Registration with Phone number #1662
Conversation
amplifi
added
PR: migration
PR: needs review
PR: needs testing
and removed
PR: migration
labels
valaparthvi
force-pushed
the
additional-login-options
branch
from
5bf21df to
12640f5
Compare
valaparthvi
force-pushed
the
phone/Registration
branch
from
eebd2b0 to
acc664b
Compare
cadasta/accounts/views/default.py
Outdated
| @@ -46,6 +79,7 @@ def get_context_data(self, *args, **kwargs): | |||
| emails_to_verify = EmailAddress.objects.filter( | |||
| user=self.object, verified=False).exists() | |||
| context['emails_to_verify'] = emails_to_verify | |||
| print(context) | |||
There was a problem hiding this comment.
Stray print statement. Can you remove that?
cadasta/accounts/backends.py
Outdated
|
|
||
|
|
||
| class AuthenticationBackend(Backend): | ||
| def _authenticate_by_username(self, **credentials): |
There was a problem hiding this comment.
I don't fully understand the use of the different authentication backends here. You extend AuthenticationBackend with _authenticate_by_username and add PhoneAuthenticationBackend. Could you explain why they are needed and what they do?
There was a problem hiding this comment.
According to the django docs,
An inactive user is one that has its is_active field set to False. The ModelBackend and RemoteUserBackend authentication backends prohibits these users from authenticating. If a custom user model doesn’t have an is_active field, all users will be allowed to authenticate.
Previously authenticate() returned a user, even if their is_active status was False. I added a method self.user_can_authenticate(user) to the condition(check line 12-13 & 29-30) , which makes sure that authenticate() only returns user whose is_active is True.
PhoneAuthenticationBackend allows authenticating a user with their phone. So authenticate(username='+12345678990',password='password@1234') or authenticate(phone='+12345678990',password='password@1234') will return an authenticated user with that phone.
There was a problem hiding this comment.
Previously authenticate() returned a user, even if their is_active status was False. I added a method self.user_can_authenticate(user) to the condition(check line 12-13 & 29-30) , which makes sure that authenticate() only returns user whose is_active is True.
I was reading django-allauth LoginForm and LoginView, and I don't think that changing this was a good idea. Every user is authenticated before they're allowed to login. If the user account has been set inactive, user will not be authenticated, and every time a user with inactive account tries to login, they will be shown an error The login and/or password you specified are not correct. So I think changing that back would be a better idea. Let me know your thoughts on this @oliverroick .
cadasta/accounts/forms.py
Outdated
| email = forms.EmailField(required=True) | ||
| email = forms.EmailField(required=False) | ||
|
|
||
| message = _("Phone must have format: +9999999999. Upto 15 digits allowed." |
There was a problem hiding this comment.
I think, "Phone numbers must be provided in the format +99999..." sounds better. Also "Upto" should be "Up to"
| message=_("Another user is already registered with this " | ||
| "email address") | ||
| )] | ||
| message=_("User with this Email address already exists.") |
There was a problem hiding this comment.
Why have you changed the error message?
There was a problem hiding this comment.
Now that we have set unique to True for email and phone inside the User model, I removed the lines of code which checked uniqueness of an identifier(phone/email) from RegistrationForm, so Django now provides a default message, 'User with this {identifier_label} already exists.`, if the identifier is not unique. So I changed this as well, to show the same message everywhere.
cadasta/accounts/serializers.py
Outdated
| allow_null=True, | ||
| required=False | ||
| ) | ||
| message = _("Phone must have format: +9999999999. Upto 15 digits allowed." |
There was a problem hiding this comment.
You're using the same message here and in the form. I would suggest moving the message into a separate file called messages.py and import the message from there. That way, if you want to change the message later, you only have to do that once.
| <button type="submit" name="Verify" class="btn btn-primary btn-lg btn-block text-uppercase">{% trans "Verify Token" %}</button> | ||
| </form> | ||
| {% endif %} | ||
| <p>{% blocktrans %} Click <a href="#">here</a> if you do not receive any email or text.{% endblocktrans %}</p> |
There was a problem hiding this comment.
It should be "did not receive any email ... "
|
|
||
| assert User.objects.count() == 0 | ||
|
|
||
| def test_signup_with_phone_only(self): |
There was a problem hiding this comment.
This case replicates test_password_contains_blank_email, doesn't it?
There was a problem hiding this comment.
It does replicate. But both test test_password_contains_blank_email and test_signup_with_phone_only, represented different test cases:- 1) user signs up with phone only and 2) password does not throw error when blank email is provided.
Same thing goes for test_signup_with_email_only and test_password_contains_blank_phone.
So I kept them separate. Should I write single test instead?
There was a problem hiding this comment.
Ok, it's not 100% obvious from the test itself. Maybe remove assert User.objects.count() == 0 from test_password_contains_blank_email because it's a bit misleading; you never attempt to create the user so of course there are no User instances.
| assert user.email is None | ||
| assert user.check_password('221B@bakerstreet') is True | ||
|
|
||
| def test_signup_with_email_only(self): |
There was a problem hiding this comment.
This case replicates test_password_contains_blank_phone, doesn't it?
cadasta/accounts/views/default.py
Outdated
|
|
||
| def get_user(self): | ||
| phone = self.request.session["unverified_phone"] | ||
| device = VerificationDevice.objects.get(unverified_phone=phone) |
There was a problem hiding this comment.
This breaks when I sign up with an email address only and I land on the page for the first time. get_user should only be called when a phone number is provided or at least you need to wrap this with try..except.
cadasta/accounts/views/default.py
Outdated
|
|
||
| def post(self, *args, **kwargs): | ||
| form = self.form_class(self.request.POST) | ||
| user = self.get_user() |
There was a problem hiding this comment.
The database calls are a bit inefficient here. In get_user you query the VerificationDevice to get the user and then you query the database again to get VerificationDevice for the user. So you end up querying the same information from the database twice.
You could make this more efficient by changing get_user to get_device, which returns a verification device instance, and the access the user through device.user where ever you need it.
|
I would recommend simplifying the ui to make it more obvious that the user can sign up with either an email OR a phone number. It seems the default should still be email so that should always be shown and perhaps a link with something like "Register with my phone number" would hide email address and would show phone number field. Something like this:
I'm sure you have other ideas as well so let me know if you want to talk ui. Looks good! |
cadasta/accounts/views/default.py
Outdated
| @@ -140,30 +138,23 @@ def get_context_data(self, **kwargs): | |||
| context['phone'] = user.phone | |||
| return context | |||
|
|
|||
| def post(self, *args, **kwargs): | |||
| form = self.form_class(self.request.POST) | |||
| def form_valid(self, form): | |||
| user = self.get_user() | |||
| device = user.verificationdevice_set.get() | |||
There was a problem hiding this comment.
Are we always certain that there is only one VerificationDevice instance per user. I believe this will break if there is more than one.
| @@ -180,10 +180,10 @@ def generate_challenge(self): | |||
|
|
|||
| return token | |||
|
|
|||
| def verify_token(self, token): | |||
| def verify_token(self, token, tolerance=0): | |||
There was a problem hiding this comment.
What does tolerance represent? Are we ever going to use anything other than 0? If not this should be a constant in line 186.
There was a problem hiding this comment.
tolerance checks a token against previously generated tokens.
Consider this,
tolerance = 1, token at time t0 =123456, and token at time t1 =234567- Consider a user entered token at time t1, token entered was
123456, so an error will be generated which says that "Token has expired and you need a new token."
If tolerance=2, token will be verified against previously generated 2 tokens.
I hope that makes sense.
|
|
||
| assert User.objects.count() == 0 | ||
|
|
||
| def test_signup_with_phone_only(self): |
There was a problem hiding this comment.
Ok, it's not 100% obvious from the test itself. Maybe remove assert User.objects.count() == 0 from test_password_contains_blank_email because it's a bit misleading; you never attempt to create the user so of course there are no User instances.
| </div> | ||
| {% endblock %} | ||
| {% endblock %} |
There was a problem hiding this comment.
Empty line missing at the end of the file.
valaparthvi
force-pushed
the
additional-login-options
branch
from
12640f5 to
9a51a27
Compare
valaparthvi
force-pushed
the
phone/Registration
branch
2 times, most recently
from
014952e to
888a5d4
Compare
cadasta/accounts/views/default.py
Outdated
| def form_valid(self, form): | ||
| token = form.cleaned_data.get('token') | ||
| user = self.get_user() | ||
| device = user.verificationdevice_set.get() |
There was a problem hiding this comment.
This line will throw an exception when there is more the one VerificationDevice instance for the user.
There was a problem hiding this comment.
A user will always have only one VerificationDevice instance, so it will not throw the error. I have tried to make VerificationDevice function in a similar way to EmailAddress.
There was a problem hiding this comment.
If that is always the case, then you should make user of VerificationDevice a OneToOneField instead of ForeignKey to enforce that assumption on the database level.
Currently, it is possible to add another VerificationDevice instance to the set. You can never know how VerificatioDevice instance will be created, so there might be a possibility that you end up with more the one VerificationDevice instance at some point.
There was a problem hiding this comment.
I had implemented OneToOneField before, but I don't know for some reason I did not go ahead with that. But if a user will only have one VerificationDevice object linked to it, then setting the OneToOneField sounds logical and safe way to go. I'll make the required changes there.
| @@ -693,3 +911,20 @@ def test_email_sent_reset(self): | |||
|
|
|||
| form = forms.ResetPasswordForm(data) | |||
| assert form.is_valid() is True | |||
|
|
|||
|
|
|||
| class PhoneVerificationFormTest(UserTestCase, TestCase): | |||
There was a problem hiding this comment.
Should there be a test for when an expired token is provided?
There was a problem hiding this comment.
I have added that test in test_views_default.py, here.
There was a problem hiding this comment.
What I was asking for is an isolated test for the form. If the view test fails it could be anywhere, the form, the model, you name it. If the test for the form fails, we know the form is broken.
valaparthvi
force-pushed
the
additional-login-options
branch
from
9a51a27 to
96095e5
Compare
valaparthvi
force-pushed
the
phone/Registration
branch
from
888a5d4 to
03855c6
Compare
Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass
valaparthvi
force-pushed
the
phone/Registration
branch
from
03855c6 to
2302184
Compare
* Phone registration page, and authentication backend * Upgrade django-skivvy to 0.1.8 * 100% test coverage * Minor change to phone validator * Changes to default.py and tests as addressed by Oliver * Make all addressed changes * allow user to authenticate even if the account status is inactive * add changes addressed to PR * Minor changes to the code * Make VerificationDevice OneToOneField and make corresponding changes Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass * change logger from info to debug
* Phone registration page, and authentication backend * Upgrade django-skivvy to 0.1.8 * 100% test coverage * Minor change to phone validator * Changes to default.py and tests as addressed by Oliver * Make all addressed changes * allow user to authenticate even if the account status is inactive * add changes addressed to PR * Minor changes to the code * Make VerificationDevice OneToOneField and make corresponding changes Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass * change logger from info to debug
* Phone registration page, and authentication backend * Upgrade django-skivvy to 0.1.8 * 100% test coverage * Minor change to phone validator * Changes to default.py and tests as addressed by Oliver * Make all addressed changes * allow user to authenticate even if the account status is inactive * add changes addressed to PR * Minor changes to the code * Make VerificationDevice OneToOneField and make corresponding changes Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass * change logger from info to debug
* Phone registration page, and authentication backend * Upgrade django-skivvy to 0.1.8 * 100% test coverage * Minor change to phone validator * Changes to default.py and tests as addressed by Oliver * Make all addressed changes * allow user to authenticate even if the account status is inactive * add changes addressed to PR * Minor changes to the code * Make VerificationDevice OneToOneField and make corresponding changes Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass * change logger from info to debug
* Phone registration page, and authentication backend * Upgrade django-skivvy to 0.1.8 * 100% test coverage * Minor change to phone validator * Changes to default.py and tests as addressed by Oliver * Make all addressed changes * allow user to authenticate even if the account status is inactive * add changes addressed to PR * Minor changes to the code * Make VerificationDevice OneToOneField and make corresponding changes Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass * change logger from info to debug
* Phone registration page, and authentication backend * Upgrade django-skivvy to 0.1.8 * 100% test coverage * Minor change to phone validator * Changes to default.py and tests as addressed by Oliver * Make all addressed changes * allow user to authenticate even if the account status is inactive * add changes addressed to PR * Minor changes to the code * Make VerificationDevice OneToOneField and make corresponding changes Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass * change logger from info to debug
* Phone registration page, and authentication backend * Upgrade django-skivvy to 0.1.8 * 100% test coverage * Minor change to phone validator * Changes to default.py and tests as addressed by Oliver * Make all addressed changes * allow user to authenticate even if the account status is inactive * add changes addressed to PR * Minor changes to the code * Make VerificationDevice OneToOneField and make corresponding changes Solve migration merge conflicts, and create a new migration file for phone and verification device Pass all tests after rebasing Make all tests pass * change logger from info to debug
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
* VerificationDevice model and Removal of 48hr email verification period (#1606) * Registration with Phone number (#1662) * Add phone to User Profile (#1698) * Add Ansible provisioning for Twilio * Allow user to login with phone and add Resend Token Page (#1708) * Reset Password with Phone (#1717) * Twilio Integration and More update notification (#1719) * Add API endpoint for phone verification(2) (#1748)
Proposed changes in this pull request
With this PR, the user can now register with a Phone number. Once a user has registered, an email with verification link or a text with a verification token will be sent to user's registered email or phone. Once a user registers, they will be redirected to an
Account Verification Page.Registration Page
Account Verification Page
Changes
AccountRegisterview toaccounts/views/default.pyand testsRegistraitionSerializerand testsAccountRegisterview inaccounts/views/api.piand testsPhoneAuthenticationBackend,tests and corresponding settings.AuthenticationBackendto only obtain user's who are activePhoneVerificationFormand testsConfirmPhoneview toaccounts/views/default.pyand testsAccountVerificationPage.When should this PR be merged
accounts/tests/test_views_default.pycurrently fail and are waiting for an update from django-skivvy. Once django-skivvy is updated and all the tests pass.Risks
None
Follow-up actions
-Install
phonenumberson stagingChecklist (for reviewing)
General
migrationlabel if a new migration is added.Functionality
Code
Tests
Security
Documentation