Company Applications and Approvals #54
Comments
|
As discussed in person with @imnotteixeira, each
A Company should have a flag On a rejected application the Account is deleted. |
|
@miguelpduarte Any thoughts? |
|
Additionally, it would be really helpful to have a virtual field More info about virtuals: https://mongoosejs.com/docs/guide.html#virtuals Regarding Companies, we should create a wrapper to fetch active companies only, since those will be the most requested in our API, and we must be careful to fetch those instead of all in order not to show information about unapproved companies. |
|
I think that this was already discussed, wasn't this in a photo of the whiteboard somewhere? Don't feel like we should delete the applications. Furthermore, wasn't an application supposed to have all the fields for the company? Or was that just for the account? Don't recall which one but this was definitely the case for one of them. |
|
Derp, it's in the issue description 🤦♂ |
|
Due to us working with mongo, I think it makes more sense to simply have all the data as a sort of blob in the companyapplication and then later on create the company and associated rep's account. Since references in mongo are weird, don't feel like the suggestion of links to things is the way to go. |
|
Basically my opinion is to defualt to what was already decided in the issue description... The creation of a company and account and then tagging them with a disabled attribute just seems like unnecessary confusion to me. Only creating them after approval makes more sense imo. As such, there would be no trouble only listing the active companies or not allowing login to some accounts. These two models would retain their semantic value with no problem whatsoever. However, agreed on the virtual field, seems useful. I was thinking of implementing it as a schema function or something like it but wasn't sure of the syntax and would be investigating in the docs, but I think that seems like what we want. |
|
@miguelpduarte after reading your comments, I agree that the Account would not be necessary for the CompanyApplication (@GuilhermeJSilva made me think it would, but I have reconsidered - if you have further arguments, please expose them :P), provided we have a communication email and the Account would only allow the applicant to log in without any benefits of doing so (since the account was pending approval) That being said, I propose the following:
And when the application is approved, a link would be sent to the applicant (something like This relieves the applicants from the burden of thinking about passwords when they don't actually have an account, and thinking of a bio for the same reasons. For us, it's better as we keep the CompanyApplication to a minimum, while still being able to create Account and Company instances since the user would provide further details once approved. |
|
I believe the idea at the time was to include the password in the companyapplication as well so that when the application was accepted, the account could be created straight away. The idea at the time, if I recall correctly, was to reduce implementation complexity, and prevent the potential problems with sending tokens in emails. A simple email saying "Your application has been accepted, please login using the credentials you entered in your application" would suffice. If there is a concern that the password might be lost between applying and being accepted, then that is a problem solvable with password resetting, and not with changing this procedure, imo. |
|
@miguelpduarte that was indeed the way we thought of initially, however, from the user's point of view, it makes no sense to provide a password when there is no account being created directly: it must be approved beforehand. The issue here would not be a lost/forgotten password in my opinion, but my proposal would solve that as well. Regarding the "token", I don't mean it as a security point of view, it's as simple as a random uuid/whatever that is generated when the application is approved, which is then associated with that application so that no one can redeem an accepted application simply by knowing an applicationID (even though that could suffice). We then send the built link with applicationId+randomstuff to the email and they only have to access it to finalize the process. In my opinion, this is a better process from a user point of view, as the extra work in the beginning (I don't necessarily mean the password, but company bio+details) might discourage them into applying at all ("oh.. it requires this, but I don't have it right now, I' ll do it later"... Proceeds to forget it and not use nijobs) Lastly, it does not involve that much more work: sure, it's an additional route, but the logic inside it will be needed anyway for company editing... |
What I meant in terms of security is that some investigation will be necessary to ensure this is done in a secure way, since there are ways of sending secrets via email that are unsafe. (I think generally sending things without a short expiry period via email are bad, and this token would likely not be able to have a short expiry period.) Other than that agree on the bio + company details. I believe some should be provided, in order to better validate the application. However, as you mention, it makes sense to be able to "create" a "profile" without filling in every bit of data that is possible to insert.
On this, we'll simply disagree. There will be additional investigation necessary in order to ensure that the implementation complies with security standards. Company editing will be a completely different subject since it will simply validate against a log-in session to see if the permissions match-up. I don't see how that relates to this. |
I have a KISS solution for that: since we have an
When I mentioned the logic would be needed I was talking about the more low-level stuff like
Of course, when editing the company details, additional security checks would be necessary, but the underlying functionality is the same, and that's what I was referring to. |
The problem is not in the timeout, imo. That part seems like simple enough to implement. The problem is with generating secure hashes for sending via e-mail. Ensuring they are not guessable, and just trusting email sending to be secure were the real security vulnerabilities I was looking at here.
Sure, but that's so low level that the implementation is trivial. Even using the services structure we are rolling with right now, which could possibly make things "more complicated", it would still be trivial to implement using mongoose models. That is not a problem at all. My biggest gripe at the moment is with sending an email with secrets in them. I would rather have the password pre-filled in order to not have to worry about that. I know that might seem bad for UX, but a compromise always has to be considered due to several factors, security being one of them. |
|
Ok, I am willing to concede on the password thing for the mentioned reasons. In this case the company application will have an email and password, but no Account to prevent candidates to log in (thus, no need for account verification). Regarding company details, only the name is needed, as the |
|
Yup, sounds good! @GuilhermeJSilva do you agree? I think that this will work and be a good compromise between good and easy implementation 😄 |
|
To make this clear and to summarize what has been decided, the CompanyApplication schema will be the following:
No field is unique except for the default ObjectId Additionally, there should be a virtual field to extract the status of the application based on the dates. If approved, the approvedAt should be set and an Account with the provided email and password should be created and associated with a Company (also created then with the provided company name) If rejected, the rejectedAt should be set and the rejectReason provided Both events (approval/rejection) should trigger an email regarding the status update. This proposal requires the following endpoints:
|
|
The model sounds good, yet it originates the need to remove the password hashing from the The endpoint to create an application is missing:
|
|
CompanyApplication creation is done through #67 and #68. The Review part is done at #74 The features include:
|
approvalDate+submitDate+rejectDate(the dates - except approval - are null until changed to represent that that event did not yet happen)The text was updated successfully, but these errors were encountered: