(dev/core#4462) Afform - Fixes for page-token handling

[totten]

Overview

This is a follow-up to #30585 (5.79.alpha) to address some of remaining issues (for 5.79.beta). It is part of https://lab.civicrm.org/dev/core/-/issues/4462. There is still more to do for 5.79 after this. (But I just wanted to keep the patchset from getting too big in one PR.)

ping @ufundo @eileenmcnaughton @aydun

Steps to Reproduce

• Setup 5.79 on D7/BD.
• Create an "Individual" form.
  • Form Settings: Placement: Enable "Message Tokens".
  • Form Settings: Permission: "Generic: Allow all users (including anonymous)"
  • Individual 1: Security: Form-Based
  • Individual 1: Autofill: Current User
  • Individual 1: Allowed Actions: Create=>yes, Update=>yes
  • Individual 1: Accept ID from URL: No
• Send an email with the new token. The recipient should be someone has a User account.
• Read the rendered email. Open the link in a new/private browser.

Before (circa 5.79.alpha)

The general idea is that the baseline HTML page is shown anonymously -- and then any AJAX subrequests will be authenticated (setting the active Civi Contact and active CMS User based on the token).

However, this runs into some snags:

• Authx Bug: On the initial page-view, the site navigation looks anonymous. But it secretly initializes an authenticated session. This becomes obvious if you reload the page or manually open any other page.
  That defeats the whole point of 30585. The goal is to have a limited-use token that does not create a session.
• First-Request Does Not Set Identity: The initial HTTP request doesn't set the active contact/user. That only happens in the AJAX subrequests. Consequently, it only works if the page is viewable by anonymous.
• User-Loading Policy: You can kind of work-around problems by going to "System Settings > Authentication" and setting user-mapping policy for "HTTP X-Header" requests.
  • It requires work for site-builder to configure.
  • Those configuration steps are heavy-handed. They could impact other/unrelated customizations.
  • One size doesn't fit for all page-token use-cases. (CiviMail and cross-site IFRAMEs have some differing needs.)

After

This is an intermediate step/improvement.

The general idea is that you show the baseline HTML page (and its AJAX requests) as the target Contact and/or User.

Addressing those snags:

• Authx Bug: Fixed. It no longer creates the unintended session.
• First-Request Auth: It now sets the active Contact and/or User.
• User-Loading Policy:
  • We still have the fundamental trade-offs in deciding whether to set active Contact and/or User.
  • But given that trade-off exists, you can distinguish policies for different use-cases.

Technical Details

Recall the basic mechanism of the page-level auth-token. You can take any afform and generate a signed token to view that one page.

https://example.com/civicrm/my-form?_aff=Bearer+XXXXXXXXX

For email hyperlinks (in the current work), message-tokens are used to generate these kinds of links. The policy is to set the active Contact but leave the anonymous User.

• This should be closest analog to how "Profile+Checksum" behaves.
• This means that the CMS will render nav-menus that are suitable to anonymous. (It's confusing to see non-functional nav-links for "New Individual" or "My Account" or "Logout".)
• When configuring a form, you should set permissions suitable for anonymous users. (It's kinda hard to check the user-permissions if we don't load the user-accounts.)

For new/bespoke integrations (eg remote sites which embed IFRAMEs with auth-token links), it also defaults to "User-only". But:

• If you enable "User" accounts for this case, it should work fine. (Navbars are already suppressed -- so no conflict there.

• The integrator can decide whether to enable User account integration. They do this by putting a signed claim in the XXXXXXXX token:

  • Set JWT claim userMode=>ignore to disable user-loading.
  • Set JWT claim userMode=>optional or userMode=>require to enable user-loading.

[civibot]

🤖 Thank you for contributing to CiviCRM! ❤️ We will need to test and review this PR. 👷

Introduction for new contributors...

• If this is your first PR, an admin will greenlight automated testing with the command ok to test or add to whitelist.
• A series of tests will automatically run. You can see the results at the bottom of this page (if there are any problems, it will include a link to see what went wrong).
• A demo site will be built where anyone can try out a version of CiviCRM that includes your changes.
• If this process needs to be repeated, an admin will issue the command test this please to rerun tests and build a new demo site.
• Before this PR can be merged, it needs to be reviewed. Please keep in mind that reviewers are volunteers, and their response time can vary from a few hours to a few weeks depending on their availability and their knowledge of this particular part of CiviCRM.
• A great way to speed up this process is to "trade reviews" with someone - find an open PR that you feel able to review, and leave a comment like "I'm reviewing this now, could you please review mine?" (include a link to yours). You don't have to wait for a response to get started (and you don't have to stop at one!) the more you review, the faster this process goes for everyone 😄
• To ensure that you are credited properly in the final release notes, please add yourself to contributor-key.yml
• For more information about contributing, see CONTRIBUTING.md.

Quick links for reviewers...

• ➡️ PR Demo site (can be rebuilt with the command test this please).
• 📖 Review standards
• 🗒️ Review template (brief or verbose)

➡️ Online demo of this PR 🔗

[totten]

This was discussed on call, and it sounded like we could merge. Would like to get this out of the way so we can work on other subparts of 4462.

I'm just gonna throw some more aggressive test-suites at it to make sure they aren't regressive. (Here's an example baseline for 5.79-rc.)

[ufundo]

, it also defaults to "User-only"

Should that be "Contact-only" ?