EP-2362 - Okta

[dr-bizz]

Description

Replacing our login/logout functionality with Okta. This PR allows users to login and create an account with Okta.

Sign in

To sign, it's very much like other applications where the user gets redirected to Okta and brought back to the redirect URL.
We no longer maintain login/session data on our local storage or session storage. This is now stored via Okta.

Register

The user enters their email, first name and last name. On submit, we do a post request to create an account on Okta while keeping the user on the Give site.
Once that is complete, they go into the next phase of activating their email. Once activated it will automatically update the modal to send the user to the next step.

Jira

[wrandall22]

Doesn't seem to like import { afterEach } from 'node:test'

[wrandall22]

Tell me more about this new function

[dr-bizz]

On adding an item to the cart, we check to see if the user has a public role, is logged into Okta and has no items in their account. If so, we automatically force the user to logout.

This was happening before, but when it was logging out, it didn't require a refresh. Okta requires a refresh since we send the user to the Okta site to clear Okta's session data and then return to the Give site.

We handle this here src/common/services/api/cart.service.js - Lines 164 - 181

On the sessionService.oktaSignOut we pass a prop which tells session data to store a prop called forcedUserToLogout. We also ensure Okta returns the user to the same page.
src/common/services/session/session.service.js Lines 317 - 322

Onsrc/app/productConfig/productConfigForm/productConfigForm.component.js, we watch for the forcedUserToLogout session data and show the warning to the user if present.

[wrandall22]

Thanks!

[wrandall22]

the *cloud and nonprod environments are not in use anymore and can just be deleted, with the exception of devcloud.

[wrandall22]

Not sure if the latest has been merged to stage yet or not, but something is still sending me to the home page when hitting branded checkout. You can test by going to https://give-stage2.cru.org/branded-checkout.html

[wrandall22]

Here is a test branded checkout page that is not on give itself, we'll need to make sure the Okta logout works on pages like this as well.

[wrandall22]

Working through the files again to try and find anything we might have missed. Haven't gotten through it all, but want this feedback at least to get through.

[wrandall22]

We should probably check if it is ok to modify branded checkout like this. I'm guessing they will want to only do this for the sign up process, not during checkout and branded checkout which is what is being done here.

[wrandall22]

Got through a few more.

[wrandall22]

I wonder if we should handle timeouts (503 response) differently. It currently brings the donor back to the home page with no indication that something went wrong. Probably out of scope for this PR since it is handling it the same way as before.

[wrandall22]

Got through all the files, hopefully caught all the interesting things.

[dr-bizz]

I left a few comments and recommendations.

We should also add a index.page.ts which forwards /settings -> /settings/preferences/

[dr-bizz]

Logging the err to the this.errorMessage variable was in the original version of this file, so I've added it, but nowhere uses errorMessage so we can take it out unless you think we could use it in the future.

[wrandall22]

I'm not seeing this in the master branch. If it fails, it redirects to the home page. However, I do see $ctrl.errorMessage being used on the sign in form. Would that show this error message?

[dr-bizz]

Here again with the errorMessage I've added it in, but since we don't use errorMessage we can remove it.

[wrandall22]

I would think the signInForm would inherit this error message

[dr-bizz]

Suggested change

	if (includes([Roles.identified, Roles.registered], this.sessionService.getRole())) {
	if (this.sessionService.getRole() !== 'PUBLIC')) {

[wrandall22]

This is probably fine since we aren't planning to add more roles anytime soon I think.

[dr-bizz]

Test if we need this in If statement or if we should wrap the whole this.sessionService.checkCreateAccountStatus in the email If statement.

[dr-bizz]

We should do all these the same. angular.isUndefined or !this.donorDetails...

[wrandall22]

Is this not just a duplicate of the one above now (it('should call onHandleOktaRedirect onInit')?

[wrandall22]

Does this actually get called?

[wrandall22]

Remove semicolon

[wrandall22]

Suggested change

	it('should delete cookies and addItem to cart when not authenicated', () => {
	it('should delete cookies and addItem to cart when not authenticated', () => {

[wrandall22]

Here is a case where it would have been helpful to have a constant that we reference instead of hard-coding the language in multiple places.

[wrandall22]

I'm not seeing this in the master branch. If it fails, it redirects to the home page. However, I do see $ctrl.errorMessage being used on the sign in form. Would that show this error message?

[wrandall22]

I would think the signInForm would inherit this error message

[wrandall22]

This is probably fine since we aren't planning to add more roles anytime soon I think.

[wrandall22]

I noticed the last commit didn't make it to stage, maybe due to being out of sync

[wrandall22]

What are your thoughts about the register-account vs sign-up language differences throughout the code?

[wrandall22]

This should be dynamic language based on the logic in the controller.

[wrandall22]

These should also get translate properties in case they get translated at some point.