Save your answers suggesting you need to make an account

[BryceStevenWilley]

The Navigation and Saving Your Form page says:

If you can’t finish today, you can save your answers by creating a username and password. This lets you log back into the site later and finish, or go back and change any of your answers.

While this works, users don't have to create an account; their answers will be saved, even if they close out the tab. They'd have to have the correct link to get back to the same interview, but if you visit something like https://da-dev.mplp.org/run/Simpmotion/simpmotion and haven't cleared your browser's cookies or gone past the 60 days that DA will auto-delete interviews, you can continue as normal.

It's definitely a bit complicated to explain all that though. I'd consider maybe saying "Create a username and password, or bookmark this page to continue where you left off".

(Realized the best way to review existing code was just to make individual issues about stuff I wasn't sure how to change, and I'll make a PR with changes that I'm more confident about).

[scoellis]

Hey Bryce, do you know if anyone is successfully using Google, Facebook, Apple, Microsoft, or any of the common Oauth providers to allow users to create accounts and save their answers? I looked into creating an Oauth app in our Google Workspace domain, but we decided to wait and talk to others about it before going down that path.

---

Scott Ellis (he/him) IT Systems Administrator Michigan Poverty Law Program (734) 714-3234 @.***

This electronic communication may be subject to the attorney-client privilege and may contain confidential information. If you are not the intended recipient, any distribution, copying or disclosure is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this copy from your system. Thank you for your cooperation.

On Wed, Oct 4, 2023 at 12:38 PM Bryce Willey @.***> wrote:

The Navigation and Saving Your Form page says:

If you can’t finish today, you can save your answers by creating a username and password. This lets you log back into the site later and finish, or go back and change any of your answers.

While this works, users don't have to create an account; their answers will be saved, even if they close out the tab. They'd have to have the correct link to get back to the same interview, but if you visit something like https://da-dev.mplp.org/run/Simpmotion/simpmotion and haven't cleared your browser's cookies or gone past the 60 days that DA will auto-delete interviews, you can continue as normal.

It's definitely a bit complicated to explain all that though. I'd consider maybe saying "Creat a username and password, or bookmark this page to continue where you left off".

(Realized the best way to review existing code was just to make individual issues about stuff I wasn't sure how to change, and I'll make a PR with changes that I'm more confident about).

— Reply to this email directly, view it on GitHub https://github.com/mplp/docassemble-Simpmotion/issues/17, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGAC4KB37LUJOTYUE3GE7DX5WGGZAVCNFSM6AAAAAA5S5K2BKVHI2DSMVQWIX3LMV43ASLTON2WKOZRHEZDMNRQGE4DEMQ . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[BryceStevenWilley]

I don't know of anyone I've worked with before using it, but it is in docassemble, and is something Jonathan is actively maintaining. It's something I'll likely be working on / implementing for Massachusetts next year (our e-filing process will need to be more tightly integrated to OAuth at that point). Totally understand if we don't want to be the first to try it out though.

https://docassemble.org/docs/config.html#oauth is the docassemble documentation (in case you haven't seen it yet). I think the most complicated part would be generating the OAuth secret in Google, if you wanted to do that, we could integrate it in the dev server, and it'd be pretty clear if it works well or not.

[scoellis]

I think I can generate the Oauth secret in Google. I'll work on that and put in Bitwarden and let you all know when I add it.

---

Scott Ellis (he/him) IT Systems Administrator Michigan Poverty Law Program (734) 714-3234 @.***

This electronic communication may be subject to the attorney-client privilege and may contain confidential information. If you are not the intended recipient, any distribution, copying or disclosure is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this copy from your system. Thank you for your cooperation.

On Wed, Oct 4, 2023 at 1:04 PM Bryce Willey @.***> wrote:

I don't know of anyone I've worked with before using it, but it is in docassemble, and is something Jonathan is actively maintaining. It's something I'll likely be working on / implementing for Massachusetts next year (our e-filing process will need to be more tightly integrated to OAuth at that point). Totally understand if we don't want to be the first to try it out though.

https://docassemble.org/docs/config.html#oauth is the docassemble documentation (in case you haven't seen it yet). I think the most complicated part would be generating the OAuth secret in Google, if you wanted to do that, we could integrate it in the dev server, and it'd be pretty clear if it works well or not.

— Reply to this email directly, view it on GitHub https://github.com/mplp/docassemble-Simpmotion/issues/17#issuecomment-1747307682, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGAC4N6HPDKH3MYE3EOPQDX5WJLLAVCNFSM6AAAAAA5S5K2BKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBXGMYDONRYGI . You are receiving this because you commented.Message ID: @.***>

[scoellis]

Okay, I created an Oauth secret and added it to the Bitwarden docassemble development server item.

I'm not sure how well it will work but I'd like to give it a try. As of right now I only have it set up to use with one test account (my personal account).

I don't mind adding the information to the Config YML file, unless we want one person to be making changes to that file since it does restart the server.

Thanks, Scott

---

Scott Ellis (he/him) IT Systems Administrator Michigan Poverty Law Program (734) 714-3234 @.***

This electronic communication may be subject to the attorney-client privilege and may contain confidential information. If you are not the intended recipient, any distribution, copying or disclosure is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this copy from your system. Thank you for your cooperation.

On Thu, Oct 5, 2023 at 10:25 AM Scott Ellis @.***> wrote:

I think I can generate the Oauth secret in Google. I'll work on that and put in Bitwarden and let you all know when I add it.

---

Scott Ellis (he/him) IT Systems Administrator Michigan Poverty Law Program (734) 714-3234 @.***

This electronic communication may be subject to the attorney-client privilege and may contain confidential information. If you are not the intended recipient, any distribution, copying or disclosure is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this copy from your system. Thank you for your cooperation.

On Wed, Oct 4, 2023 at 1:04 PM Bryce Willey @.***> wrote:

I don't know of anyone I've worked with before using it, but it is in docassemble, and is something Jonathan is actively maintaining. It's something I'll likely be working on / implementing for Massachusetts next year (our e-filing process will need to be more tightly integrated to OAuth at that point). Totally understand if we don't want to be the first to try it out though.

https://docassemble.org/docs/config.html#oauth is the docassemble documentation (in case you haven't seen it yet). I think the most complicated part would be generating the OAuth secret in Google, if you wanted to do that, we could integrate it in the dev server, and it'd be pretty clear if it works well or not.

— Reply to this email directly, view it on GitHub https://github.com/mplp/docassemble-Simpmotion/issues/17#issuecomment-1747307682, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGAC4N6HPDKH3MYE3EOPQDX5WJLLAVCNFSM6AAAAAA5S5K2BKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONBXGMYDONRYGI . You are receiving this because you commented.Message ID: @.***>

[ekressmiller]

I don't have strong feelings about only one person changing the config file, but I'm also happy to do it if you want.

[scoellis]

Okay, I'll go ahead and try it out one evening and see if it works. If it doesn't work I'll just revert the Config file. Thanks.

---

Scott Ellis (he/him) IT Systems Administrator Michigan Poverty Law Program (734) 714-3234 @.***

This electronic communication may be subject to the attorney-client privilege and may contain confidential information. If you are not the intended recipient, any distribution, copying or disclosure is strictly prohibited. If you have received this communication in error, please notify the sender immediately and delete this copy from your system. Thank you for your cooperation.

On Mon, Oct 9, 2023 at 3:17 PM ekressmiller @.***> wrote:

I don't have strong feelings about only one person changing the config file, but I'm also happy to do it if you want.

— Reply to this email directly, view it on GitHub https://github.com/mplp/docassemble-Simpmotion/issues/17#issuecomment-1753551074, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAGAC4MADYW7ISHSTRJUS3LX6REWPAVCNFSM6AAAAAA5S5K2BKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTONJTGU2TCMBXGQ . You are receiving this because you commented.Message ID: @.***>

[ekressmiller]

Returning to @BryceStevenWilley's original point in this thread, my instinct is that we should err on the side of telling people to make an account. If they're in a public library or if someone else uses their computer and clears the cache or something, the session would be lost, right? I wouldn't want people to depend on it still being there.

But in our instructions article and when dealing with users on livehelp, if someone is trying to get back to saved answers, we could tell them that just returning to the interview might get them back in.

Does that make sense to others?

[BryceStevenWilley]

You're right that making an account does make things easier for users, but it is a fairly large ask that will turn a lot of people away. Looking back at the original wording, I think that my issue is with the implication that their answers will be lost if they can't finish it within a certain time period.

If you can’t finish today, you can save your answers by creating a username and password.

IMO something like this would be better, and still suggest people make an account while being a bit more precise about when they might need to.

If you need to close this window before you finish, you can save your answers by creating a username and password.

(depending on browser settings, they can sometimes clear all cookies when the browser is closed, so our suggestions should probably be meant for the strictest settings)

---

if someone is trying to get back to saved answers, we could tell them that just returning to the interview might get them back in.

That is right, links like https://apps-dev.suffolklitlab.org/run/ThePackageName/the_yaml_name (that have "run" in them) will get you back to the interview's most current session with the current user (either from the logged in user or from the cache). Links with "start" instead of "run" will start the interview over from the beginning, and I think if the user isn't logged in, they won't be able to access that older session (another point towards encouraging people to login).

[ekressmiller]

Yeah, I like your language edit to the first part @BryceStevenWilley. @normon66 tagging you too in case you have thoughts.

To increase the chances that people can get back into an interview they started if they didn't create an account, I guess we would want all the links from Michigan Legal Help to be /run/ links instead of /start/ links. That way if the same user is coming back, they should return to the same point in their interview, but if it's a new user, it will default to the start page.

There's a chance for confusion for some people with shared computers or if they opened the interview in the past, maybe fiddled around with it, but are now expecting to start it over for real. Also could be an increased safety risk for PPO-type cases. (If abuser opens /run/ version of interview and sees survivor's answers there.) Maybe we'd want to consider using /start/ links or adding some specific warnings for those.

This is probably something to run by at least Ang and maybe more team members too.

[BryceStevenWilley]

There's a chance for confusion for some people with shared computers or if they opened the interview in the past, maybe fiddled around with it, but are now expecting to start it over for real. Also could be an increased safety risk for PPO-type cases. (If abuser opens /run/ version of interview and sees survivor's answers there.) Maybe we'd want to consider using /start/ links or adding some specific warnings for those.

Good points. For safety risk, there would be other ways to access the answers, like going through someone's browser history, as the links there are /run/ links. I feel like the chance that an abuser navigates to the MLH homepage / launch page but not directly to the interview itself (or that a survivor would delete their history of the interview but not the landing page) seems very low, but I'm not 100% sure.

I definitely agree that it should be a discussion with more people; unfortunately a lot of the changes necessary for safety do result in a worse user-experience, so we do need to decide which to prioritize.

[normon66]

Thanks for looping me in! I had not thought about this yet, specifically in regards to how docassemble saves progress, regardless.

If we want users to be able to start from where they left off, I think it's necessary that they should only do so with saved answers in their own account. They can still use it as a guest (as with LHI), but should have an account to save anything.

Whether a protection order, a fee waiver, or just a simple letter, we shouldn't have users' information out and available for the next person who happens to use the same interview with the /run/ in it. Similarly, since multiple users might use the same library computer or self-help kiosk to create forms, I think we should always go with the /start/ option. If user A gets part way through an interview and user B picks up the same interview later, even if they don't see any of user A's personal information, they still might miss other important information that was in previous screens.

As with many of our discussions, I'm certain we're not the first group to discuss this! Along with looping in Ang/MLH members, this might be useful to put into Teams next week or bring up on Monday.

[ekressmiller]

Agree this could be a good one to discuss on the Monday calls. It slipped my mind yesterday, but maybe next week!