BUG: Candidate change own email broken

[tomlovesgithub]

Describe the bug Candidates who use the profile functionality to update their email address will be stuck in a 'boot loop' when clicking into the profile area due to their candidate document not being updated but their auth email being updated by the background function.

To Reproduce Steps to reproduce the behavior:

1. Go to 'profile'
2. update your email address (automatically logs you out)
3. log in again
4. go to profile
5. 'log out' modal pops up and prompts you to logout -> returns you to step 3

Expected behavior update does not cause bootloop Need to check if candidate's email already exists.

Additional context It has been highlighted that the background function exposed here is also used by the admin frontend, and that there is no auth to ensure that the user requesting the change is the same user who owns the candidate account.

Suggested fix (and improvement)

The following outline provides the key tasks in both fixing this bug and improving our solution to be simpler and more secure

Apply

• [ ] Remove call to cloud function updateEmailAddress

In the following places include a hint so the user knows they are changing their login email:

• [ ] On candidate profile form
• [ ] On application personal details form

Whenever the email address is changed

• [ ] Update the candidate document
• [ ] If email differs from auth email address then call auth service to update email address
• [ ] If the change occurs on Application > Personal details form then also update the application document

Admin

• [ ] In Candidate view remove login email tab
• [ ] Change email address in candidate document

Digital-Platform

• [ ] Remove callable function updateEmailAddress
• [ ] Amend the onCandidatePersonalDetailsUpdate background function to also check for email address changes:
  • If email has changed then
  • Get auth email
  • If auth email is different then
  • Update auth email

[nickaddy]

Hey team! Please add your planning poker estimate with Zenhub @drieJAC @HalcyonJAC @tomlovesgithub @warrensearle

[warrensearle]

@tomlovesgithub and @warrensearle to refine ticket content

[warrensearle]

@tomlovesgithub and I have reviewed this ticket and progressed it to ready to play

[warrensearle]

@nickaddy, @tomlovesgithub and @warrensearle the improvements suggested in this ticket are still relevant:

• ensure candidate only has one email address for login and contact
• make it clear to the user that they are changing their login & contact email
• improve security by removing cloud function updateEmailAddress

However the ticket needs further re-writing as the original bug described is no longer a problem.