accounts-app's Issues

Issue when used with Create React App

We are currently using this in two of our apps - https://github.com/topcoder-platform/Lauscher and https://github.com/topcoder-platform/vorbote where both apps have built the ui using reactjs.

While this module works fine during development, when the app is built, we get the following build error:

> react-scripts build

Creating an optimized production build...
Failed to compile.

Failed to minify the code from this file: 

 	./node_modules/tc-accounts/connector/connector-wrapper.js:4 

Read more here: http://bit.ly/2tRViJ9

cc @cwdcwd

Go straight to SSO registration

We need to streamline the SSO login and registration flows. Here is how we should handle it:

SSO login and registration should be a single form. Currently it is 2 separate forms. So, we should just have a "Login with SSO" form.

If a user attempts to login with sso and they don't have an account, we should automatically create a topcoder account for them. This will mimic the registration form in terms of creating the user, but the user should not have to enter any info.
- We should get the info from their sso provider.
- We should generate a handle for them using first name and last initial. We'll need logic to make sure we produce unique handles, abide by the character constraints, and 15 char max.
- Users should be auto activated.
- No activation email should be sent. Only the welcome email.

NOTE:
If the full automation is more than a couple days of work, then let's come up with an incremental solution. For example, we could still reduce it to a single sso login form but instead of fully creating the user record we could still return the user to our registration form (without the social login options) with as much info populated as possible. And then the user would still have to submit the form.

Reset password processing for duplicate accounts associated with same email address

Case 1. If a user has two accounts with the same email address, of which one is active and the other is inactive, and tries to reset the password.

Expected solution: In case 1, reset password functionality should associate the password with the active account.

Case 2: If there are more than 2 active accounts of a user with the same email and a user tries to reset the password.

Expected solution: In case 2, reset password functionality should throw an error.

Update segment script to support user consent

Expected behavior

Describe.
The connect app should support the segment 4.1.0 javascript app to support user consent (below).

<script>
  !function(){var analytics=window.analytics=window.analytics||[];if(!analytics.initialize)if(analytics.invoked)window.console&&console.error&&console.error("Segment snippet included twice.");else{analytics.invoked=!0;analytics.methods=["trackSubmit","trackClick","trackLink","trackForm","pageview","identify","reset","group","track","ready","alias","debug","page","once","off","on","addSourceMiddleware","addIntegrationMiddleware","setAnonymousId","addDestinationMiddleware"];analytics.factory=function(e){return function(){var t=Array.prototype.slice.call(arguments);t.unshift(e);analytics.push(t);return analytics}};for(var e=0;e<analytics.methods.length;e++){var t=analytics.methods[e];analytics[t]=analytics.factory(t)}analytics.load=function(e,t){var n=document.createElement("script");n.type="text/javascript";n.async=!0;n.src="https://cdn.segment.com/analytics.js/v1/"+e+"/analytics.min.js";var a=document.getElementsByTagName("script")[0];a.parentNode.insertBefore(n,a);analytics._loadOptions=t};analytics.SNIPPET_VERSION="4.1.0";
  analytics.load("bkPtWMUMTYDhww2zsJluzxtdhtmSsyd9");
  analytics.page();
  }}();
</script>

Additionally,
The following process should be followed to implement consent manager
https://github.com/segmentio/consent-manager#standalone-script

Specifically:

  • The consent code should be included on the same page as this analytics script
  • The analytics.load function should be commented out.
  • The cookieDomain string should be set to topcoder.com

Actual behavior

Describe.
The current app is version 4.0.0.

Steps to reproduce the problem

Load any page.

Screenshot/screencast

Attach or link a resource.
this file needs to be updated.
https://github.com/appirio-tech/accounts-app/blob/dev/app/views/segment.io.jade

Environment

  • OS:
  • Browser (w/version):
  • User role (client, copilot or manager):
  • Account used:

Domain of v3jwt token

I have already asked about it in some channels on Slack, but as it did not result in any changes, I open this ticket here :)

Right now, when authentication is handled by accounts connector, Topcoder auth token v2 is written into tcjwt cookie, under topcoder.com / topcoder-dev.com domains, but auth token v3 is written into v3jwt cookie under accounts.topcoder.com / accounts.topcoder-dev.com domains. As a result, when the user of connector sends a request to the server (from its own subdomain of topcoder.com), only tcjwt cookie is sent along with the request, while v3jwt is not (because it is explicitly set for a different subdomain). Can we ensure that v3jwt cookie is set for topcoder.com / topcoder-dev.com domains as well?
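An added example, not code from the accounts connector: a small model of RFC 6265 domain matching that shows why a cookie scoped to accounts.topcoder.com is not attached to a request for another subdomain, while one scoped to topcoder.com is. The function names and the request host connect.topcoder.com are assumptions for illustration; Path, Secure, SameSite and public-suffix checks are not modelled.

```javascript
// Added example: models only the Domain attribute of RFC 6265 cookies.
// Path, Secure, SameSite and public-suffix checks are left out.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, '');
  return h === d || h.endsWith('.' + d);
}

// setBy: host answering with Set-Cookie; domainAttr: Domain value or null.
function storeCookie(name, setBy, domainAttr) {
  if (domainAttr === null) {
    // No Domain attribute: host-only cookie, returned to setBy alone.
    return { name, domain: setBy.toLowerCase(), hostOnly: true };
  }
  // A host may only name itself or one of its parent domains.
  if (!domainMatches(setBy, domainAttr)) return null;
  const domain = domainAttr.toLowerCase().replace(/^\./, '');
  return { name, domain, hostOnly: false };
}

// Names of the cookies a browser would attach to a request for requestHost.
function cookiesSentTo(jar, requestHost) {
  const host = requestHost.toLowerCase();
  return jar
    .filter((c) => c !== null)
    .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
    .map((c) => c.name);
}

// Constructed jar for the behaviour described in the issue.
function jarAsDescribed() {
  return [
    storeCookie('tcjwt', 'accounts.topcoder.com', 'topcoder.com'),
    storeCookie('v3jwt', 'accounts.topcoder.com', 'accounts.topcoder.com'),
  ];
}

// Constructed jar for the requested change: both tokens on the parent domain.
function jarAsRequested() {
  return [
    storeCookie('tcjwt', 'accounts.topcoder.com', 'topcoder.com'),
    storeCookie('v3jwt', 'accounts.topcoder.com', 'topcoder.com'),
  ];
}

console.log(cookiesSentTo(jarAsDescribed(), 'connect.topcoder.com'));
console.log(cookiesSentTo(jarAsRequested(), 'connect.topcoder.com'));
```

A cookie scoped to the parent domain is sent to every host under it, so the set of subdomains that can read the v3 token grows with this change.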

Unable to login to Topgear.topcoder.com using Microsoft Edge 38 and Internet Explorer: 11

From @deepakanbarasan1 on March 8, 2018 13:23

Expected behavior

Describe.
Topcoder member should login successfully in Microsoft Edge 38 and Internet Explorer: 11.

Actual behavior

Describe.
Topcoder member is not able to login successfully in Microsoft Edge 38 and Internet Explorer: 11.

Steps to reproduce the problem

  • TBD.
  • TBD.
  • TBD.

Screenshot/screencast

Attach or link a resource.
topgear.topcoder.com/

Environment

  • OS: Windows 10
  • Browser (w/version): Microsoft Edge 38.14393.2068.0
    Internet Explorer: 11.2068.14393.0
  • User role (client, copilot or manager):
  • Account used: Wipro topgear.topcoder

Note: Topcoder member is able to login successfully in Microsoft Edge 40.15063.674.0

Copied from original issue: appirio-tech/connect-app#1860

return url and afteractivationurl

Right now, we hard code the retUrl and afterActivationURL in the accounts app. This means that the user is always sent back to the main my-dashboard page. This doesn't work well for situations when the user is starting on another site/page, like cognitive.topcoder.com and we want to keep them on that site.

Let's add support for the following:

  1. After the user registers, return them to the page they came from. We should be able to support this if we make the retUrl work on the register links. For example, https://accounts.topcoder.com/member/registration?retURL=https://cognitive.topcoder.com would return to https://cognitive.topcoder.com after the registration form was submitted.

  2. When the user activates their account, direct them back to a specified URL. I see the /users api supports an "afterActivationURL" param that handles this. However, the accounts app does not support this. The requirement is to have the activation link in the activation email include a custom retUrl. For example, https://api.topcoder.com/pub/activation.html?code=123KJHH&retUrl=https://cognitive.topcoder.com

Unhandled errors on loading the app

Since the last few releases, we are observing multiple instances of the following error in the console. Though they do not seem to do any significant harm right now, it is better to handle it by identifying the root cause of it and fixing it.

app.c20966f….js:sourcemap:438 Error: transition prevented
    at L [as $get] (app.c20966f….js:sourcemap:23)
    at Object.a [as invoke] (app.c20966f….js:sourcemap:436)
    at app.c20966f….js:sourcemap:436
    at n (app.c20966f….js:sourcemap:436)
    at r (app.c20966f….js:sourcemap:436)
    at Object.a [as invoke] (app.c20966f….js:sourcemap:436)
    at app.c20966f….js:sourcemap:436
    at c (app.c20966f….js:sourcemap:436)
    at le (app.c20966f….js:sourcemap:436)
    at a (app.c20966f….js:sourcemap:436) "Possibly unhandled rejection: {}"

Support retUrl when provided along with regSource

Steps to reproduce -

  1. Hit this URL on browser https://accounts.topcoder.com/member/registration-success?regSource=tcBusiness&retUrl=https://connect.topcoder.com/projects/24182
  2. Fill the registration form and get the Activation link in email entered above
  3. Activation link url received is https://api.topcoder.com/pub/activation.html?code={ACTIVATION_CODE}&retUrl=https://connect.topcoder.com/

Notice that though we provided retUrl during registration, the activation URL is still redirecting to the Connect Home page instead of the specific project's page.

Fyi - @mtwomey
ref - https://github.com/appirio-tech/accounts-app/blob/dev/app/scripts/tc/register.controller.js#L170

Enable multiple sso providers

Currently, we're only handling wipro adfs from the front end. We need to support any sso provider that we have configured.

Based on the domain, the appropriate sso provider should be used. If this will take more than a day, let's start by enabling wipro adfs as well as our sfdc.

Force user to SSO if they are from wipro

If a user attempts to register a new account with a wipro.com email address, we should force them into the SSO login/reg flow and prevent them from creating a non-sso account with a wipro.com address.

We should implement this generically so that we can support other sso domains too. For wipro's case, we want to mandate it. For other sso providers, it might be optional. We should have some kind of setting on the sso_provider that will allow us to generically check if we should force them to the sso flow for a given provider/domain.

isUrl and validateUrl (in core)

isUrl returns false for http://localhost:3000 and validateUrl returns false for http://127.0.0.1:3000/. This makes running locally more cumbersome, because the callbacks after logging in do not work properly.

I suggest updating to allow these.
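An added example, not code from accounts-app or its core module: one way to check a retUrl value before redirecting to it, covering the retUrl issues above and the localhost case raised here. The allowed parent domains, the allowLocalDev option and all function names are assumptions for illustration.

```javascript
// Added example: allowlist check for a retUrl value.
// ALLOWED_PARENTS and allowLocalDev are assumptions, not project settings.
const ALLOWED_PARENTS = ['topcoder.com', 'topcoder-dev.com'];
const LOCAL_HOSTS = ['localhost', '127.0.0.1'];

function isAllowedReturnUrl(raw, { allowLocalDev = false } = {}) {
  if (typeof raw !== 'string' || raw.length === 0) return false;
  // Backslashes and control characters are normalised differently by
  // browsers and servers, so reject them instead of guessing.
  if (/[\\\u0000-\u001f\u007f]/.test(raw)) return false;

  let url;
  try {
    url = new URL(raw); // no base given: relative values throw
  } catch (e) {
    return false;
  }
  // Credentials in the authority hide the real host from a human reader.
  if (url.username || url.password) return false;

  const host = url.hostname.toLowerCase();
  if (allowLocalDev && LOCAL_HOSTS.includes(host)) {
    // Plain http is accepted for local development only.
    return url.protocol === 'http:' || url.protocol === 'https:';
  }
  if (url.protocol !== 'https:') return false;
  // Exact match or a dot-delimited subdomain; a bare suffix test would
  // also accept an unrelated domain that merely ends in "topcoder.com".
  return ALLOWED_PARENTS.some((p) => host === p || host.endsWith('.' + p));
}

// Returns raw when it passes the check, otherwise the caller's fallback.
function resolveReturnUrl(raw, fallback, opts) {
  return isAllowedReturnUrl(raw, opts) ? raw : fallback;
}

console.log(isAllowedReturnUrl('https://cognitive.topcoder.com'));
console.log(isAllowedReturnUrl('http://localhost:3000', { allowLocalDev: true }));
```

Keeping allowLocalDev off in production builds means localhost callbacks work for developers without widening what a deployed instance will redirect to.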

sync businessPhone validation with member api

As of now, a user can enter a phone number in a format which is not acceptable to the member api (trait endpoint), which causes the api to fail while trying to create the user trait.
Request:
Screen Shot 2020-01-02 at 4 32 06 PM
Response:
Screen Shot 2020-01-02 at 4 32 13 PM
In this particular example, I guess the issue is the missing + as prefix of the business phone string.
Ideally, our front end validation should have prevented the user from entering such a value or automatically append the +.

fyi @maxceem @RishiRajSahu
