted token and dial to gateway
• gateway calls and sends token to VerifyEmailToken from user-svc
• VerifyEmailToken does the following:
  • looks up token from email_tokens table
  • if no matching token is present, send back error to gateway, gateway sends back to chrome what to the frontend?
  • checks expiration date on the matched token
  • if matched token is expired:
    • delete the expired token from email_tokens table
    • generate a new email token and insert into email_tokens
    • generate a verification link to be included in email
    • send an email with this verification link to user
    • send back expired token error to gateway, gateway sends this error to chrome, and chrome will display message something like: The link you clicked on has expired. Please check your email for the new verification link we sent
  • if token has not expired, send back OK to gateway
  • gateway sends OK to chrome
  • Chrome will log user out if logged in (for users who are updating their email)
  • Chrome displays a message something like "Email has been verified. Please log in"

NEW Users who log in without verifying their email

• User enters email and password to log in
• Chrome sends user information and dials to gateway
• gateway calls AuthenticateUser
• AuthenticateUser does the following:
  • Looks up user email and password from accounts table
  • if no matching row, send back error to gateway, gateway sends error to Chrome, Chrome displays error message to User
  • (TODO) check is is_verified column is set to TRUE
  • if is_verified is FALSE, send error and retrieved user object to gateway, gateway sends error to Chrome, Chrome redirects to a page that says "Please verify your email sent to user@email.com" (same page shown after registration)

[faraonc]

High Level

New User

• Chrome clicks registration link
• User fills out form
• User requires to pass CAPTCHA test
• User clicks submit
• Chrome dials to gateway using dummy email + password
• gateway calls user-svc's AuthenticateUser
• user-svc returns a token with a registration only permission to gateway-svc
• Chrome sends user information + register_token to app-gateway
• gateway sends request + register_token to user-svc to CreateUser
• user-svc CreateUser does the following
  • validates and inserts user information into database (is_verified for new users defaults to false)
  • if validation fails, send back error message to gateway, gateway in turn passes the error to chrome, chrome will display error message to user
  • generates an email token and inserts into email_token database tied to the user
  • (TODO) generate a verification link by creating a string url concatenated with the email token to be sent with email
  • sends an email to the user with verification link
• user-svc finishes and returns OK and user object to gateway (i don't think it is necessary to send user object back anymore)
• gateway returns OK and user object to chrome
• chrome will redirect to a page that says something like, Please verify your email: we sent a verification link to the email you provided us (the user object sent back from CreateUser is kind of useless here?)

Email Verification Process: should also work as updating email?

• User clicks on verification link from their inbox
• Chrome directs User to verification page
• verification page does the following:
  • extracts the token from the url
  • do some kind of validation on the token to ensure it is a valid token (test for length, types of chars, and ?)
  • sends the extracted token and dial to gateway by adding metadata in the context in the following format "authorization": "Email Token " + token
• gateway calls and sends token to VerifyEmailToken from user-svc
• VerifyEmailToken does the following:
  • looks up token from email_tokens table
  • if no matching token is present, send back error to gateway, gateway sends back to chrome what to the frontend?
  • checks expiration date on the matched token
  • if matched token is expired:
    • delete the expired token from email_tokens table
    • generate a new email token and insert into email_tokens
    • generate a verification link to be included in email
    • send an email with this verification link to user
    • send back expired token error to gateway, gateway sends this error to chrome, and chrome will display message something like: The link you clicked on has expired. Please check your email for the new verification link we sent
  • if token has not expired, send back OK to gateway
  • gateway sends OK to chrome
  • Chrome will log user out if logged in (for users who are updating their email)
  • Chrome displays a message something like "Email has been verified. Please log in"

NEW Users who log in without verifying their email

• User enters email and password to log in
• Chrome sends user information and dials to gateway
• gateway calls AuthenticateUser
• AuthenticateUser does the following:
  • Looks up user email and password from accounts table
  • if no matching row, send back error to gateway, gateway sends error to Chrome, Chrome displays error message to User
  • (TODO) check is is_verified column is set to TRUE
  • if is_verified is FALSE, send error and retrieved user object to gateway, gateway sends error to Chrome, Chrome redirects to a page that says "Please verify your email sent to user@email.com" (same page shown after registration)