27368 - Allow users to initiate and accept magic links (#3387)

Author: seeker25

auth-api/poetry.lock

@@ -33,7 +33,7 @@ marshmallow = "<4.0.0"
 # VCS dependencies
 sql-versioning = { git = "https://github.com/bcgov/sbc-connect-common.git", subdirectory = "python/sql-versioning", branch = "main" }
 flask-jwt-oidc = {git = "https://github.com/seeker25/flask-jwt-oidc.git", branch = "main" }
-build-deps = { git = "https://github.com/bcgov/sbc-auth.git", rev = "dependency_upgrades_p2", subdirectory = "build-deps" }
+build-deps = { git = "https://github.com/seeker25/sbc-auth.git", rev = "27368", subdirectory = "build-deps" }
 
 [tool.poetry.group.test.dependencies]
 pytest = "^8.3.2"

auth-api/pyproject.toml

@@ -44,6 +44,10 @@ class Error(Enum):
         "The affiliation invitation is in an invalid state for this action.",
         HTTPStatus.BAD_REQUEST,
     )
+    INVALID_AFFILIATION_INVITATION_TYPE = (
+        "The affiliation invitation type is invalid.",
+        HTTPStatus.BAD_REQUEST,
+    )
     INVALID_AFFILIATION_INVITATION_TOKEN = (
         "The affiliation invitation token is invalid.",
         HTTPStatus.BAD_REQUEST,

auth-api/src/auth_api/exceptions/errors.py

@@ -42,7 +42,7 @@
 from auth_api.services.org import Org as OrgService
 from auth_api.services.user import User as UserService
 from auth_api.utils.enums import AccessType, AffiliationInvitationType, InvitationStatus, LoginSource, Status
-from auth_api.utils.roles import ADMIN, COORDINATOR, STAFF
+from auth_api.utils.roles import ADMIN, COORDINATOR, STAFF, USER
 from auth_api.utils.user_context import UserContext, user_context
 
 from ..schemas.affiliation_invitation import AffiliationInvitationSchemaPublic
@@ -270,7 +270,9 @@ def create_affiliation_invitation(
         if from_org_id == to_org_id:
             raise BusinessException(Error.DATA_ALREADY_EXISTS, None)
 
-        check_auth(org_id=from_org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
+        AffiliationInvitation.check_auth_for_invitation(
+            invitation_type=affiliation_invitation_type, from_org_id=from_org_id
+        )
 
         entity, from_org, business = AffiliationInvitation._validate_prerequisites(
             business_identifier=business_identifier,
@@ -365,10 +367,10 @@ def get_business_name_from_alternative_name(business, business_name, business_id
 
     def update_affiliation_invitation(self, user, invitation_origin, affiliation_invitation_info: Dict):
         """Update the specified affiliation invitation with new data."""
-        check_auth(org_id=self._model.from_org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
-
         invitation: AffiliationInvitationModel = self._model
 
+        AffiliationInvitation.check_auth_for_invitation(invitation=self._model)
+
         # Don't do any updates if the invitation is not in PENDING state
         if invitation.invitation_status_code != InvitationStatus.PENDING.value:
             return AffiliationInvitation(invitation)
@@ -413,7 +415,7 @@ def delete_affiliation_invitation(invitation_id):
         if not (invitation := AffiliationInvitationModel.find_invitation_by_id(invitation_id)):
             raise BusinessException(Error.DATA_NOT_FOUND, None)
 
-        check_auth(org_id=invitation.from_org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
+        AffiliationInvitation.check_auth_for_invitation(invitation=invitation)
 
         if invitation.status == InvitationStatus.ACCEPTED.value:
             invitation.is_deleted = True
@@ -746,3 +748,20 @@ def refuse_affiliation_invitation(invitation_id: int, user: UserService):
         )
 
         return AffiliationInvitation(invitation)
+
+    @staticmethod
+    def check_auth_for_invitation(
+        invitation: AffiliationInvitationModel = None,
+        invitation_type: AffiliationInvitationType = None,
+        from_org_id: int = None,
+    ):
+        """Check if the user has the right to view the invitation."""
+        invitation_type = invitation_type or AffiliationInvitationType.from_value(invitation.type)
+        from_org_id = from_org_id or invitation.from_org_id
+        match invitation_type:
+            case AffiliationInvitationType.REQUEST:
+                check_auth(org_id=from_org_id, one_of_roles=(ADMIN, COORDINATOR, STAFF))
+            case AffiliationInvitationType.EMAIL:
+                check_auth(org_id=from_org_id, one_of_roles=(ADMIN, COORDINATOR, USER, STAFF))
+            case _:
+                raise BusinessException(Error.INVALID_AFFILIATION_INVITATION_TYPE, None)

auth-api/src/auth_api/services/affiliation_invitation.py

@@ -221,8 +221,9 @@ class AffiliationInvitationType(Enum):
     @classmethod
     def from_value(cls, value):
         """Return instance from value of the enum."""
+        # Change this back to None after business-ui gets pushed to production.
         return (
-            AffiliationInvitationType(value) if value in cls._value2member_map_ else None
+            AffiliationInvitationType(value) if value in cls._value2member_map_ else AffiliationInvitationType.EMAIL
         )  # pylint: disable=no-member