improve email verification, no popup, auto-verify Shib users #8579
Merged
Conversation
This was referenced Apr 6, 2022
…okens #5663 For Shib users we now set the emailconfirmed timestamp on login. (The guides say we do this already but are wrong. It was only being set on account creation.) For Shib users, I also prevent "check for your welcome email to verify your address" from being shown in the in-app welcome/new account notification. I put in a check to make sure Shib users never get a "verify your email address" email notification. Finally, I removed the hasNoStaleVerificationTokens check from the hasVerifiedEmail method. We've never worried about if there are stale verification tokens in the database or not and this check was preventing "Verified" from being shown, even when the user has a timestamp (the timestamp being the way we know if an email is verified or not).
8b1500c to 25dc681
sekmiller approved these changes Apr 15, 2022
Looks reasonable. Passing to QA.
Issues:
It turns out the "change email" bug exists in 5.10.1 (and who knows how many releases). I just wrote it up:
What this PR does / why we need it:
Users are confused by the "Verify Email" button. Sometimes it shows a popup. Sometimes it shows a green message at the top. It's unclear when an email is sent.
In this pull request, we eliminate the popup and always send a fresh email when you click the button, which has been renamed to "Send Email Verification".
In addition, issues related to email verification of Shibboleth users were fixed. The guides had long suggested that the emailconfirmed timestamp is being set for Shibboleth users on login. It turns out this was only true for new Shibboleth users on their first login. If you converted your account from builtin to Shibboleth, the timestamp was not being set. Now we update the timestamp on every Shib login.
I'm a Shib user of Harvard Dataverse and I saw a "Verify Email" button. Clicking it resulted in an email to me. We don't want Shib users to see that button or get these emails, so I added a check to prevent the email from being sent.
In terms of why I was seeing the "Verify Email" button as a Shib user, I think the hasNoStaleVerificationTokens check added in PR #6974 has been causing problems. I eliminated this check, which should mean that the presence of the emailconfirmed timestamp is enough to know if an email has been verified or not. This was the original design in PR #3299. Instead of a boolean, we store a timestamp so we have more information. Any tokens in the database shouldn't matter.
While testing, I noticed a weird empty "Account Information" dropdown for Shib users (#8223). I went ahead and removed this as well.
I noticed that when testing with two browsers, the browser where I did not click the verification link does not show "verified" until I log out and back in.
Which issue(s) this PR closes:
Special notes for your reviewer:
None.
Suggestions on how to test this:
Popup-related changes (#8227)
two browsers (login/logout behavior)
Shib-related changes (#5663)
emailconfirmed (authenticateduser table) should be updated on each Shib login. You can inspect this via API ( http://localhost:8080/api/admin/authenticatedUsers/jharvard ).
hasNoStaleVerificationTokens check.)
Weird empty "Account Information" dropdown for Shib users (#8223)
Changes to error handling
Reverifying email on email change
emailconfirmed and sending a new verification email when you change your email but it would be good to test this.
Does this PR introduce a user interface change? If mockups are available, please link/include them here:
Yes. The bulk of the screenshots below are for possible paths through the verify email workflow. Further screenshots show some fixes specific to Shib users.
Verify email workflows
A few workflows are possible:
1. User clicks link in "user created" email
1a. creates account and reads email
Subject: Root: Your account has been created
Hello,
Welcome to Root! Get started by adding or finding data. Have questions? Check out the User Guide at https://guides.dataverse.org/en/5.10/user or contact Root Support Team at support@mailinator.com for assistance.
Please verify your email address at http://localhost:8080/confirmemail.xhtml?token=688597d1-1b41-4ae7-9950-a45d3f855a38 . Note, the verify link will expire after 24 hours. Send another verification email by visiting your account page.
You may contact us for support at support@mailinator.com.
Thank you,
Root Support Team
1b. clicks link and sees success message
1c. visits account page and sees that email shows as verified
(In the screenshot, I'm also showing the dropdown for how to get to "Account Information".)
2. User clicks "Send Notification Email" button
The user would click the "Send Notification Email" button for a few reasons:
2a. Clicking the button and seeing the success message (email sent)
2b. A new link is sent via email
Subject: Root: Verify your email address
Hello, e7a744.
Please verify your email address at http://localhost:8080/confirmemail.xhtml?token=bea7e595-3022-455e-bfeb-72de253bf3b1 . Note, the verify link will expire after 24 hours. Send another verification email by visiting your account page.
Please contact us if you did not intend this change or if you need assistance.
You may contact us for support at support@mailinator.com.
Thank you,
Root Support Team
2c. Go to success message above
Clicking the link before it has expired results in the same success message and "verified" state as above.
3. User clicks an expired link
(See also "error handling" below.)
3a. message for expired link
Shib in-app welcome (new account) message
In the welcome in-app notification (from creating their account) Shib users will no longer see "Also, check for your welcome email to verify your address." (reported in #5663). Instead, it should look like this:
Weird empty "Account Information" dropdown removed for Shib
This pull request also includes a fix to remove the weird empty "Account Information" dropdown for Shib users reported in #8223.
before (weird dropdown present)
after (weird dropdown absent)
Error handling
The highlighted area in the screenshot below can vary. It will most often say "Invalid token" for non-existent or expired tokens. As shown below, it can also say "Deactivated user".
Is there a release notes update needed for this change?:
Included.
Additional documentation:
The Admin guide has been updated. It incorrectly stated that the email address is re-verified on every login. This is now actually true. I also noted that the welcome email does not contain a URL to verify one's email.
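The verification rules described in this PR (the emailconfirmed timestamp alone decides whether an address is verified, Shib users get the timestamp refreshed on every login and never receive a verification email, each button click issues a fresh token, and a confirmation attempt reports "Invalid token" for unknown or expired tokens and "Deactivated user" for deactivated accounts) are modelled below as an added, self-contained example. It is not Dataverse's own code: the class and function names, the in-memory user and token stores, and the injectable clock are assumptions made for illustration; the 24-hour token lifetime and the two error strings come from the emails and the error-handling section above. The "before" predicate shows why the old hasNoStaleVerificationTokens check could hide "Verified" from a user who already had a timestamp.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Verify links "will expire after 24 hours" (wording from the emails in the PR).
TOKEN_LIFETIME = timedelta(hours=24)


@dataclass
class User:
    username: str
    auth_provider: str                      # "builtin" or "shib" (constructed values)
    email_confirmed: Optional[datetime] = None   # stands in for the emailconfirmed column
    deactivated: bool = False


@dataclass
class ConfirmEmailToken:
    token: str
    username: str
    created: datetime


class EmailVerificationService:
    """Hypothetical in-memory model of the verification workflow, not Dataverse's API."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.clock = clock
        self.users: Dict[str, User] = {}
        self.tokens: Dict[str, ConfirmEmailToken] = {}
        # Stand-in for the outbox: (username, token) for every verification email "sent".
        self.sent_emails: List[Tuple[str, str]] = []

    def add_user(self, username: str, auth_provider: str) -> User:
        user = User(username, auth_provider)
        self.users[username] = user
        return user

    def has_verified_email(self, user: User) -> bool:
        # After this PR: the presence of the timestamp is the whole test.
        return user.email_confirmed is not None

    def has_verified_email_before(self, user: User) -> bool:
        # Pre-PR behaviour (the removed hasNoStaleVerificationTokens check): any token
        # lingering in the store for this user hides the "Verified" state even when the
        # timestamp is set.
        stale = any(t.username == user.username for t in self.tokens.values())
        return user.email_confirmed is not None and not stale

    def on_login(self, user: User) -> None:
        # Shib users: set the timestamp on every login, not only at account creation,
        # so accounts converted from builtin to Shib are covered too.
        if user.auth_provider == "shib":
            user.email_confirmed = self.clock()

    def send_verification_email(self, user: User) -> bool:
        """Issue a fresh token and 'send' it. Returns False when no email is sent."""
        # Shib users never get a "verify your email address" email.
        if user.auth_provider == "shib":
            return False
        # Every click sends a new link; older tokens stay until they expire or are used.
        rec = ConfirmEmailToken(str(uuid.uuid4()), user.username, self.clock())
        self.tokens[rec.token] = rec
        self.sent_emails.append((user.username, rec.token))
        return True

    def confirm(self, token_value: str) -> str:
        """Outcome shown on confirmemail.xhtml for a presented token."""
        rec = self.tokens.get(token_value)
        # Unknown and expired tokens are reported the same way.
        if rec is None or self.clock() - rec.created > TOKEN_LIFETIME:
            return "Invalid token"
        user = self.users[rec.username]
        if user.deactivated:
            return "Deactivated user"
        user.email_confirmed = self.clock()
        del self.tokens[token_value]        # a link can be used once
        return "Verified"


if __name__ == "__main__":
    svc = EmailVerificationService()
    alice = svc.add_user("alice", "builtin")        # constructed sample user
    svc.send_verification_email(alice)
    print(svc.confirm(svc.sent_emails[-1][1]), svc.has_verified_email(alice))
```

The injectable clock is what lets the expiry path be exercised without waiting a day; in a real deployment the timestamp and token lifetime would come from the database and configuration rather than from this in-memory model.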