Skip to content

HIDP-280 as a user i want to be able to change my email address using #376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 29 commits into
base: feature/api
Choose a base branch
from
Open

HIDP-280 as a user i want to be able to change my email address using #376

wants to merge 29 commits into from

Conversation

@mkirkeng-leukeleu
Copy link
Member

@mkirkeng-leukeleu mkirkeng-leukeleu commented Nov 5, 2025
edited
Loading

  • Adds a viewset at /api/email-change/
    • POST creates new email change requests and sends the appropriate emails (to the current and proposed email addresses)
    • DELETE cancels an existing email change request
  • Adds a separate view at /api/email-change-confirm/
    • PUT confirms the email change request using the tokens sent in the emails from creating the email change request
    • This could, in the future, possibly also be combined into the email change viewset but that requires a bit of refactoring for forex. the get_object() method and PATCH should not be added (which is done automatically by the UpdateModelMixin).
  • Adds the corresponding serializers for the viewsets/views mentioned above
    • Generally speaking put the logic from the original HIdP forms into these serializers and the HTML view logic into the API views
  • Updates the mailers to allow overriding the the links sent in the emails themselves (as these should refer to a link in the application frontend not one of the HIdP HTML views.
    • Also added some settings to allow the application creator to configure these URLs as HIdP doesn't know about the URLs of frontend.
    • Also added some checks to make sure the application creator configures these settings when using the API (giving it a default will just result in the views silently sending emails with the wrong URLs).
  • Added tests for the serializers and views mostly based on the tests for the existing views, but slightly changed to fit the API and the way the logic is spread across serializers and views.

@github-actions github-actions bot added the documentation Improvements or additions to documentation label Nov 7, 2025
@fvanderpost
Copy link
Contributor

fvanderpost commented Nov 7, 2025
edited
Loading

I looked at the custom url logic for the mailers and will implement similar logic in related PRs. Some thoughts:

  • Would prefer argument naming like cancel_url over confirmation_url_template, template to me conveys more a multi line file instead of single string interpolation
  • In line with that I would just add a check to checks.py that, for urls needing a {token} placeholder, verifies that it exists.
  • Maybe move settings.EMAIL_CHANGE_CONFIRMATION_URL etc checking to the mailer itself and build URLs in that class over having it in send_mail of the API view so we can more easily reuse the logic in both the template view and the API view -> Downside is that for template view logic we specifically do not want to take the setting based URLs since we rely on our hardcoded routes to redirect to correct spot

But overal it seems like the most straightforward implementation and seems to be in line with other packages.

@mkirkeng-leukeleu
Copy link
Member Author

mkirkeng-leukeleu commented Nov 7, 2025

I looked at the custom url logic for the mailers and will implement similar logic in related PRs. Some thoughts:

* Would prefer argument naming like `cancel_url` over `confirmation_url_template`, template to me conveys more a multi line file instead of single string interpolation

* In line with that I would just add a check to `checks.py` that, for urls needing a `{token}` placeholder, verifies that it exists.

Yeah I also didn't love "template" for the same reason but wanted to communicate that one is a simple url string and the other needs the interpolation/replacement field. But as long as the checks exist I'm fine with removeing the "_template"

* Maybe move `settings.EMAIL_CHANGE_CONFIRMATION_URL` etc checking to the mailer itself and build URLs in that class over having it in `send_mail` of the API view so we can more easily reuse the logic in both the template view and the API view -> Downside is that for template view logic we specifically do not want to take the setting based URLs since we rely on our hardcoded routes to redirect to correct spot

I actually would like to kind of go the other direction in future as I'd like to separate view logic from business logic more. And which url to use depending on whether the its the API or html views is view logic while the actual mail sending is business logic. At least to me.

@mkirkeng-leukeleu mkirkeng-leukeleu marked this pull request as ready for review November 9, 2025 21:23
@mkirkeng-leukeleu
Remove _template postfix for clarity
0b57d29
@mkirkeng-leukeleu
Merge branch 'feature/api' into HIDP-280-as-a-user-i-want-to-be-able-…
3bca90c 
…to-change-my-email-address-using

# Conflicts:
#	packages/hidp/hidp/api/urls.py
#	packages/hidp/hidp/api/views.py
fvanderpost
fvanderpost reviewed Nov 10, 2025
View reviewed changes
fvanderpost
fvanderpost reviewed Nov 10, 2025
View reviewed changes
packages/hidp/hidp/api/serializers.py

if (
not token_data
or not set(token_data.keys()) == {"recipient", "uuid"}
Copy link
Contributor

@fvanderpost fvanderpost Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not wrong to check if this is true, but different from the view based implementation. If we refactor stuff perhaps should move this check to EmailChangeTokenMixin.validate_token_data and make the mixin more general

Copy link
Member Author

@mkirkeng-leukeleu mkirkeng-leukeleu Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a good thing to look at this again during a future refactor.

fvanderpost
fvanderpost reviewed Nov 10, 2025
View reviewed changes
fvanderpost
fvanderpost reviewed Nov 10, 2025
View reviewed changes
fvanderpost
fvanderpost reviewed Nov 10, 2025
View reviewed changes
packages/hidp/hidp/api/views.py
):
authentication_classes = [SessionAuthentication]
permission_classes = [IsAuthenticated]
serializer_class = EmailChangeSerializer
Copy link
Contributor

@fvanderpost fvanderpost Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For consistency (and perhaps for allowing overrides) we should use setting class variables for:

  token_generator = tokens.email_change_token_generator
  email_change_request_mailer = mailers.EmailChangeRequestMailer
  proposed_email_exists_mailer = mailers.ProposedEmailExistsMailer

These things might move in a similar way to a mixin in the future as well

Copy link
Member Author

@mkirkeng-leukeleu mkirkeng-leukeleu Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For now I've not considered how friendly the endpoints are to subclassing/overriding, so I decided to not support that functionality either. After all the API endpoints already are structured differently compared to the views with all their mixins. So similar to this comment, I suggest looking at this again during a possible future refactor.

fvanderpost
fvanderpost reviewed Nov 10, 2025
View reviewed changes
@mkirkeng-leukeleu
Use HTTPStatus enum instead of drf status
e5c3aa0
@mkirkeng-leukeleu
Address some PR review comments
03b713b
@mkirkeng-leukeleu
Use try...except to check for existing account
74d0154
@mkirkeng-leukeleu
Add comment noting default token timeout
c22e690
@mkirkeng-leukeleu
Merge branch 'feature/api' into HIDP-280-as-a-user-i-want-to-be-able-…
47122b9 
…to-change-my-email-address-using

# Conflicts:
#	packages/hidp/docs/openapi/schema.json
#	packages/hidp/hidp/api/urls.py
#	packages/hidp/hidp/api/views.py
#	packages/hidp/hidp/config/checks.py
#	packages/hidp/hidp/spectacular_settings.py
#	packages/hidp/tests/test_settings.py
#	project/hidp_sandbox/settings.py
#	project/tests/test_settings.py
@mkirkeng-leukeleu
Add email verification url to example local config file
54be921
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fvanderpost fvanderpost fvanderpost left review comments

@wadevries wadevries Awaiting requested review from wadevries wadevries is a code owner

@153957 153957 Awaiting requested review from 153957 153957 is a code owner

@bsimons bsimons Awaiting requested review from bsimons bsimons is a code owner

@dbunskoek dbunskoek Awaiting requested review from dbunskoek dbunskoek is a code owner

@bheesink bheesink Awaiting requested review from bheesink bheesink is a code owner

@ivanhulzen-leukeleu ivanhulzen-leukeleu Awaiting requested review from ivanhulzen-leukeleu ivanhulzen-leukeleu is a code owner

@ramonakira ramonakira Awaiting requested review from ramonakira ramonakira is a code owner

Assignees

No one assigned

Labels

documentation Improvements or additions to documentation package project

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mkirkeng-leukeleu @fvanderpost