Currently, I am working on the OLMIS-4833 which is about adding the email verification mechanism to the OpenLMIS system. According to the ticket when a user updates his email address, the user should still retrieve notifications to the old email address until the new email will be verified (by clicking the link in the email that was send by the system).
Currently, the email field is only in the reference data user resource and the email verification mechanism is in the auth service. In other words currently the auth service does not know anything about user email but because of the ticket it has to know if the user changed his email address.
I am not sure how exactly implement this in our system. I thought about few solutions:
1. move email field from the reference data service to the auth service
In this solution the auth service and the mechanism have all needed information. Problem is that now if user details will be changed we would need to send two requests to the both services.
Other problem is that currently all services use only the reference data user resource and they do not know anything about the auth user resource. So we would probably need add additional call to the auth service when a service will try to send a notification to the user.
2. block possibility to edit email field by a request to the reference data service
In this case we still need to send two requests to the both services but the request to the reference data service will not contain email field (it would be also impossible to change the value of the field). Those details would be in the request to the auth service. The email field in the reference data user resource would be updated by the auth service when a user will click the link in the verification email.
Example of the happy path:
- user modify the email
- the reference data does not know anything about the change
- the auth service knows about the change and send verification email
- user clicks the verification link
- the auth service updates the email field in the reference data user resource
3. move mechanism to the reference data service
In this case we move email verification mechanism to the reference data service. All needed details are in one service. I am only not sure if the reference data service should have any advanced business logic. From what I see now it only contains data that are used by other services.
4. merge user requests to one and send it to the auth service
This is something I have been thinking about for some time. Currently when a user is created we need to send two requests. I think we could merge them and send a single one to the auth service and it would be responsible to send correct data to the reference data service. In this case from the UI perspective we have a single request to the backend. We would only need to disable some endpoints from the reference data for the users so they need to use endpoint in the auth service. Also in this case it should be easy to check if email address has been changed.
Example of the happy path:
- the auth service gets a user creation/update request
- verification of auth data
- send reference data to the correct service and wait for response
- save auth data to the database
- return response
The 3rd option looks also good but like I said I am not sure if this mechanism should be in this service.
In 1st and 2nd options we need to remember that some user details are updated by one endpoint and other details are updated by another endpoint and I think is incorrect behavior.
SolDevelo Sp. z o.o. [LLC] / www.soldevelo.com
Al. Zwycięstwa 96/98, 81-451, Gdynia, Poland
Phone: +48 58 782 45 40 / Fax: +48 58 782 45 41