fix: prevent HTML/URLs in the Full Name field

[mudassir-hafeez]

What are the relevant tickets?

#4211

Description (What does it do?)

This PR adds validation for the full name. It also introduces an API to validate registration on Open edX to ensure a valid full name is provided. This change affects both the registration details page and the edit profile page.

Screenshots (if appropriate):

Validation error on registration details page:

Validation error on edit details page:

How can this be tested?

• Fetch, check out to this branch, install edx-api-client PR feat: validate user registration api edx-api-client#106 with editable mode, and make sure edx is configured.

• Test the front-end validation (registration/edit details pages):

  • The full name should not start with a special character (~!@&)(+:'.?/,-), and should not contain any of (/^$#*=[]%_;<>{}|").
  • Test by including any of these characters, HTML, or URL in the full name.

• Test the back-end validation (registration/edit details pages):

  • Disable the front-end validation temporarily by commenting out this line.
  • Check if the validation error appears by entering any URL or HTML.

• Test rate limiting/non-field errors (registration/edit details pages):

  • Disable the front-end validation as mentioned above.
  • Set REGISTRATION_VALIDATION_RATELIMIT to a low number of requests per IP address (e.g., 10/7d). By default, the validation registration endpoint is rate-limited to 30 requests per IP address per week.
  • Ensure the notification error appears when the rate limit is exceeded.

Note: The last two pointers are for testing validation/API with backend.

Additional Context

Further screenshots of the back-end validation:

[arslanashraf7]

This is the code review. However, I would like to mention a couple of things:

1. Long ago we implemented the same thing in MITx Online but with username. (734 - registration validate username against openedx mitxonline#757). This was implemented in MITx Online and not edx-api-client.
2. The future of this registration validation would be to serve as a common functionality for both MITx Online and xPRO. So, we should implement it that way. (This is related to edx-api-client but adding it here to keep things together)
3. Once we are done with above, We also need to refactor the code in MITx Online so that it uses the edx-api-client

[arslanashraf7]

One of the following should be done here since this is a repetitive code and we should avoid it and make it reusable:

1. Move this to TestCaseSetup if exists
2. Create a fixture for this mock e.g. mock_email_send in code (Recommended)

[arslanashraf7]

I don't think this is needed. Isn't the validation API public? Because if the ACCESS_TOKEN isn't set it will stop the operation.

Now if we remove this check, We might as well not need a method at all. The initialization can be done on demand wherever needed.

[arslanashraf7]

This should not be a part of the courseware. This should either be moved to users or opened directory

[arslanashraf7]

This should not be a part of the courseware. This should either be moved to users or opened directory

[mudassir-hafeez]

We don't have an openedx directory in xPro, but it exists in MITx Online in replace of courseware for handling all API interactions with the edX platform. This is beneficial as it centralizes interactions with Open edX.

In xPro, courseware serves a similar role e.g. both course-related and user-specific Open edX API interactions.
The name courseware can be misleading since it implies only course-specific API interactions, while it actually includes other APIs interactions. I would recommend to lets keep it here to have common directory to interact with openedx similar to what we have in mitxonline and should have some meaningful name in future that serves the purpose to interact with openedx.

[arslanashraf7]

Alright, I agree. Let's keep it here for now. But my recommendation would be to create and openedx app and move this there but we can do that later in a refactoring PR.

[arslanashraf7]

not OK is not a good representation of what we are trying to say. It should say 200 or HTTP_200_OK

[arslanashraf7]

Looks like an incorrect docstring

[arslanashraf7]

Should it be validate_full_name?

[mudassir-hafeez]

I have used general validation outside of validate_full_name in order to make name validation required in case if openedx fails and returns an object-level error. We will not allow account creation to proceed and a proper error message will be displayed:

We have something similar mitodl/mitxonline#1389 (review) suggestion for an object-level error message/handling done in mitxonline. The error message is subjective to what we want to use but I have used it what we were used https://github.com/mitodl/mitxpro/blob/master/authentication/serializers.py#L177 in such cases.

[arslanashraf7]

Stopping account creation can still be done even we do general validate or not. A general validate would be more useful when we want to throw multiple errors to the frontend at the same time.

[arslanashraf7]

Can we utilize the functionality of the Validation exception from the backend instead of making this code change in the frontend? But in reality are we sending multiple error messages from the backend?

[mudassir-hafeez]

Can we utilize the functionality of the Validation exception from the backend instead of making this code change in the frontend?

Is that change break anything with existing functionality?

I'm not sure if you have this question due to email: errors[0],, I tried to check email but did not get it's usage in on edit profile

[arslanashraf7]

I mean, when we return ValidationError from the backend would that become part of the field_errors?

Currently, We return a Validation Error in case legal address validation, But that doesn't get displayed on the frontend, That however, stops the registration process keeping the user on the same page. Take a look at this for reference. And I see that you are also throwing a validation error message. So, we don't need these frontend changes If that's still not going to be shown on the fields.

[arslanashraf7]

Same as above message in EditProfile page

[arslanashraf7]

If we show the validation character message in this case as well, the would be fine. We don't need a new message for it.

[arslanashraf7]

@mudassir-hafeez Could you rebase this PR ?

[arslanashraf7]

It is always cleaner to get the API response in a variable i.e. response. Also, We unnecessarily ignored C408. We should try to resolve the issue instead of suppressing it here. e.g. You can pass a plain dictionary here.

[arslanashraf7]

Suggested change

	def get_edx_api_registration_client():
	def get_edx_api_registration_validation_client():

[arslanashraf7]

We should use Open edX in comments everywhere. I'm adding the suggestion here but you can check other cases like this.

Suggested change

	Gets an edx api client instance for the user registration
	Gets an Open edX api client instance for the user registration

[arslanashraf7]

This API is not authenticated, We don't need to send a token maybe? you can directly send ""?

[arslanashraf7]

I don't think these will ever be thrown. In validate_name_with_edx we catch a general exception and raise a EdxApiRegistrationValidationException every time.

[mudassir-hafeez]

@arslanashraf7 I've addressed all the request changes you mentioned in the current iteration along with mitodl/edx-api-client#106. They are ready for review now.

[arslanashraf7]

While testing the PR I was having some weird issues, I don't know what's causing them but I wanted to check with you anyway.

1. I'm unable to load the dashboard page (Complaints about missing column)
2. I'm unable to load the profile page (Complaints about undefined value, likely related to ramada package)

Screenshots:

While loading the dashboard:

While loading profile:

[mudassir-hafeez]

While testing the PR I was having some weird issues, I don't know what's causing them but I wanted to check with you anyway.

I'm unable to load the dashboard page (Complaints about missing column)
I'm unable to load the profile page (Complaints about undefined value, likely related to ramada package)

Both issues seem to be unrelated to this PR. For the first issue, please check if the migrations have been applied correctly or if there have been any local changes related to the external course run. For the second issue, ensure that assets are compiling properly and that your local branch is up-to-date with mudassir/fix-html-urls--full-name-field, which includes the updated Ramda package.

I have also re-based this branch again in the meantime, and retested. I don't see any issues related to this. We can connect if those issues still persist.

[arslanashraf7]

While testing the PR I was having some weird issues, I don't know what's causing them but I wanted to check with you anyway.

I'm unable to load the dashboard page (Complaints about missing column)
I'm unable to load the profile page (Complaints about undefined value, likely related to ramada package)

Both issues seem to be unrelated to this PR. For the first issue, please check if the migrations have been applied correctly or if there have been any local changes related to the external course run. For the second issue, ensure that assets are compiling properly and that your local branch is up-to-date with mudassir/fix-html-urls--full-name-field, which includes the updated Ramda package.

I have also re-based this branch again in the meantime, and retested. I don't see any issues related to this. We can connect if those issues still persist.

I'm not sure what was causing it but it only worked for me when I pulled your rebased branch.

[arslanashraf7]

👍 Looks good. Thanks for making all the changes and your patience on this.

Just on thing that we discussed over call about the error message in top bar. It stays there even if user fixes the issue and moved to the next page. Since this behaviour is pre-existing for Success case as well, we can work on that in a followup PR.

I would like to note that we should get the edx-api-client release out before merging this. We need to publish edx-api-client first and then pin the new version here for proper functioning.

[mudassir-hafeez]

@arslanashraf7 I've pinned the newly released edx-api-client version and tested it. Could you please review this final change?