Story #15088

[Workbench2] Replicate Workbench1 merge account feature

Added by Tom Morris 3 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assigned To:
Category:
-
Target version:
Start date:
05/02/2019
Due date:
% Done:

100%

Estimated time:
(Total: 0.00 h)
Story points:
2.0
Release relationship:
Auto

Description

https://doc.arvados.org/user/topics/link-accounts.html

The original story for doing this in WB1 is #12995


Subtasks

Task #15091: Review 15088-merge-accountResolvedPeter Amstutz


Related issues

Related to Arvados - Feature #15061: Redirect users to log in with correct federated identityResolved04/18/2019

Related to Arvados - Task #15141: Workbench2 updatesResolved04/18/2019

History

#1 Updated by Tom Morris 3 months ago

  • Parent task deleted (#15061)

#2 Updated by Tom Morris 3 months ago

  • Tracker changed from Task to Story

#3 Updated by Tom Morris 3 months ago

  • Related to Feature #15061: Redirect users to log in with correct federated identity added

#4 Updated by Eric Biagiotti 3 months ago

  • Assigned To set to Eric Biagiotti

#5 Updated by Tom Morris 3 months ago

  • Description updated (diff)

#6 Updated by Peter Amstutz 3 months ago

  • Description updated (diff)

#8 Updated by Peter Amstutz 3 months ago

  • Description updated (diff)

#9 Updated by Eric Biagiotti 3 months ago

  • Status changed from New to In Progress

#10 Updated by Eric Biagiotti 3 months ago

  • Target version changed from 2019-04-24 Sprint to 2019-05-08 Sprint

#11 Updated by Eric Biagiotti 2 months ago

Latest at 13700efea8cd742fbb4888252f3d06788f5fd845 in the workbench 2 repository. Adds functionality for linking accounts and some exceptions detailed below.

Notes and Todos:
  • From some reason projects are inaccessible after linking an account. I need to investigate this further. In the mean time, you can refresh the page to see the projects.
  • Times in the link account UI are listed in local time. I will update this to be UTC.
  • Still need to write tests.
  • Doesn't look like I need to update any docs. https://doc.arvados.org/user/topics/link-accounts.html is still accurate.
Test for typical use case:
  • Create 2 accounts. Log into A. Click "Add another login to this account". Log into B. Accept linking. Should be logged into A with a migrated project from B.
  • Same, but click "Use this login to access another account". Should be logged into B with a migrated project from A.
Tests for exceptions:
  • Create admin account A and non-admin account B. Log into B. Click "Use this login to access another account". Log into A. Should disallow.
  • Linking the same account should be disallowed.

#12 Updated by Peter Amstutz 2 months ago

  • The "account inactive" page needs to have an option to start account linking.
  • Link accounts on the user page should have button styling
  • I tried "use this log in to access another account" to link an active account to an inactive account (should not be allowed)
    • It takes me to the wb2 login page, instead of sending me directly to the API server login process
    • After logging in, instead of taking me to the link accounts page, I'm at the inactive user page (but not a page telling me the account linking is disallowed)
    • Then I logged out and logged in as a different user, and arrived at the link accounts page. Explicitly logging out should cancel the linking.
  • I tried using "add another log in to this account" to add an inactive account to log in to the current account (should be allowed)
    • I logged in as inactive user
    • I arrived at the inactive user page instead of the links accounts page
  • I tried "add another log in to this account" to add a login associated with an admin account to a non-admin account
    • It gave me the link account confirmation, but did not warn or give an error that by linking the admin account to the non-admin account, I would lose admin privileges
  • I tried "use this login to access another account" to add it to an admin account
    • I got an error that I can't link admin account to non-admin account.

Seems like at minimum the logic that checks for linking admin / non-admin is flipped (it is ok to link a non-admin login to admin, but not the other way around.)

If I navigate away from the link accounts page, and then come back, the account linking is still active. It would probably be better if the user can't navigate (no left sidebar or top menu items) during account linking.

Regardless of how the user initiates link account, the current user account in the wb2 UI should be the target account (the one the secondary account will be redirected to after the user clicks "link").

#13 Updated by Eric Biagiotti 2 months ago

Latest at: bdfda992c607ed4ca591dbf310e659faa370a881 including the following work.

Link accounts on the user page should have button styling

Removed the link from the my-account page and added it to the Account Management drop down in dcab8d69b5fb93c025c49fd85bf39d038c4fb3d0

Regardless of how the user initiates link account, the current user account in the wb2 UI should be the target account (the one the secondary account will be redirected to after the user clicks "link").

Seems like at minimum the logic that checks for linking admin / non-admin is flipped (it is ok to link a non-admin login to admin, but not the other way around.)

Fixed in 2f857ebcd67a607b7fde9c0ea4808ac30c591876

If I navigate away from the link accounts page, and then come back, the account linking is still active. It would probably be better if the user can't navigate (no left sidebar or top menu items) during account linking.

Addressed in d329bdf89ea30acc0e9a95bcb7bc4338f8beeebb.
- Removes navigation after second login.
- Deletes link account session data if the user logs off.
- Second login goes directly to the arvados login.
- After the second login, a page reload or browser navigation cancels the link operation. This is necessary because if we are merging into the account we have stored in session data, once the user logs in the second time, we switch the account we are merging into. Subsequently, if the page is reloaded, the account in session storage is the same as the account we are logged into, which will result in a failed account link.

The "account inactive" page needs to have an option to start account linking.

Added in bdfda992c607ed4ca591dbf310e659faa370a881.

#14 Updated by Eric Biagiotti 2 months ago

  • Target version changed from 2019-05-08 Sprint to 2019-05-22 Sprint

#15 Updated by Peter Amstutz 2 months ago

If the user is inactive and clicks "Link account" from the inactive user page it goes directly to the SSO server. It should go to the link accounts page and explain to the user what is about to happen (however the user only has the option "link login to another account").

#16 Updated by Peter Amstutz 2 months ago

If I select "Link account" and then "Add another login to this account" which takes me to the SSO server, then reconsider and hit the back button to go back to Workbench, I will be shown the wb2 login page but the browser URL will have the path "/link_account". Logging in again will take me to the link account confirmation/cancel page. This is confusing.

What I would expect to happen is the back button to take me back to the link account page I was just looking at.

#17 Updated by Peter Amstutz 2 months ago

Peter Amstutz wrote:

If I select "Link account" and then "Add another login to this account" which takes me to the SSO server, then reconsider and hit the back button to go back to Workbench, I will be shown the wb2 login page but the browser URL will have the path "/link_account". Logging in again will take me to the link account confirmation/cancel page. This is confusing.

What I would expect to happen is the back button to take me back to the link account page I was just looking at.

Looking at the code, this is happening because in startLinking() you call logout() and then login(). What happens if you don't call logout() ?

#18 Updated by Eric Biagiotti 2 months ago

Peter Amstutz wrote:

If the user is inactive and clicks "Link account" from the inactive user page it goes directly to the SSO server. It should go to the link accounts page and explain to the user what is about to happen (however the user only has the option "link login to another account").

If I select "Link account" and then "Add another login to this account" which takes me to the SSO server, then reconsider and hit the back button to go back to Workbench, I will be shown the wb2 login page but the browser URL will have the path "/link_account". Logging in again will take me to the link account confirmation/cancel page. This is confusing.

Addressed the above issues in e954cfb45dbe418c151144cc42847b848c9b0ebf.

I also played with keeping the top bar during the link operation, but I would have to disable pretty much everything on it, so I'm not sure there is any value in having it. For now I formatted the link page a little bit better instead, but let me know if you want the bar on top also.

#19 Updated by Peter Amstutz 2 months ago

The "cancelLinking" block "index.tsx" seems like it should go somewhere else (such as initAuth() in auth-action.ts) to minimize clutter in the top-level initializer for the application. It should call LinkAccountService.getAccountToLink() instead of calling sessionStorage.getItem() directly.

Otherwise I think this LGTM.

#20 Updated by Eric Biagiotti 2 months ago

  • Status changed from In Progress to Resolved

#21 Updated by Eric Biagiotti 2 months ago

#22 Updated by Peter Amstutz about 2 months ago

Reload page bug:

  1. Log in as federated user
  2. Select link accounts
  3. Log in as local user
  4. At the confirmation page, do a browser refresh
  5. It will flicker the link accounts page as the original user, then render a page saying you can't link the user to the same user. It will offer a cancel button.
  6. Pushing cancel returns you to workbench link_accounts page but it will be empty until you do another browser refresh.

#23 Updated by Tom Morris about 2 months ago

  • Release set to 15

Also available in: Atom PDF