Send admins a notification when a user registers

- Add log line regarding APP_URL in feature flag parser

Author: ml-evs

pydatalab/src/pydatalab/feature_flags.py

@@ -164,3 +164,8 @@ def _check_secret_and_warn(secret: str, error: str, environ: bool = False) -> bo
         LOGGER.warning(
             "No deployment metadata provided, please set `CONFIG.DEPLOYMENT_METADATA` to allow the UI to provide helpful information to users"
         )
+
+    if not CONFIG.APP_URL:
+        LOGGER.warning(
+            "Canonical URL for deployment is not set, please set `CONFIG.APP_URL` otherwise some features (redirects, email notifications) may not work correctly."
+        )

pydatalab/src/pydatalab/routes/v0_1/auth.py

@@ -22,7 +22,8 @@
 
 from pydatalab.config import CONFIG
 from pydatalab.errors import UserRegistrationForbidden
-from pydatalab.logger import LOGGER, logged_route
+from pydatalab.feature_flags import FEATURE_FLAGS
+from pydatalab.logger import LOGGER
 from pydatalab.login import get_by_id
 from pydatalab.models.people import AccountStatus, Identity, IdentityType, Person
 from pydatalab.mongo import flask_mongo, insert_pydantic_model_fork_safe
@@ -202,7 +203,6 @@ def set_applocal_session():
 orcid = LocalProxy(lambda: g.flask_dance_orcid)
 
 
-@logged_route
 def wrapped_login_user(*args, **kwargs):
     login_user(*args, **kwargs)
 
@@ -273,7 +273,6 @@ def _check_email_domain(email: str, allow_list: list[str] | None) -> bool:
     return True
 
 
-@logged_route
 def find_user_with_identity(
     identifier: str,
     identity_type: str | IdentityType,
@@ -332,7 +331,6 @@ def find_create_or_modify_user(
 
     """
 
-    @logged_route
     def attach_identity_to_user(
         user_id: str,
         identity: Identity,
@@ -416,7 +414,13 @@ def attach_identity_to_user(
             user_model = get_by_id(str(user.immutable_id))
             if user is None:
                 raise RuntimeError("Failed to insert user into database")
+
             wrapped_login_user(user_model)
+            # Send email notification to admins
+            _send_admin_email_notification(user)
+
+    if user is not None and user.account_status == AccountStatus.DEACTIVATED:
+        _send_admin_email_notification(user)
 
     # Log the user into the session with this identity
     if user is not None:
@@ -477,6 +481,56 @@ def _check_user_registration_allowed(email: str) -> None:
             )
 
 
+def _send_admin_email_notification(user: Person) -> None:
+    """Sends an email notification to the admin email address when an unverified user
+    attempts to register an account.
+
+    """
+    if not FEATURE_FLAGS.email_notifications:
+        LOGGER.info("Email notifications are disabled; not sending unverified user notification.")
+        return
+
+    admins = flask_mongo.db.users.aggregate(
+        [
+            {
+                "$lookup": {
+                    "from": "roles",
+                    "localField": "_id",
+                    "foreignField": "_id",
+                    "as": "role",
+                }
+            },
+            {"$unwind": "$role"},
+            {"$match": {"role.role": "admin"}},
+        ]
+    )
+
+    admin_emails = [a["contact_email"] for a in admins if a.get("contact_email")]
+
+    # Get contact emails of admin users via lookup in the roles and users collections
+    if user.account_status == AccountStatus.UNVERIFIED:
+        subject = "User Registration Notification"
+        subject += f": {CONFIG.APP_URL}" if CONFIG.APP_URL else ""
+        body = (
+            f"A new user with display name {user.display_name} attempted to register an account on {CONFIG.APP_URL}.\n\n"
+            "Please review the registration in your admin panel and verify the user if appropriate."
+        )
+
+    if user.account_status == AccountStatus.DEACTIVATED:
+        subject = "Deactivated User Login Attempt Notification"
+        subject += f": {CONFIG.APP_URL}" if CONFIG.APP_URL else ""
+        body = (
+            f"A deactivated user with display name {user.display_name} attempted to log in to the datalab instance at {CONFIG.APP_URL}.\n\n"
+            "No action is required unless you wish to reactivate this user."
+        )
+
+    try:
+        for email in admin_emails:
+            send_mail(email, subject, body)
+    except Exception as exc:
+        LOGGER.warning("Failed to send unverified user notification email: %s", exc)
+
+
 def _send_magic_link_email(
     email: str, token: str, referrer: str | None, purpose: str = "authorize"
 ) -> None:

pydatalab/src/pydatalab/send_email.py

@@ -21,7 +21,7 @@ def send_mail(recipient: str, subject: str, body: str):
         body (str): The body of the email.
 
     """
-    LOGGER.debug("Sending email to %s", recipient)
+    LOGGER.debug("Sending email to %s with subject %s", recipient, subject)
 
     sender = None
     if CONFIG.EMAIL_AUTH_SMTP_SETTINGS is not None:

pydatalab/tests/server/conftest.py

@@ -66,14 +66,14 @@ def app_config(tmp_path_factory, secret_key):
         "EMAIL_AUTH_SMTP_SETTINGS": {
             "MAIL_SERVER": "smtp.example.com",
             "MAIL_PORT": 587,
-            "MAIL_USERNAME": "",
-            "MAIL_PASSWORD": "",
+            "MAIL_USERNAME": "test",
             "MAIL_USE_TLS": True,
             "MAIL_DEFAULT_SENDER": "[email protected]",
         },
         "EMAIL_DOMAIN_ALLOW_LIST": ["example.org", "ml-evs.science"],
         "MAIL_DEBUG": True,
         "MAIL_SUPPRESS_SEND": True,
+        "MAIL_PASSWORD": "test",
         # Set to 10 MB to check that larger files fail; this should be larger than all of our example files.
         # Elsewhere, we can generate an artificial large file to check that it fails.
         "MAX_CONTENT_LENGTH": 10 * 1000**2,
@@ -240,13 +240,20 @@ def deactivated_user_id():
     yield ObjectId(24 * "3")
 
 
-def insert_user(id, api_key, role, real_mongo_client, status: AccountStatus = AccountStatus.ACTIVE):
+def insert_user(
+    id,
+    api_key,
+    role,
+    real_mongo_client,
+    display_name: str = "Test Admin",
+    status: AccountStatus = AccountStatus.ACTIVE,
+):
     from hashlib import sha512
 
     demo_user = {
         "_id": id,
         "contact_email": "[email protected]",
-        "display_name": "Test Admin",
+        "display_name": display_name,
         "account_status": status,
     }
     real_mongo_client.get_database(TEST_DATABASE_NAME).users.insert_one(demo_user)
@@ -272,21 +279,29 @@ def insert_demo_users(
     unverified_user_api_key,
     real_mongo_client,
 ):
-    insert_user(user_id, user_api_key, "user", real_mongo_client)
-    insert_user(another_user_id, another_user_api_key, "user", real_mongo_client)
-    insert_user(admin_user_id, admin_api_key, "admin", real_mongo_client)
+    insert_user(user_id, user_api_key, "user", real_mongo_client, display_name="Test User")
+    insert_user(
+        another_user_id,
+        another_user_api_key,
+        "user",
+        real_mongo_client,
+        display_name="Another User",
+    )
+    insert_user(admin_user_id, admin_api_key, "admin", real_mongo_client, display_name="Test Admin")
     insert_user(
         deactivated_user_id,
         deactivated_user_api_key,
         "user",
         real_mongo_client,
+        display_name="Deactivated User",
         status=AccountStatus.DEACTIVATED,
     )
     insert_user(
         unverified_user_id,
         unverified_user_api_key,
         "user",
         real_mongo_client,
+        display_name="Unverified User",
         status=AccountStatus.UNVERIFIED,
     )
 

pydatalab/tests/server/test_auth.py

@@ -26,9 +26,12 @@ def test_magic_link_account_creation(unauthenticated_client, app, database):
     doc = database.magic_links.find_one()
     assert "jwt" in doc
 
-    response = unauthenticated_client.get(f"/login/email?token={doc['jwt']}")
-    assert response.status_code == 307
-    assert database.users.find_one({"contact_email": "[email protected]"})
+    with app.extensions["mail"].record_messages() as outbox:
+        response = unauthenticated_client.get(f"/login/email?token={doc['jwt']}")
+        assert response.status_code == 307
+        assert database.users.find_one({"contact_email": "[email protected]"})
+
+        assert len(outbox) == 1  # Should be a notification to admins
 
 
 def test_magic_links_expected_failures(unauthenticated_client, app):