Commit Graph

3057 Commits

Author SHA1 Message Date
Chris Hill-Scott
e2ef8cd36e Show error message if checkbox wasn’t checked
Because we were redirecting in all cases the error message wasn’t being
shown.

This commit changes the endpoint to respond with content (including an
error message) if the `POST` is not successful.
2021-05-18 15:58:41 +01:00
Chris Hill-Scott
7d66dadcd7 Add a confirmation checkbox for live broadcasts
We want people to be really sure before sending a live broadcast, not
just clicking through the green buttons.

This commit adds a checkbox which explains exactly the consequences of
what they’re about to do, tailored to the channel they’re on, and the
area chosen by the person creating the alert.
2021-05-18 15:58:41 +01:00
Chris Hill-Scott
362189d562 Merge pull request #3879 from alphagov/add-government-channel
Add an option to set a service to the government channel for emergency alerts
2021-05-13 15:10:15 +01:00
Pea Tyczynska
714afff156 Merge pull request #3884 from alphagov/add-webauthn-as-auth-type
Add webauthn as an auth type
2021-05-13 14:32:03 +01:00
Ben Thorner
a7d7cb3421 Merge pull request #3878 from alphagov/register-security-key
Allow registering WebAuthn authenticators in memory
2021-05-13 12:43:16 +01:00
Ben Thorner
957dba4356 Avoid registering the same authenticator twice
This passes existing credentials in the server response, to allow
the browser to prevent re-registering the same key for the same
user. Registering the same key multiple times doesn't seem to be
an issue technically; the user has likely got their keys mixed up.

- Chrome says "you don't need to register it again".
- Safari exits with an InvalidStateError.
- Firefox exits with a DOMException.
2021-05-13 10:22:24 +01:00
Ben Thorner
e2cf3e2c70 Support registering a new authenticator
This adds Yubico's FIDO2 library and two APIs for working with the
"navigator.credentials.create()" function in JavaScript. The GET
API uses the library to generate options for the "create()" function,
and the POST API decodes and verifies the resulting credential. While
the options and response are dict-like, CBOR is necessary to encode
some of the byte-level values, which can't be represented in JSON.

Much of the code here is based on the Yubico library example [1][2].

Implementation notes:

- There are definitely better ways to alert the user about failure, but
window.alert() will do for the time being. Using location.reload() is
also a bit jarring if the page scrolls, but not a major issue.

- Ideally we would use window.fetch() to do AJAX calls, but we don't
have a polyfill for this, and we use $.ajax() elsewhere [3]. We need
to do a few weird tricks [6] to stop jQuery trashing the data.

- The FIDO2 server doesn't serve web requests; it's just a "server" in
the sense of WebAuthn terminology. It lives in its own module, since it
needs to be initialised with the app / config.

- $.ajax returns a promise-like object. Although we've used ".fail()"
elsewhere [3], I couldn't find a stub object that supports it, so I've
gone for ".catch()", and used a Promise stub object in tests.

- WebAuthn only works over HTTPS, but there's an exception for "localhost"
[4].  However, the library is a bit too strict [5], so we have to disable
origin verification to avoid needing HTTPS for dev work.

[1]: c42d9628a4/examples/server/server.py
[2]: c42d9628a4/examples/server/static/register.html
[3]: 91453d3639/app/assets/javascripts/updateContent.js (L33)
[4]: https://stackoverflow.com/questions/55971593/navigator-credentials-is-null-on-local-server
[5]: c42d9628a4/fido2/rpid.py (L69)
[6]: https://stackoverflow.com/questions/12394622/does-jquery-ajax-or-load-allow-for-responsetype-arraybuffer
2021-05-13 10:22:23 +01:00
Pea Tyczynska
2a756f90d4 Add webauth as an auth type
When showing what auth type user uses to sign in, add a text
for users with webauthn.

On password change or sign in, throw not implemented error
if user uses webauthn auth.
2021-05-12 17:40:31 +01:00
Chris Hill-Scott
e45bd485e8 Add conditional reveal to network selection
Rather than try to explain all/only just through words we can use some
interaction design to make the hierarchy of choices more explicit.
2021-05-12 16:22:44 +01:00
Chris Hill-Scott
a0f54539cc Add a second step for choosing networks
Only the test channel has the option to isolate messages to one network.

This commits makes the choices less confusing by only showing the
network choice to those who have selected the test channel.
2021-05-12 16:22:44 +01:00
Chris Hill-Scott
f640767f3d Add government channel
We have been asked to support the government channel so that:
- it can be tested
- the option to use it is available for the most severe of emergencies,
  where the public’s choice to opt-out is outweighed by the widespread
  risk to life
2021-05-12 16:22:43 +01:00
Chris Hill-Scott
ffd844b2a7 Add confirmation step to emergency alert settings
It feels quite dangerous that it’s just one click to make an emergency
alerts service live.

This commit adds a confirmation step which explains the consequences of
what you’re about to do.
2021-05-12 14:53:49 +01:00
Ben Thorner
ebb82b2e80 Add page for security keys with stubbed data
This adds a new platform admin settings row, leading a page which
shows any existing keys and allows a new one to be registered. Until
the APIs for this are implemented, the user API client just returns
some stubbed data for manual testing.

This also includes a basic JavaScript module to do the main work of
registering a new authenticator, to be implemented in the next commits.

Some more minor notes:

- Setting the headings in the mapping_table is necessary to get the
horizontal rule along the top (to match the design).

- Setting caption to False in the mapping_table is necessary to stop
an extra margin appearing at the top.
2021-05-12 13:41:53 +01:00
Katie Smith
f7036825df Stop checking for allowed_broadcast_provider being None
The current_service.allowed_broadcast_provider is now always "all" or
one of the four providers, which means we can simply the code by not
checking if it is None.
2021-05-11 12:20:03 +01:00
Katie Smith
3485475270 Allow provider_restriction to be None or "all"
Until all the data is updated to always be "all", we have to handle the
case of provider_restriction being set to None or "all" (which mean the
same thing).

The code can be tidied up once the broadcast provider_restriction is never None.
2021-05-10 16:18:14 +01:00
Katie Smith
2f9e2dbc9d Send api the broadcast provider restriction of 'all', not 'None'
We're replacing the value of None with the value of all. API has been
updated to accept both values
(1767535def)
so this change starts sending notifications-api the value of "all".
2021-05-10 16:18:14 +01:00
Rebecca Law
5495de0b3b Remove some of the option we have for broadcast services.
This is the first step in making the UI easier for setting the
options for a broadcast service. Here we remove the options for
"Training mode" test channels. When we create a broadcast message for a trail mode service it is marked as stubbed and does not create a broadcast event that is sent to a provider.

The label for the form and setting page have been updated to reflect the
change.
2021-05-05 14:04:51 +01:00
Pea Tyczynska
c55cc4574e Merge pull request #3854 from alphagov/admin-cancel-broadcast
Allow platform admins to cancel broadcasts.
2021-04-21 12:52:14 +01:00
Pea Tyczynska
002dd7485d Allow platform admins to cancel broadcasts.
Do not allow platform admins to:
- create broadcasts
- approve broadcasts
- reject broadcasts

that is, unless they have a send_messages permission
for a given service.

This is so platform admins have the minimum permissions necessary
to cancel a broadcast that might have been sent out accidentally.
2021-04-20 17:27:55 +01:00
Rebecca Law
007fa5fa19 Merge pull request #3855 from alphagov/set-annual_billing-in-the-api
Let the API handle setting the default free allowance.
2021-04-20 07:17:57 +01:00
Rebecca Law
ac0b8ed95c If the job is for letters do not add the sender_id.
How this happens: a user starts to send a letter job, then in another tab starts a SMS
or email job, the sender_id is set in the session. Then the user goes
back to the letter job tab and creates the job. The sender_id is set in
the metadata of the csv file, and causes an exception when trying to persist
the letter notification.

This PR adds a check to ensure the sender_id is not set for letter jobs.

This will catch a small use case where the user has multiple tabs open
and has started sending an SMS or email job, then tries to send a letter
job.
2021-04-15 13:51:48 +01:00
Chris Hill-Scott
c95b2ef8b3 Allow users of the API to search templates by ID
For someone who has retrieved a template ID from their system the only
way to find it in Notify is:
- hack the URL
- click through every template, visually inspecting the ID shown on the
  page until you find the right one

Neither of these is ideal.

This commit adds searching by ID, for those services who have an API
integration. This means we don’t need to confuse teams who aren’t using
the API by talking about IDs.

This is similar to how we let these teams search for notifications by
reference[1]

1. https://github.com/alphagov/notifications-admin/pull/3223/files
2021-04-13 15:24:29 +01:00
Chris Hill-Scott
9b256de4a9 Refactor to reduce duplication
> Rule of three ("Three strikes and you refactor") is a code refactoring
> rule of thumb to decide when similar pieces of code should be
> refactored to avoid duplication. It states that two instances of
> similar code don't require refactoring, but when similar code is used
> three times, it should be extracted into a new procedure

– https://en.wikipedia.org/wiki/Rule_of_three_(computer_programming)
2021-04-08 14:19:36 +01:00
Chris Hill-Scott
dc4db4951a Add a separate page for rejected alerts
We don’t want to mix these up with alerts that actually went out.
2021-04-08 14:19:36 +01:00
Chris Hill-Scott
9977028a83 Make Jinja template generic
This will let us reuse the same code for displaying pages of previous
and rejected alerts.
2021-04-08 13:38:54 +01:00
Chris Hill-Scott
0bdd5cab2d Show rejected broadcasts on ‘Previous alerts’ page
Two reasons to not hide rejected broadcasts:
- if a broadcast was rejected by mistake then it’s useful to have an
  audit of who did that
- it means you can still see old broadcasts without having to leave
  in pending-approval, which is dangerous because they might
  accidentally be approved
2021-04-08 10:51:01 +01:00
Rebecca Law
b1d78ada83 Let the API handle setting the default free allowance.
The API has a method to handle setting the default SMS free allowance. This will save a call to the API and remove some code duplication between the two apps.

Needs to be merged after https://github.com/alphagov/notifications-api/pull/3197
2021-04-07 09:32:18 +01:00
Chris Hill-Scott
18a96d3243 Merge pull request #3830 from alphagov/remove-2020-allowances
Remove 2020/21 free allowance data
2021-04-01 10:40:29 +01:00
Pea Tyczynska
f7142a1518 Catch validation error from API
When dates chosen for billing report are not in the same
financial year, API throws an error. This error was not being
caught so far. This PR starts to catch it and display a banner
with error message on the page, instead of page crashing.
2021-03-30 14:13:57 +01:00
Pea Tyczynska
38cfee6390 Rename usage report to billing report
Because only services with bills to pay are included, and
we started including billing details.

Also rename endpoints and file names to match this.
2021-03-30 14:13:54 +01:00
Pea Tyczynska
95f46ced8a Add billing details fields to Usage for all services report 2021-03-30 14:11:42 +01:00
Leo Hemsted
62ce3c0696 Merge pull request #3842 from alphagov/remove-last-of-the-backwards-compat-invite-stuff
Remove last of the backwards compat invite stuff
2021-03-18 16:46:01 +00:00
Chris Hill-Scott
2a7f972a8a Merge pull request #3821 from alphagov/find-services-by-id
Support service IDs in ‘find services by name’
2021-03-18 13:16:36 +00:00
Leo Hemsted
0d350bdaf8 remove invited_user from session entirely
now that we no longer set it since
https://github.com/alphagov/notifications-admin/pull/3841 was merged, we
don't need to remove it either. And we can remove checks that expect it
when cleaning up the session. And the unit tests that make sure we
ignore it if it's in the session.

So long, session['invited_user'] and session['invited_org_user']!
2021-03-17 12:27:26 +00:00
Leo Hemsted
fb1345494c Merge pull request #3841 from alphagov/remove-old-invite-stuff
stop putting invite user objects in the session
2021-03-17 12:27:04 +00:00
Leo Hemsted
8a2fec6f18 stop putting invite user objects in the session
the invited_user objects can be arbitrarily large, and when we put them
in the session we risk going over the session cookie's 4kb size limit.
since https://github.com/alphagov/notifications-admin/pull/3827 was
merged, we store the user id in the session. Now that's been live for a
day or two we can safely stop putting the rich object in the session.

Needed to change a bunch of tests for this to make sure appropriate
mocks were set. Also some tests were accidentally re-using fake_uuid.

Still pop the object when cleaning up sessions. We'll need to remove
that in a future PR.
2021-03-16 18:14:04 +00:00
Chris Hill-Scott
01c651d224 Merge pull request #3836 from alphagov/remove-performance-platform-report
Remove performance platform report
2021-03-16 10:19:28 +00:00
Leo Hemsted
dc02d036f1 Merge pull request #3827 from alphagov/invited-user-id
Invited user
2021-03-15 13:42:16 +00:00
Leo Hemsted
45297eae43 store invited user ids in session
same as the invited org user ids in the previous commit
2021-03-15 12:21:58 +00:00
Chris Hill-Scott
c8943cec8b Report performance platform report
We used to upload this to performance platform to show the list of
services and organisations.

There is no longer a performance platform to upload this file to.
2021-03-15 10:21:36 +00:00
Chris Hill-Scott
3ea9cba0bc Fix bug when live services have no organisation
The performance page expects all live services to have an organisation.
This should be true on production, but it isn’t always the case in
other environments.

When the organisation name is `None`, the frontend can’t sort the list
of organisations alphabetically and so raises an exception.
2021-03-15 09:42:06 +00:00
Leo Hemsted
6d62c9ba36 store invited org user ids in session
first of a two step process to remove invited user objects from the
session. we're removing them because they're of variable size, and with
a lot of folder permissions they can cause the session to exceed the 4kb
cookie size limit and not save properly.

this commit looks at invited org users only.

in this step, start saving the invited org user's id to the
session alongside the session object. Then, if the invited_org_user_id
is present in the next step of the invite flow, fetch the user object
from the API instead of from the session. If it's not present (due to a
session set by an older instance of the admin app), then just use the
old code to get the entire object out of the session.

For invites where the user is small enough to persist to the cookie,
this will still save both the old and the new way, but will always make
an extra check to the API, I think this minor performance hit is totally
fine. For invites where the user is too big to persist, they'll still
fail for now, and will need to wait until the next PR comes along and
stops saving the large invited user object to the session entirely.
2021-03-12 16:36:02 +00:00
Chris Hill-Scott
5fa6639b52 Add count of orgs and services
This uses the existing endpoint so it matches what’s on the homepage.
It will be more up-to-date than the list of services, but no-one’s going
to be adding things up to check they match exactly.
2021-03-12 14:44:32 +00:00
Chris Hill-Scott
8106d6fdf2 Limit data to last 7 days
Otherwise the page gets really long. Also matches what we have on our
dashboards by default.
2021-03-12 14:44:24 +00:00
Chris Hill-Scott
646075f61f Put some stuff on the page
This basically copies the same sections from the existing performance
platform page, with the frontend cobbled together from our existing
patterns.
2021-03-12 14:44:06 +00:00
Chris Hill-Scott
25a6788d66 Use arguments rather than passing around a dict
This makes it harder to write code which will pass tests but fail in
real life.
2021-03-12 14:43:50 +00:00
Chris Hill-Scott
fce4082fff Rename to performance
This is consistent with the old performance platform URLs, which were
gov.uk/performance, and others that we have like /pricing and /features
2021-03-12 13:56:21 +00:00
Rebecca Law
3ca2840652 Rename to performance-dashboard 2021-03-12 11:17:51 +00:00
Rebecca Law
042527e74c Start to build a page to performance platform page. 2021-03-12 11:17:44 +00:00
Chris Hill-Scott
79bbd0fd98 Don’t show future financal years on org page
There’s no useful information in the page for the future financial year
because there’s no way for any of the services to have yet used
anything.

Changes this matches the change we made to the service usage page in
https://github.com/alphagov/notifications-admin/pull/3439/files
2021-03-10 15:39:06 +00:00