CoderDojo integration with Profile

[Jeddf]

Stages

0. Existing CoderDojo auth functionality
1. In production but only accessible by our developers Users directed to RPI Profile for all authentication flows, new linked RPI - CoderDojo accounts can be created with previously unknown email addresses but existing accounts are not affected.
2. In production but only accessible by our developers Users directed to RPI Profile for all authentication flows, existing CD accounts can be linked and taken over by an RPI account with a matching email address.
3. Full migration of recently active users, other users can still login using zen password and are then migrated on demand.
4. Remove Zen login and have all auth through rpi profile.

User goals

Stages 0 - 3

• As an existing user When I am not yet migrated to Profile I want to be able to use the CoderDojo login flow without issue.

Stages 2-4

• As a new user When I go 1o sign up I want to be directed through the new Profile system and have all flows work correctly.
• As an existing user When I am prompted to reset my password for the new Profile auth I want the communication to be clear and the process to be simple.

Tasks

Task Size: [T]iny / [S]mall / [M]edium / [L]arge / e[X]tra Large

Stage 0

• [T] Smoke tests for CoderDojo login flow #1291 Smoke tests for CoderDojo login flow
• [T] Save additional password hash in profile compatible format cp-users-service#307 On user sign up or login, also hash using Platform algo and save in new column

Stage 1 (Behind Flag) Tracked at CoderDojo/cp-zen-platform#1382

Alpha (New accounts only)

• Profile - Add hydra client for coder dojo
• Zen Platform API New oauth flow routes /rpi/login /rpi/cb /rpi/logout /rpi/register
• Zen Platform API Register new profile acct on /rpi/cb arrival of unknown rpi account
• Zen Platform API New login, register & logout actions -> User service
• Zen Platform FE Rough login/register/logout catch and redirect (if profileAuth local storage true)
• Zen FE Rough login/register/logout catch and redirect (if profileAuth local storage true)
• Zen Users New profileId on user model, get user by profileId action
• Zen Users Trusted path for login action, bypassing recaptcha etc.

Stage 2 (Behind Flag)

Beta (Existing account takeover)

• Zen Platform API Link existing account on /rpi/cb arrival of matching email rpi acc't
• Zen Platform Audit child account adding routes (u13 & o13) and adapt for rpi auth as needed.
• Docs Wiki record of 1. rpi account -> zen mappings/transformations (e.g full name -> name) & 2. Technical guide to where the oauth flow code is in Zen code and tips on debugging issues.
• Zen Platform Terms and Conditions accept screen post register. (RPI profile edit & update cp-zen-platform#1387)
• Zen Platform API Update zen user on rpi login/cb (email, name, country) (RPI profile edit & update cp-zen-platform#1387)
• Profile Register page w/ country & postcode for dojo
• Profile - Chase ongoing work to reduce min age from 16 to 13
• Profile - Add coder dojo branded login and register pages (recent similar work on register page for vouchers app https://github.com/RaspberryPiFoundation/profile/pull/1026/files )
• Zen Platform rpi oauth flow error handling and display to user
• Zen Platform FE Edit profile page w/ only Zen specific details, link to rpi to edit email, name, country (RPI profile edit & update cp-zen-platform#1387)
• Zen Platform Decide which Zen information to keep, e.g twitter, Bio, gender etc.
• Zen Platform FE Display age as under/over 13 (from acc't type) rather than exact age from DOB (No longer available / stored)
• Zen Platform FE Remove gender display, not stored in RPI (if getting rid of gender on zen)
• Zen Platform store & serve profilePicture links from rpi profile if available, prevent profile pic upload for rpi accounts.

Stage 3

• Zen Platform FE T&C's specific page or more clear messaging for missing T&C acceptanc on edit profile page.
• Zen Platform Email entry page to direct users to raspberry pi or zen for login - ensure clear messaging for user so it's clear why they are being redirected to rpi profile.
• Profile - Add coder dojo alongside code club as connected application
• [S/M] Migration script for active users batch to create RPI accounts & link to zen
• [S] Run Migration script for active users batch - monitoring + testing

Stage 4

• [S] Remove zen email login page, all users auth through rpi.

Proposed Migration Plan

Since Dec. 2019, all zen users logging in have had a salted hash saved of their password in the same format as rpi, for users without an existing rpi account under the same address, an rpi account can be created and linked. Next time they try to log in it will redirect to rpi where they'll be able to use the same password.

A new zen login page would then be put in that has just the email address input like google & microsoft & explains the transition to raspberry pi accounts. After submitting the email address there'll be a few possible cases:

• Email matches zen account that is linked to an rpi account:
  • User redirected to rpi for login, email is preferably prefilled so they don't need to enter twice.
• Email matches zen account without a linked rpi account:
  • Next screen is a password entry still on zen
  • Once logged in with zen the previous active user migration is automatically run for that user to create an account, user is shown an informative loading screen.
  • User is directed to rpi login for that new account where the email will be prefilled but they'll need to enter the password again to login there.
• Email matches zen account but unlinked rpi account already exists for that email
  • User informed of this and invited to continue on to the rpi login page
  • Once logged in there, it'll return to zen automatically and in the background the existing account takeover flow with recognized email will be followed.

Developed from Planning Document by @josephwilk