Add passwordless login support for the current os user in an app context

[rtibbles]

Summary

• A created os user does not have a password set
• When you log out of that user, it is not then possible to log back in without creating a password for that user
• This PR rectifies this by using the retained auth_token in the app context to reauthenticate as the relevant os user

References

Fixes #11717

Reviewer guidance

Run the app devserver.
Open the initialize link.
See that you are logged in automatically.
Log out.
Try to log back in again as the 'os user' user.
Succeed.
Rejoice.

---

Testing checklist

• Contributor has fully tested the PR manually
• If there are any front-end changes, before/after screenshots are included
• Critical user journeys are covered by Gherkin stories
• Critical and brittle code paths are covered by unit tests

PR process

• PR has the correct target branch and milestone
• PR has 'needs review' or 'work-in-progress' label
• If PR is ready for review, a reviewer has been added. (Don't use 'Assignees')
• If this is an important user-facing change, PR or related issue has a 'changelog' label
• If this includes an internal dependency change, a link to the diff is provided

Reviewer checklist

• Automated test coverage is satisfactory
• PR is fully functional
• PR has been tested for accessibility regressions
• External dependency files were updated if necessary (yarn and pip)
• Documentation is updated
• Contributor is in AUTHORS.md

[github-actions]

Build Artifacts

Asset type	Download link
PEX file	kolibri-0.16.0b10.dev0_git.170.g60b5d498.pex
Windows Installer (EXE)	kolibri-0.16.0b10.dev0+git.170.g60b5d498-unsigned.exe
Debian Package	kolibri_0.16.0b10.dev0+git.170.g60b5d498-0ubuntu1_all.deb
Mac Installer (DMG)	kolibri-0.16.0b10.dev0+git.170.g60b5d498-0.3.0.dmg
Android Package (APK)	kolibri-0.16.0b10.dev0+git.170.g60b5d498-0.1.0-debug.apk
TAR file	kolibri-0.16.0b10.dev0+git.170.g60b5d498.tar.gz
WHL file	kolibri-0.16.0b10.dev0+git.170.g60b5d498-py2.py3-none-any.whl

[marcellamaki]

I'm not sure how the os_user stuff actually is supposed to be working, but this is just to check that there is an operating system user (presumably the one who is currently logged in/the active os user of the device), with the same name as an existing kolibri user. And if so, just proceed using that, otherwise do normal kolibri authentication?

But, does Kolibri use some other sort of credential (like a password or token) in the os_authentication? I'm asking because I'm wondering if there would be a scenario where there is a os user and a kolibri user with the same username, but some other part of the authentication goes wrong (i.e. OS user resets their password?). It's very hypothetical

[rtibbles]

It's not super hypothetical, as due to syncing, you can have multiple facility users created in a facility with the same username.

The os_user look up, however, is not actually based on the username, but the auth token that is encoded in APP_AUTH_TOKEN_COOKIE_NAME, so all we are doing here is attempting to see if there is an os user with an active auth token, and if the username of the FacilityUser that resolves to matches the username sent to the backend in the API request. In this case, and this case only, we side step the usual authentication procedure, because this user is 'pre-authenticated' by virtue of the app context providing the auth token.

[marcellamaki]

This looks good, and manual QA confirms it works. There is one slightly wonky intermediary state that one can get into in a very particular set of circumstances where the password field shows up briefly before the os login proceeds, but I think that's not blocking, and I'll open a follow up issue for it and then link it here. (see below)

os-user-sign-in.mp4

Follow up issue: #11777