Feature/678 add guid to gspc emails

Procfile

@@ -1 +1 @@
-web: gunicorn -b :$PORT training.main:app --workers $NUM_WORKERS --worker-class uvicorn.workers.UvicornWorker
+web: gunicorn -b :$PORT training.main:app --workers $NUM_WORKERS --worker-class uvicorn.workers.UvicornWorker --timeout 1200

alembic/versions/db581ea0a1c3_gspc_updates.py

@@ -0,0 +1,59 @@
+"""gspc_updates
+
+Revision ID: db581ea0a1c3
+Revises: 12049328fd0a
+Create Date: 2025-02-12 09:56:53.397539
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'db581ea0a1c3'
+down_revision = '12049328fd0a'
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Add new columns
+    op.add_column('gspc_invite', sa.Column('gspc_invite_id', sa.UUID(as_uuid=True), nullable=True))
+    op.add_column('gspc_invite', sa.Column('second_invite_date', sa.DateTime(timezone=True), nullable=True))
+    op.add_column('gspc_invite', sa.Column('final_invite_date', sa.DateTime(timezone=True), nullable=True))
+    op.add_column('gspc_invite', sa.Column('completed_date', sa.DateTime(timezone=True), nullable=True))
+
+    # Create unique index for gspc_invite_id
+    op.create_index(
+        'ix_gspc_invite_gspc_invite_id',
+        'gspc_invite',
+        ['gspc_invite_id'],
+        unique=True
+    )
+
+    # Add foreign key column to gspc_completions
+    op.add_column('gspc_completions', sa.Column('gspc_invite_id', sa.UUID(as_uuid=True), nullable=True))
+
+    # Create foreign key constraint
+    op.create_foreign_key(
+        'gspc_completions_x_gspc_invite',
+        'gspc_completions',
+        'gspc_invite',
+        ['gspc_invite_id'],
+        ['gspc_invite_id']
+    )
+
+
+def downgrade() -> None:
+    # Drop foreign key constraint and column from gspc_completions
+    op.drop_constraint(None, 'gspc_completions', type_='foreignkey')
+    op.drop_column('gspc_completions', 'gspc_invite_id')
+
+    # Drop index
+    op.drop_index('ix_gspc_invite_gspc_invite_id', table_name='gspc_invite')
+
+    # Drop columns
+    op.drop_column('gspc_invite', 'completed_date')
+    op.drop_column('gspc_invite', 'final_invite_date')
+    op.drop_column('gspc_invite', 'second_invite_date')
+    op.drop_column('gspc_invite', 'gspc_invite_id')

dev/uaa/uaa.yml

@@ -37,7 +37,7 @@ scim:
   users:
     - paul|wombat|[email protected]|Paul|Smith|openid
     - stefan|wallaby|[email protected]|Stefan|Schmidt|openid
-
+    - mark|wombat|[email protected]|Mark|openid
 oauth:
   user:
     authorities:

package.json

@@ -2,7 +2,7 @@
     "scripts": {
         "build:frontend": "cd training-front-end && npm install && npm run build && cd ..",
         "federalist": "npm run build:frontend",
-        "dev": "(trap 'kill 0' SIGINT; npm run dev:frontend & npm run dev:backend)",
+        "dev": "(npm run dev:frontend & npm run dev:backend)",
         "dev:frontend": "cd training-front-end && npm run dev",
         "dev:backend": "uvicorn training.main:app --reload",
         "dev:db-start": "docker-compose up -d",

training-front-end/src/components/GspcRegistration.vue

@@ -45,8 +45,8 @@
   const quizStarted = ref(false)
   const quizSubmitted = ref(false)
   const error = ref(props.error)
-  let redirectExpirationDateString = ""
-  let expirationDate = ""
+  let gspcInviteId = ""
+  let redirectGspcInviteIdString = ""
   const certTypeGspc = 2
 
   const questions = 
@@ -63,8 +63,8 @@
 
   onBeforeMount(async () => {
     const urlParams = new URLSearchParams(window.location.search);
-    expirationDate = urlParams.get('expirationDate')
-    redirectExpirationDateString = 'expirationDate=' + expirationDate
+    gspcInviteId = urlParams.get('gspcInviteId')
+    redirectGspcInviteIdString = 'gspcInviteId=' + gspcInviteId
   })
 
   function startLoading() {
@@ -91,7 +91,7 @@
           'Content-Type': 'application/json',
           'Authorization': `Bearer ${user.value.jwt}`
         },
-        body: JSON.stringify({'responses':{'responses': user_answers}, 'expiration_date': expirationDate}) 
+        body: JSON.stringify({'responses':{'responses': user_answers}, 'gspc_invite_id': gspcInviteId}) 
       })
     } catch {
       const err = new Error("There was a problem connecting with the server")
@@ -145,7 +145,7 @@
               title="gspc_registration"
               :header="header"
               link-destination-text="the GSA SmartPay Program Certification (GSPC)"
-              :parameters="redirectExpirationDateString"
+              :parameters="redirectGspcInviteIdString"
               @start-loading="startLoading"
               @error="setError"
             >

training/api/api_v1/auth.py

@@ -26,23 +26,21 @@ def auth_exchange(
 ):
     db_user = user_repo.find_by_email(uaa_user.get("email"))
     if not db_user:
-        logging.info(
-            f"UAA authenticated, but not found in database: {uaa_user['email']}"
-        )
+        logging.info("UAA authenticated, but not found in database", extra={'user': uaa_user['email']})
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail="Invalid user."
         )
 
     user = User.model_validate(db_user)
     if not user.is_admin():
-        logging.info(f"UAA authenticated, but not an admin: {uaa_user['email']}")
+        logging.info("UAA authenticated, but not an admin", extra={'user': uaa_user['email']})
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail="Not authorized to login."
         )
 
     jwt_user = UserJWT.model_validate(db_user)
     encoded_jwt = jwt.encode(jwt_user.model_dump(), settings.JWT_SECRET, algorithm="HS256")
-    logging.info(f"Token exchange success for {db_user.email}")
+    logging.info("Token exchange success", extra={'user': db_user.email})
     return {'user': jwt_user, 'jwt': encoded_jwt}

training/api/api_v1/gspc.py

@@ -1,3 +1,4 @@
+from dataclasses import asdict
 from typing import Any
 import logging
 import csv
@@ -7,10 +8,10 @@
 from training.services import GspcService
 from training.repositories import GspcInviteRepository, GspcCompletionRepository
 from training.api.deps import gspc_invite_repository, gspc_completion_repository, gspc_service
-from training.api.email import send_gspc_invite_email
+from training.api.email import InviteTuple, send_gspc_invite_emails
 from training.api.auth import RequireRole
-from training.config import settings
 from training.api.auth import JWTUser
+from fastapi import BackgroundTasks
 
 
 router = APIRouter()
@@ -19,27 +20,25 @@
 @router.post("/gspc-invite")
 async def gspc_admin_invite(
     gspcInvite: GspcInvite,
+    background_tasks: BackgroundTasks,
     repo: GspcInviteRepository = Depends(gspc_invite_repository),
     user=Depends(RequireRole(["Admin"]))
 ):
     '''
     Given a list of emails we parse them into two list (valid and invalid).
-    Then we log each of the valid emails to the db and shoot of an email to each.
+    Then we log each of the valid emails to the db and shoot off an email to each.
     '''
     try:
         # Parse emails string into valid and invalid email list
         gspcInvite.parse()
 
-        for email in gspcInvite.valid_emails:
-            repo.create(email=email, certification_expiration_date=gspcInvite.certification_expiration_date)
-            # If performance becomes an issue use multithreading to send the emails
-            try:
-                params = gspcInvite.certification_expiration_date.strftime('%Y-%m-%d')
-                link = f"{settings.BASE_URL}/gspc_registration/?expirationDate={params}"
-                send_gspc_invite_email(to_email=email, link=link)
-                logging.info(f"Sent gspc invite email to {email}")
-            except Exception as e:
-                logging.error("Error sending gspc invite email", e)
+        entities = repo.bulk_create(emails=gspcInvite.valid_emails, certification_expiration_date=gspcInvite.certification_expiration_date)
+
+        # Explicitly load needed props into memory before passing to the background task
+        entities_data = [InviteTuple(entity.gspc_invite_id, entity.email) for entity in entities]
+
+        # Add email sending to background tasks
+        background_tasks.add_task(send_gspc_invite_emails, invites=entities_data)
 
         # Return object with both list for success and failure messages
         return gspcInvite

training/api/api_v1/loginless_flow.py

@@ -89,8 +89,10 @@ def send_link(
             # and try the link.
             if not all(role in role_names for role in required_roles):
                 logging.info(
-                    f"{user.email} does not have the required role to access {page_id_lookup[dest.page_id]['path']}"
+                    "unauthorized access attempt",
+                    extra={'user': user.email, 'path': page_id_lookup[dest.page_id]['path']}
                 )
+
                 raise HTTPException(
                     status_code=status.HTTP_401_UNAUTHORIZED,
                     detail="Unauthorized"
@@ -114,7 +116,7 @@ def send_link(
     url = f"{settings.BASE_URL}{path}?{parameters}"
     try:
         send_email(to_email=user.email, name=user.name, link=url, training_title=dest.title)
-        logging.info(f"Sent confirmation email to {user.email} for {path}")
+        logging.info("Sent confirmation email", extra={'user': user.email, 'path': path})
     except Exception as e:
         logging.error("Error sending mail", e)
         raise HTTPException(
@@ -151,6 +153,6 @@ async def get_user(
     if not db_user:
         db_user = repo.create(user)
     user_return = UserJWT.model_validate(db_user)
-    logging.info(f"Confirmed email token for {user.email}")
+    logging.info("Confirmed email token", extra={'user': user.email})
     encoded_jwt = jwt.encode(user_return.model_dump(), settings.JWT_SECRET, algorithm="HS256")
     return {'user': user_return, 'jwt': encoded_jwt}

training/api/auth.py

@@ -1,4 +1,5 @@
 import json
+import logging
 from typing import Annotated
 from urllib.request import urlopen
 
@@ -29,6 +30,7 @@ async def __call__(self, request: Request):
 
         user = self.decode_jwt(credentials.credentials)
         if user is None:
+            JWTUser.log_invalid_jwt(credentials.credentials, request.url.path)
             raise HTTPException(status_code=403, detail="Invalid or expired token.")
         return user
 
@@ -38,27 +40,28 @@ def decode_jwt(self, token: str):
         except InvalidTokenError:
             return
 
+    @staticmethod
+    def log_invalid_jwt(token: str, path: str):
+        try:
+            invalid_claim = jwt.decode(token, options={"verify_signature": False})
+            logging.info("Invalid token", extra={'decoded': invalid_claim, 'path': path})
+        except InvalidTokenError:
+            logging.warning("Unprocessable token", extra={'token': token, 'path': path})
+
 
-class UAAJWTUser(HTTPBearer):
+class UAAJWTUser(JWTUser):
     '''
     Represents a JWT issued by an OAuth server.
     Used as part of the Admin SecureAuth flow
     '''
 
-    async def __call__(self, request: Request):
-
-        credentials: HTTPAuthorizationCredentials | None = await super().__call__(request)
-        user = self.decode_jwt(credentials.credentials)
-        if user is None:
-            raise HTTPException(status_code=403, detail="Invalid or expired token.")
-        return user
-
     def decode_jwt(self, token: str):
         token_header = jwt.get_unverified_header(token)
         key_id = token_header.get("kid")
         jwk = self.get_jwks().get(key_id)
 
         if jwk is None:
+            logging.info("Unknown jwk", extra={'key_id': key_id})
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Unrecognized token."
@@ -88,6 +91,7 @@ def get_jwks(self):
             jwks = json.load(res)
 
         if jwks.get("keys") is None:
+            logging.warning("Unable to get JSON Web keys from server")
             raise HTTPException(
                 status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
                 detail="Unable to get required data from authentication server (public keys)."
@@ -118,6 +122,7 @@ def discover_jwks_endpoint(self) -> str:
             jwks_endpoint_uri = data.get("jwks_uri")
 
         if jwks_endpoint_uri is None:
+            logging.warning("Unable to get jwks endpoint from server")
             raise HTTPException(
                 status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
                 detail="Unable to get required data from authentication server (JWKS URI)."
@@ -144,15 +149,17 @@ def __call__(self, user=Depends(JWTUser())):
         try:
             user_roles = user['roles']
         except KeyError:
+            logging.info("Unauthorized Access", extra={'user': user, 'required_roles': self.required_roles})
             raise HTTPException(status_code=401, detail="Not Authorized")
 
         if all(role in user_roles for role in self.required_roles):
             return user
         else:
+            logging.info("Unauthorized Access", extra={'user': user, 'required_roles': self.required_roles})
             raise HTTPException(status_code=401, detail="Not Authorized")
 
 
-def user_from_form(jwtToken: Annotated[str, Form()]):
+def user_from_form(jwtToken: Annotated[str, Form()], request: Request):
     '''
     This allows POST requests to send a token as part of form-encoded request.
     There are places in the front-end where we want to download a file, but we also
@@ -163,5 +170,6 @@ def user_from_form(jwtToken: Annotated[str, Form()]):
     '''
     try:
         return jwt.decode(jwtToken, settings.JWT_SECRET, algorithms=["HS256"])
-    except jwt.exceptions.InvalidTokenError:
+    except InvalidTokenError:
+        JWTUser.log_invalid_jwt(jwtToken, request.url.path)
         raise HTTPException(status_code=401, detail="Not Authorized")