Re-send validation email, refactor to APIViews

[GergiH]

Ref.: #737

Changes

• Refactored all PublicJsonPostViews and PublicJsonRequestViews to be APIViews instead
• Added ResendValidation View which requires a username and resends the registration validation email to the user (if it's within a day of the registration, the same as it is handled by the main registration process)

Frontend PR: IFRCGo/go-frontend#1490

[thenav56]

We should avoid using PublicJsonPostView and instead try to use DRF for any API views.

Something like this

go-api/api/views.py

Lines 51 to 62 in c1e11c4

	class UpdateSubscriptionPreferences(APIView):
	authentication_classes = (authentication.TokenAuthentication,)
	permissions_classes = (permissions.IsAuthenticated,)
	def post(self, request):
	errors, created = Subscription.sync_user_subscriptions(self.request.user, request.data, True) # deletePrevious
	if len(errors):
	return Response({
	'status': 400,
	'data': 'Could not create one or more subscription(s), aborting'
	})
	return Response({'data': 'Success'})

[GergiH]

All the other similar views use the same pattern, like ShowUsername or RecoverPassword. Should I also change those to use APIView?

[GergiH]

4847a24

[thenav56]

We would need to refactor so that all API views are using DRF views instead of the custom PublicJsonPostView.
It will be cool to follow this for any new addition to the go-api.
We planned to do this right? @batpad @GregoryHorvath

[GergiH]

@thenav56 Since these are public Views we don't need these for the PublicJsonPostView->APIViews, right?

go-api/api/views.py

Lines 52 to 53 in c1e11c4

	authentication_classes = (authentication.TokenAuthentication,)
	permissions_classes = (permissions.IsAuthenticated,)

The part here is what confusing me, though it doesn't seem that we use this anywhere atm:

go-api/api/views.py

Lines 283 to 286 in c1e11c4

	def get_authenticated_user(self, request):
	auth_header = request.META.get('HTTP_AUTHORIZATION')
	if not auth_header:
	return None

[thenav56]

@GregoryHorvath Yeah we don't need them. The best way will be to just define empty permissions_classses

permissions_classes = []

Basically we should use request.user directly instead of get_authenticated_user, and for any custom logic, we should create a custom authentication class and add it to DRF DEFAULT_AUTHENTICATION_CLASSES. But yeah it isn't used anywhere so we don't need to worry about it.

[GergiH]

@batpad @thenav56 Removed most of these unnecessarily abstracted functions. Most of these can be found now inside the Views, ex. this one:
b8b8e9e#diff-8e4a20b18006b7a31a84250b0828251eR182

[GergiH]

@batpad @thenav56 No clue if there's a nicer way to achieve this so I just made this a function from Zoltán's code. I don't even know why are we saving IPs here...

[GergiH]

@batpad @thenav56 This felt redundant to me since we're already throwing a bad_request above if it fails. Is there any scenario where we might want to keep this in?

[GergiH]

@batpad @thenav56 I hope I used with transaction.atomic() right. Also I guess we don't to save half-good Form Data so if one would fail, all should?

[GergiH]

@batpad @thenav56 I guessed this part (repeating in most Views below) is just a custom way for doing:

authentication_classes = (authentication.TokenAuthentication,)
permissions_classes = (permissions.IsAuthenticated,)

So I just switched them out.

[GergiH]

@batpad @thenav56 This didn't need authentication before but I added it now: https://app.circleci.com/pipelines/github/IFRCGo/go-api/613/workflows/4c8458c8-22d6-491e-81e5-7f1e37800d85/jobs/2529

Should I remove the auth from this? It was weird to me why we allowed insertion without auth...

[GergiH]

@batpad @thenav56 Also removed PublicJsonRequestView totally, tested the affected endpoints, all good on my side.