Nurse can login (API Authentication) #57

ssrihari · 2018-06-05T10:14:09Z

How it works

User registers in admin interface, while in the facility
Someone from RTSL enters data in the admin interface
Backend sends a special SMS to a "registered" user's phone with a link
Link has special URL that opens the app (the app must be pre-installed on the user's device for the link to correctly work)
App picks up OTP that is part of the URL, and stores it temporarily
App shows the login screen and lets the user enter their phone number and PIN
App makes the login API call with phone number, PIN and OTP (that was part of SMS)
Server sends back the user "object" and an access token
App stores the access token for future use
From this point onward, every subsequent API call made by the app needs 2 headers...
-- X_USER_ID with value as the user ID that was returned in the login API call
-- HTTP_AUTHORIZATION with value as Bearer (insert access token from login API call)
App makes the facility API call to get the list of facilities
App starts the sync workers in the background, and shows the home screen to the user

If any API call receives 401 as status in response, the user should be logged out.
When the app is closed and opened, login screen should appear.

Should the PIN entry screen appear every time the app goes into background?
no, there should be a delay of 15 mins (configurable) after which user should be asked to enter the PIN again
Do sessions time out on the device? Is there a notion of sessions on the device?
no, they shouldn't, at least for the MVP release

Generate otp and otp_valid_until when user is created from admin console
Login user using phone number, pin and otp
Login responds with user record and access token
Respond to user with access-token. This token should be revocable from backend
Authenticate sync apis with user access token
Configure Twilio and ensure SMSs can be sent to Indian numbers
invalidate OTP after successful login (indicated by the first authenticated API call with given auth token)

UI
- Go through all the screens on zeplin and make layouts
API
- Setup the API call in Paw
- Study the responses and make models
Controller(s)
- Read SMS, extract OTP from SMS and store it somewhere
- Get phone number and PIN from the UI
- Make API call using phone number, PIN and OTP
- Store API results as the "user object"
- Make the facility API call with X_USER_ID and HTTP_AUTHORIZATION headers
- Store received facilities
- Fix loggedInUser() in UserSession class
- Update BP tests to do user login first, and use logged-in-user data
Retrofit
- Make header interceptors that works on all API calls except login
Elsewhere
- Don't start sync workers until login is successfully done
- Complete facility sync before start other sync workers

The text was updated successfully, but these errors were encountered:

ssrihari created this issue from a note in RedApp (Stories) Jun 5, 2018

ssrihari added android-pending labels Jun 5, 2018

ssrihari moved this from Stories to This Iteration (June 6 – June 12) in RedApp Jun 6, 2018

govindkrjoshi moved this from This Iteration (June 13 – June 19) to Doing in RedApp Jun 14, 2018

deobald assigned govindkrjoshi Jun 15, 2018

deobald changed the title ~~API Authentication~~ Nurse can login (API Authentication) Jun 18, 2018

ssrihari assigned pratul and unassigned pratul Jun 19, 2018

govindkrjoshi mentioned this issue Jun 19, 2018

User Login simpledotorg/simple-server#37

Merged

pratul self-assigned this Jun 19, 2018

pratul mentioned this issue Jun 21, 2018

Login: first cut of controllers and tests #112

Merged

govindkrjoshi added server-done and removed server-pending labels Jun 22, 2018

saket added android-done and removed android-pending labels Jun 29, 2018

saket moved this from Doing to QA in RedApp Jun 29, 2018

deobald unassigned pratul and govindkrjoshi Jul 2, 2018

deobald moved this from QA to In Production in RedApp Jul 2, 2018

deobald removed the qa label Jul 2, 2018

timcheadle removed this from In Production in RedApp Jul 10, 2018

saket closed this as completed Nov 8, 2018