[RW-7834][risk=low]Require TOS acceptance on login when users are not Terra-TOS compliant #6479
Conversation
api/src/main/java/org/pmiops/workbench/firecloud/FireCloudServiceImpl.java
Show resolved
Hide resolved
| hasAckedTermsOfService: boolean; | ||
| } | ||
|
|
||
| // TODO: Rename this to TermsOfService |
There was a problem hiding this comment.
Will be creating a follow up PR to rename this component
api/src/main/java/org/pmiops/workbench/api/ProfileController.java
Outdated
Show resolved
Hide resolved
api/src/main/java/org/pmiops/workbench/db/dao/UserServiceImpl.java
Outdated
Show resolved
Hide resolved
| boolean termsOfServiceAccepted = false; | ||
| try { | ||
| termsOfServiceAccepted = fireCloudService.getUserTermsOfServiceStatus(); | ||
| } catch (ApiException e) { |
There was a problem hiding this comment.
should we catch this exception, or simply let the underlying exception propagate?
There was a problem hiding this comment.
Out of curiosity, where does log.log get stored to? Does it go into GCP somewhere?
There was a problem hiding this comment.
I wanted to log the message with userId, was not sure if the underlying exception will do the same
@evrii yes it goes to google cloud console logger
api/src/main/java/org/pmiops/workbench/db/dao/UserServiceImpl.java
Outdated
Show resolved
Hide resolved
api/src/main/java/org/pmiops/workbench/firecloud/FireCloudServiceImpl.java
Show resolved
Hide resolved
| DbUser loggedInUser = userAuthenticationProvider.get().getUser(); | ||
| userService.submitAouTermsOfService(loggedInUser, termsOfServiceVersion); | ||
| userService.acceptTerraTermsOfService(loggedInUser); | ||
| return ResponseEntity.status(HttpStatus.NO_CONTENT).build(); |
There was a problem hiding this comment.
What does a HttpStatus of NO_CONTENT represent? Does it represent success or failure?
There was a problem hiding this comment.
It represents Success void return
There was a problem hiding this comment.
yes - this is HTTP 204
| boolean termsOfServiceAccepted = false; | ||
| try { | ||
| termsOfServiceAccepted = fireCloudService.getUserTermsOfServiceStatus(); | ||
| } catch (ApiException e) { |
There was a problem hiding this comment.
Out of curiosity, where does log.log get stored to? Does it go into GCP somewhere?
| } | ||
|
|
||
| @Test | ||
| public void testMe_UserHasNotAcceptedTerraTOS() |
There was a problem hiding this comment.
What does "Me" mean in this function name? I see it in the function below too.
There was a problem hiding this comment.
the profilecontroller has a function getMe() that returns the information about logged in user, thats why the test has tests like testMe_success() etc.
|
After the change to call the single endpoint (getUserTerraTOS), rather than throwing error in profileController. The terra TOS check will happen just the first time user logs in, not on every page |
api/src/test/java/org/pmiops/workbench/firecloud/FireCloudServiceImplTest.java
Outdated
Show resolved
Hide resolved
| DbUser loggedInUser = userAuthenticationProvider.get().getUser(); | ||
| userService.submitAouTermsOfService(loggedInUser, termsOfServiceVersion); | ||
| userService.acceptTerraTermsOfService(loggedInUser); | ||
| return ResponseEntity.status(HttpStatus.NO_CONTENT).build(); |
There was a problem hiding this comment.
yes - this is HTTP 204
| } | ||
|
|
||
| @Override | ||
| public ResponseEntity<Boolean> getUserTerraTermsOfServiceStatus() { |
There was a problem hiding this comment.
The AC for this story includes checking for AoU TOS compliance here as well. If false, we can exit early: we are not compliant. We can then check Terra only when aou-tos=true.
There was a problem hiding this comment.
OK, i did not check that because i assumed the account creation was successful hence the AoU TOS has been accepted.
I'll add the check and some tests
api/src/test/java/org/pmiops/workbench/api/ProfileControllerTest.java
Outdated
Show resolved
Hide resolved
| <AccountCreationTos | ||
| filePath='/aou-tos.html' | ||
| onComplete={() => { | ||
| onComplete={(tosVersion) => { |
There was a problem hiding this comment.
It looks like the associated spec file is not passing a tosVersion.
|
I am not sure if this is significant or not, but it looks like the TOS page for account creation and non-compliant TerraTOS do look different: Old TOS: |
|
@evrii Yes i had to update the HTML height for existing user TOS screen. I can tweek it a little more. In case there is something else i am missing do let me know |
There was a problem hiding this comment.
In my first pass, the functionality worked fine.
I was trying to see if I could get the TOS screen to show up again if I changed the TOS version. Instead of changing the TOS version, I deleted my record in user_terms_of_service. Now, I cannot seem to get passed the DAR page. I am not sure if this is something to be concerned about or not.
No worries. It does not seem like a big deal to me. The only things I noticed were the different background colors and the logo in the top left of the screen. |
|
@evrii Hmm i was not able to reproduce this, but would really like to debug it with you tomorrow to confirm whats happening |
| boolean | undefined | ||
| >(false); | ||
| useEffect(() => { | ||
| if ( |
|
|
||
| @Override | ||
| public void validateTermsOfService(Integer tosVersion) { | ||
| public void validateAllOfUsTermsOfService(Integer tosVersion) { |
There was a problem hiding this comment.
when this was originally written, we only checked AOU TOS when creating the user. If the TOS was wrong, it made sense to throw a Bad Request.
But now we should be more thoughtful. If an existing user has an outdated TOS, that's not really what I would call a Bad Request. So I'd prefer the previous signature with Boolean
There was a problem hiding this comment.
I prefer BadRequest (or maybe Unautorized) because it had message that helped identify why exactly the validation failed, is it a bad user who has not selected TOS (AoU or terra) in the first place or just outdated version .
That could also help in showing the user a more appropriate message if we need to change the UX.
I can make it boolean right now , so that we are unblocked and can discuss this further tomorrow
| // by approving the latest AOU Terms of Service, the user also approves the latest Terra TOS | ||
| try { | ||
| userService.validateTermsOfService(dbUser); | ||
| // getUserTermsOfServiceStatus and acceptTos will take care of scenario where user has not |
There was a problem hiding this comment.
the old comment has important context that we should retain here.
This new comment is good too, but it has some grammar issues that we should fix before merging.
| } | ||
| if (tosVersion != LATEST_AOU_TOS_VERSION) { | ||
| throw new BadRequestException("Terms of Service version is not up to date"); | ||
| throw new BadRequestException("All of Us Terms of Service version is not up to date"); |
api/src/main/java/org/pmiops/workbench/db/dao/UserServiceImpl.java
Outdated
Show resolved
Hide resolved
|
|
||
| // does not throw | ||
| userService.validateTermsOfService(user); | ||
| } |
There was a problem hiding this comment.
this test is not valid anymore. need to check for return value true
…ms of serviceaccepted
| return disabled; | ||
| }; | ||
|
|
||
| export const useNeedsToAcceptTOS = () => { |
There was a problem hiding this comment.
Cool, I don't think that I have ever seen useEffect used in a custom hook before.
| try { | ||
| final int tosVersion = | ||
| userTermsOfServiceDao.findByUserIdOrThrow(dbUser.getUserId()).getTosVersion(); | ||
| return tosVersion == LATEST_AOU_TOS_VERSION; | ||
| } catch (BadRequestException ex) { | ||
| // In case user doesnt have any terms of service | ||
| return false; | ||
| } |
There was a problem hiding this comment.
We don't need to throw an exception and catch it here. This also works:
| try { | |
| final int tosVersion = | |
| userTermsOfServiceDao.findByUserIdOrThrow(dbUser.getUserId()).getTosVersion(); | |
| return tosVersion == LATEST_AOU_TOS_VERSION; | |
| } catch (BadRequestException ex) { | |
| // In case user doesnt have any terms of service | |
| return false; | |
| } | |
| return userTermsOfServiceDao | |
| .findFirstByUserIdOrderByTosVersionDesc(dbUser.getUserId()) | |
| .map(u -> u.getTosVersion() == LATEST_AOU_TOS_VERSION) | |
| .orElse(false); |
… Terra-TOS compliant (#6479)
PR checklist
yarn test-localor yarn test-local-devup