|
| 1 | +# 33. Make email address primary for `Access` |
| 2 | + |
| 3 | +Date: 2023-11-20 |
| 4 | + |
| 5 | +## Status |
| 6 | + |
| 7 | +Accepted |
| 8 | + |
| 9 | +## Areas of impact |
| 10 | + |
| 11 | +- [ ] Compliance |
| 12 | +- [ ] Content |
| 13 | +- [x] CX |
| 14 | +- [ ] Design |
| 15 | +- [x] Engineering |
| 16 | +- [x] Policy |
| 17 | +- [ ] Product |
| 18 | +- [ ] Process |
| 19 | +- [ ] UX |
| 20 | + |
| 21 | +## Related documents/links |
| 22 | + |
| 23 | +* [If a user deletes and recreates their login.gov account, we retain a copy of both accounts](https://github.com/GSA-TTS/FAC/issues/2782) |
| 24 | + |
| 25 | +## Context |
| 26 | + |
| 27 | +Our current user login/creation path: |
| 28 | + |
| 29 | +1. Get info from login. |
| 30 | +2. Look to see if the login.gov identifier is in our system. |
| 31 | +3. If yes, log that user in and skip remaining steps. |
| 32 | +4. If no, create new user with this login.gov identifier and primary email address. |
| 33 | +5. Go through all email addresses in user’s login.gov info and associate any _unclaimed_ `Access` entries with any of those email addresses with this user. |
| 34 | + |
| 35 | +This turns out to not work if users delete their login.gov accounts and create new ones with the same email address (which is the login.gov recommended path for dealing with losing access to your account), which is creating problems for our users. The problem looks something like this: |
| 36 | + |
| 37 | +1. User creates login account A with email address [email protected] |
| 38 | +2. User logs in to FAC; we create user with loginid A, email [email protected], and associate it with _submissions set X _ with loginid A. |
| 39 | +3. User deletes login account A, creates B with email [email protected] |
| 40 | +4. User logs in to FAC; we create user with loginid B, email [email protected]. This does not get associated with _submissions set X _. |
| 41 | +5. The user has lost access to account A, but can log in with the email address that should have access to _submissions set X_. Our system currently cannot reconcile this. |
| 42 | + |
| 43 | +## Decision |
| 44 | + |
| 45 | +Change the user login path to this instead (the first four steps are unchanged): |
| 46 | + |
| 47 | +1. Get info from login. |
| 48 | +2. Look to see if loginid is in our system. |
| 49 | +3. If yes, log that user in. |
| 50 | +4. If no, create new user with loginid and primary email address. |
| 51 | +5. Go through all email addresses in user’s login.gov info and associate _any_ (claimed or not) `Access` entries with any of those email addresses with this user. |
| 52 | + |
| 53 | +The key change is that we no longer only associate unclaimed `Access` entries with the user upon login, but will update all `Access` entries with those email addresses to point at this user. |
| 54 | + |
| 55 | +## Consequences |
| 56 | + |
| 57 | +This will solve the above bug around users deleting their login.gov accounts and creating new ones with the same email address. |
| 58 | + |
| 59 | +This has the effect of making the ownership of an email address according to login.gov absolutely primary: if login.gov thinks you own [email protected] and you log in to FAC, you will then have access to _all _ submissions that granted access to [email protected], regardless of how long ago they were created or who might have owned [email protected] in the past. |
| 60 | + |
| 61 | +We will need to document the above primacy of email addresses in our system for user awareness, since it’s not clear that the implications are immediately evident. |
| 62 | + |
| 63 | +This will leave dangling `User` entries in the system that we probably need to clean up. |
| 64 | + |
| 65 | +Since we don’t have relevant indexes on `Access`, this may eventually cause performance issues that we’ll have to look at in future. |
0 commit comments