Add POST /users/invite and extend /confirm with optional password #1801

Merged
merged 8 commits into from
Sep 14, 2021

Contributor

@pbn4 pbn4 commented Sep 8, 2021

Pull Request Template

Issue

Addresses # (#1653)

  • This change addresses the issue in full
  • This change addresses only certain aspects of the issue
  • This change is a dependency for another issue
  • This change has a dependency from another issue

Description

This change adds the POST /users/invite endpoint and extends PUT /users/confirm with an optional password change.

There is a new required environment variable, PARTNERS_PORTAL_URL, which has to be added to every Heroku app; otherwise an app will crash.

Invite flow:

  1. Frontend posts UserInviteDto to /users/invite
  2. Backend creates a new unconfirmed user account and sends an email to the new user with a user id bound JWT confirmation token (24h expiration)
  3. User clicks the confirmation URL and is redirected to http://partners_portal_hostname/?token=<token>
  4. Frontend displays a password update form
  5. Frontend submits ConfirmDto with new optional password field
  6. Backend verifies confirmation token, confirms the user and sets a new password

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Prototype/POC (not to merge)
  • This change is a refactor/address technical debt
  • This change requires a documentation update
  • This change requires a SQL Script

How Can This Be Tested/Reviewed?

Please describe the tests that you ran to verify your changes. Provide instructions so we can review. Please also list any relevant details for your test configuration

  • Desktop View
  • Mobile View
  • Test A
  • Test B

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have reviewed the changes in a desktop view
  • I have reviewed the changes in a mobile view
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have assigned reviewers
  • I have updated the changelog to include a description of my changes
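
Added example, not code from this pull request or the Bloom code base: steps 2 and 6 of the invite flow in the description above, issuing a user-id-bound HS256 token with a 24h expiry and verifying it on confirm. The names (`invite`, `confirm`, `SECRET`, the in-memory `users` map), the scrypt password hashing and the rejection of an already confirmed user are assumptions of this example, not details stated in the PR.

```typescript
import { createHmac, randomBytes, scryptSync, timingSafeEqual } from "crypto"

// Assumed names and storage; constructed demo secret (load a real one from configuration).
const SECRET = "constructed-demo-secret"
const TTL_SECONDS = 24 * 60 * 60 // 24h expiration, as in step 2

interface User { id: string; confirmed: boolean; passwordHash?: string }
const users = new Map<string, User>() // in-memory stand-in for the user table

const b64 = (s: string): string => Buffer.from(s).toString("base64url")
const mac = (data: string): string => createHmac("sha256", SECRET).update(data).digest("base64url")

// Step 2: create the unconfirmed account and return the user-id-bound token.
function invite(id: string, now: number): string {
  users.set(id, { id, confirmed: false })
  const head = b64(JSON.stringify({ alg: "HS256", typ: "JWT" }))
  const body = b64(JSON.stringify({ id, exp: now + TTL_SECONDS }))
  return `${head}.${body}.${mac(`${head}.${body}`)}`
}

// Step 6: verify the token, confirm the user, set the optional password.
function confirm(token: string, now: number, password?: string): string {
  const parts = token.split(".")
  if (parts.length !== 3) return "malformed"
  const [head, body, sig] = parts
  // The algorithm is fixed here; the verifier never takes it from the token header.
  const expected = Buffer.from(mac(`${head}.${body}`))
  const given = Buffer.from(sig)
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return "bad-signature"
  const claims = JSON.parse(Buffer.from(body, "base64url").toString())
  if (typeof claims.exp !== "number" || now >= claims.exp) return "expired"
  const user = users.get(claims.id)
  if (!user) return "unknown-user"
  // Assumption: a token is single use, so it cannot set a password on a confirmed account.
  if (user.confirmed) return "already-confirmed"
  user.confirmed = true
  if (password !== undefined) {
    const salt = randomBytes(16)
    user.passwordHash = `${salt.toString("hex")}:${scryptSync(password, salt, 32).toString("hex")}`
  }
  return "confirmed"
}
```
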

Collaborator

@seanmalbert seanmalbert left a comment

Hey @pbn4,
For the most part this looks great. I do have a few questions though:

  1. Should roles be required when inviting a user? If we don't assign them any roles, then they won't be able to log in.
  2. I think jurisdiction should also be required and not empty.
  3. Should the invite endpoint check if the user exists? What happens with what's here and a user with that email already exists?

If we make roles and jurisdiction required, then I think we should have the tests you wrote updated to include cases where those values are not passed in. Likewise with trying to invite a user with an email that already exists.

@IsOptional()
@IsDefined({ groups: [ValidationsGroupsEnum.default] })
@Type(() => UserRolesCreateDto)
roles?: UserRolesCreateDto | null

Collaborator

Should roles be optional for the invite? If we don't assign them isPartner, then they won't be able to access the portal.

Contributor Author

@pbn4 pbn4 Sep 13, 2021

> should roles be required when inviting a user? If we don't assign them any roles, then they won't be able to login

@seanmalbert We don't have any logic in place to prevent partners portal login based on roles; any user can log in (applicants too), but for this use case it makes sense to make them required.

> I think jurisdiction should also be required and not empty

I have not made it required because in the designs there is no jurisdiction input.

> should the invite endpoint check if the user exists? What happens with what's here and a user with that email already exists?

invite reuses UserService.createUser which in turn checks that and throws:

  EMAIL_IN_USE: { message: "emailInUse", status: HttpStatus.BAD_REQUEST },

Contributor Author

@seanmalbert Why should jurisdictions be required?

Collaborator

@pbn4,
This doesn't matter so much for users assigned isPartner, since they are directly assigned listings and can't create them, but for admin users, they need to be assigned a jurisdiction so we can know which jurisdictions they can create listings in. The mocks don't show it, but if an admin has access to more than one jurisdiction there needs to be an option to select which jurisdictions the new user has. If the admin is only assigned to one, which will be the case for everyone but us (for now anyway), then the input will be hidden with the value set to the jurisdiction they have. So on the backend with these new endpoints, we also need to ensure that the jurisdictions passed into creating a partner user are limited to what the current user has. I think we already updated the user update function to check this.
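
Added example, not part of the thread or the Bloom code base: the review points raised above (roles required, jurisdictions required and limited to those of the inviting user, duplicate email rejected) written as one server-side check. The type shapes, the function name `checkInvite` and the error strings other than `emailInUse` are hypothetical, and case-insensitive email matching is an assumption.

```typescript
// Hypothetical shapes; field names follow the thread (roles, jurisdictions, isPartner).
interface Inviter { jurisdictionIds: string[] }
interface InviteRequest {
  email: string
  roles?: { isAdmin?: boolean; isPartner?: boolean } | null
  jurisdictionIds?: string[]
}

// Returns the reasons an invite must be rejected; an empty array means it may proceed.
function checkInvite(inviter: Inviter, req: InviteRequest, existingEmails: Set<string>): string[] {
  const errors: string[] = []
  // A user created without any role cannot do anything useful in the portal.
  if (!req.roles || !(req.roles.isAdmin || req.roles.isPartner)) errors.push("rolesRequired")
  const requested = req.jurisdictionIds ?? []
  if (requested.length === 0) errors.push("jurisdictionsRequired")
  // Server-side scoping: a hidden or pre-filled form input is not an authorization control,
  // so every requested jurisdiction is checked against what the inviting user holds.
  const allowed = new Set(inviter.jurisdictionIds)
  const outOfScope = requested.filter((id) => !allowed.has(id))
  if (outOfScope.length > 0) errors.push(`jurisdictionOutOfScope:${outOfScope.join(",")}`)
  // Assumption: emails are compared case-insensitively against stored lower-case values.
  if (existingEmails.has(req.email.trim().toLowerCase())) errors.push("emailInUse")
  return errors
}
```
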

@pbn4 pbn4 merged commit 30e5e07 into dev Sep 14, 2021
emilyjablonski pushed a commit that referenced this pull request Sep 16, 2021
)

* Add POST /users/invite and extend /confirm with optional password

* Update CHANGELOG.md

* Add missing .circleci env variables (PARNTERS_PORTAL_URL)

* Fix user.service.spec.ts and email.service.spec.ts tests

* Make UserInviteDto roles and jurisdictions required

* Fix imports in user.service.spec.ts

* Fix e2e tests related to jurisdictions and user roles being required now in UserInviteDto
seanmalbert pushed a commit to CityOfDetroit/bloom that referenced this pull request Jun 23, 2022
…oom-housing#1801)
