1415: Revoke existing cards via user import endpoint

[seluianova]

Short description

Revoke cards by entitlementId, when user entitlements are revoked or the expiration date is updated to a past date

Proposed changes

• when user entitlements are updated, check whether they have been revoked or whether the endDate has been moved back in time and revoke existing cards
• add new tests

Side effects / open questions

• do we want to update cards if the startDate (in the user entitlements) has been moved to the future?
• do we want to handle the case, when regionId (in the user entitlements) is updated?

Testing

Full testing is currently blocked, until the app config is ready.
Currently the following can be checked:

1. Open administration --> login as a koblenz project admin --> go to settings --> create token
2. Try to import users using curl or Postman
   curl -H "Authorization: Bearer <my_token>" -F file=@import_testdata_local.csv http://0.0.0.0:8000/users/import

CSV content:

regionKey,userHash,startDate,endDate,revoked
07111,"$argon2id$v=19$m=19456,t=2,p=1$cr3lP9IMUKNz4BLfPGlAOHq1z98G5/2tTbhDIko35tY",01.01.2024,01.01.2025,false

3. Go to http://localhost:3000/ and select Koblenz
4. Go to http://localhost:3000/erstellen, create a card with a birthday 10.06.2003 and a reference number 123K
5. Update the CSV file to import users, change revoked to ‘true’ or endDate to past
6. Import users again --> check in the database that previously created cards (dynamic and static) have been revoked

Resolved issues

Fixes: #1415

[f1sh1918]

Just a general question. Does it make sense to also revoke cards where the DateEnd is in the past.
I think we we agreed on that koblenz revokes cards by setting revoked: true as this is a clean process.
To give another opportunity to revoke cards by changing the EndDate makes it just more complex i think.
I can't remember that there is a reason why we need that

[seluianova]

Does it make sense to also revoke cards where the DateEnd is in the past

as discussed, I will remove that

[ztefanie]

I updated base branch, so I can fully test it.

[f1sh1918]

I updated base branch, so I can fully test it.

I think the removal of the end date check is missing. So not sure if its ready for review

[ztefanie]

I tested this and it only partly works as expected:

Use cases:

1. If I import non revoked user data, then create a card and activate it in the app, then upload a new csv where the card is revoked, the card is revoked in the app and it is displayed properly to the user
2. If I import non revoked user data, then create a pdf, then upload a new csv where the card is revoked and then try to activate the card in the app, with the pdf previously created, i get the error message "Fehler beim lesen des codes", here should be a message: "Your card was revoked"
3. it i go to self service (/erstellen) and try to create a card for a revoked user entitlement i get the error "Sie sind scheinbar nicht berechtigt einen KoblenzPass zu erstellen. Bitte prüfen Sie Ihre Eingaben" i think this is missleading, i think the error message should be "You are no longer entitlet for a koblenzpass" or something like thi.

[seluianova]

2. If I import non revoked user data, then create a pdf, then upload a new csv where the card is revoked and then try to activate the card in the app, with the pdf previously created, i get the error message "Fehler beim lesen des codes", here should be a message: "Your card was revoked"

@ztefanie it's just our current behaviour. if we revoke a card in bayern and the user tries to activate it, he gets the same message. it might be nice to add a separate message for this case, but I think that's a separate task.

Upd. created #1692

3. it i go to self service (/erstellen) and try to create a card for a revoked user entitlement i get the error "Sie sind scheinbar nicht berechtigt einen KoblenzPass zu erstellen. Bitte prüfen Sie Ihre Eingaben" i think this is missleading, i think the error message should be "You are no longer entitlet for a koblenzpass" or something like thi.

tbh it doesn't sound like a big difference to me. if a user is no longer entitlet, it also means, he is not entitlet. So, I don't find it measleading.
however, if we decide, there is a benifit, I don't mind adding a separate message for that. @f1sh1918 what do you think?

[seluianova]

Updated:

• removed the condition for revoking cards when the user's entitlement endDate is in the past
• refactored importData() function a bit to reduce complexity, not sure we need even more splitting

[f1sh1918]

Some thoughts to 3) @seluianova
The "Sie sind scheinbar nicht berechtigt...." was not final and the message will be adjusted to

Wir konnten Ihre Angaben nicht im System finden. Bitte überprüfen Sie Ihre Angaben und versuchen Sie es erneut.

design

Due to this upcoming adjustments it will make sense to throw a different error and show a different message to the user as steffi mentioned
@hauf-toni
So we have another state that should be handled and we need a proper error message for that.
If the user data can be found but the user is no longer entitled.
This should be reflected in the design

[seluianova]

The "Sie sind scheinbar nicht berechtigt...." was not final and the message will be adjusted to

Updated the message when the user entitlement is not found. Will add an additional message once provided.
Do we also want to separate errors when the user entitlement is revoked and when it has expired?

[f1sh1918]

i think the expiration info will be fetched from another endpoint when the app was started and there should already be an error message.

[seluianova]

@f1sh1918 you mean we should allow card creation when the user entitlement is expired?
(Currently we return an error in this case when a user tries to create a card)

[f1sh1918]

Ah okay i thought the issue is about what to show if an activated card is expired in the app.

I think we don't need separate errors but this depends on the error message. I think the user does not have to know if its revoked or the entitlement is expired the important thing is that the entitlement is not valid anymore

[f1sh1918]

Works great. Tested on ios.
Please address the one issue i mentioned

[f1sh1918]

I think we have to throw different exceptions here. At least we should create a TODO and ticket if it will not be done here.
We have to distinguish between the input data does not match the entitlement hash then we throw UserEntitlementNotFoundException()

If revoked or expired i would throw
UserEntitlementExpiredException or sth similar with a separate message

[seluianova]

I will need to associate a new exception with some error message.
Do you think Sie sind nicht mehr berechtigt, einen KoblenzPass zu erstellen is fine?

[ztefanie]

not tested again

[hauf-toni]

Here is the error display for the third variant that @ztefanie mentioned.
Here is also the updated version (only the text has been changed), which includes the changes from Koblenz.