@W-16889880 - Complete Social Login Integration: Connect Backend API to UI

[yunakim714]

Description

Wire up Social Login API calls to the newly implemented UI.
Login should work in 3 locations:

1. Login modal
2. Login page
3. Checkout page

We have configured Google and Apple as OOTB IDPs.

Types of Changes

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Documentation update
• Breaking change (could cause existing functionality to not work as expected)
• Other changes (non-breaking changes that does not fit any of the above)

Breaking changes include:

• Removing a public function or component or prop
• Adding a required argument to a function
• Changing the data type of a function parameter or return value
• Adding a new peer dependency to package.json

Changes

• Add commerce-sdk-react API calls to the newly implemented UI

• Add redirectURI as parameter, as this will be different from the default callback path that has already been set in app/components/_app-config here

• If there is an error with the login API call, there will be an error on the redirect page as so:
  

How to Test-Drive This PR

• Navigate to https://wasatch-mrt-social-login-poc.mrt-storefront-staging.com/ where social and passwordless login have been enabled
• Open the login modal
• Verify that you can log in with both Google and Apple
  • Verify that you can log in from all 3 locations: login page (/login), login modal, and checkout page (/checkout)
  • If using the login modal or checkout page, verify that you are redirected back to the page where you initiated login

To run the e2e test:

• Point the test to the deployed environment by setting an env var like so: export RETAIL_APP_HOME=https://wasatch-mrt-social-login-poc.mrt-storefront-staging.com
• Run npx playwright test --ui from the monorepo root
• Run the test: Registered shopper logged in through social retains persisted cart
• Verify that the user is logged in and sees their user details in the secure account page as well as the items they added to cart as a guest
• ⚠️I have added the NEW Google PWA Kit account credentials into Password Manager in the Imported Mobify - Product folder !!⚠️

Checklists

General

• Changes are covered by test cases
• CHANGELOG.md updated with a short description of changes (not required for documentation updates)

Accessibility Compliance

You must check off all items in one of the follow two lists:

• There are no changes to UI

or...

• Changes were tested with a Screen Reader (iOS VoiceOver or Android Talkback) and had no issues
• Changes comply with WCAG 2.0 guidelines levels A and AA
• Changes to common UI patterns and interactions comply with WAI-ARIA best practices

Localization

• Changes include a UI text update in the Retail React App (which requires translation)

[yunakim714]

Similar to loginIDPUser, if a user passes in a redirectURI, we want to prioritize using this value

[yunakim714]

We need to use the guest usid in order to run mergeBasket

[bendvc]

Can you tell me more about this change here? We are now ignoring a parameter that is being passed in? Why aren't we doing something like the fallback where const usid = parameters.usid || this.get('usid') like you did for the redirect uri?

[yunakim714]

I changed this to use this.get('usid')because merge basket will only work if the /authorize and /token calls receive the same guest usid. The Auth class stores the same usid until the user is logged in so this would work.

However, I can still also do const usid = parameters.usid || this.get('usid') - the /authorize response body will return the same usid that is passed in the request params, and will only generate a new usid if there isn't one provided.

[yunakim714]

Mocking the form's success state in order to render the Check Your Email modal

[yunakim714]

We merge the user's basket if the user is logged in successfully through social login!

[yunakim714]

I have added the redirectURI here so that users can configure the redirectURI they want to use specifically for social login. This may differ from the redirectURI they have configured in AppConfig here

[bredmond-sf]

[NIT] shopping cart :)

[yunakim714]

Hey @bendvc - Wanted to get your input on this. Nate, Pratik, and I have been discussing ways to resolve the "Social Login first" issue, where profiles that have been created through Social Login are unable to edit any profile credentials, because well, there aren't any.

For a short-term solution, I was thinking we could use local storage to denote that the current user is a social login user, and if so, disable edit in the Account page. I think in future work we're hoping the getCustomer endpoint will somehow be able to indicate whether the user profile was created through an external IDP or ECOM.

Here's how the account page would look like for social login users:

[bendvc]

That is an interesting problem. If there is absolutely no way to tell via the JWT, I think this should be an acceptable solution. To make things a little more robust I might seek to use something like loginSource = credentials|idp instead of isSocialProfile because you can imagine a non-social first profile that just happened to log in via IDP doesn't mean that it's a social profile.

I guess the next question is someone that has a "non-social first" account, but logs in via IDP.. can they change there password? If they can we there isn't really a way to tell if we should be limiting them on changing their password, and it would be more like an artificial limitation that we impose and they have to log in with their password in order to make those types of changes?

This might deserve a short convo

[bendvc]

NIT: The new prop disableEdit seems to have the same outcome as not passing in a onEdit value. This isn't a big deal, but typically you might have a different visual treatment if you were supplying 2 params like this. E.g. you have an onEdit callback, but it's disabled via disableEdit so it shows as disabled. But here we are not showing it, same as no passing in onEdit.

No action to take here, but just food for thought.

[bendvc]

As I get further down in this PR I see more and more prop drilling of this isSocialProfile. It's not a horrible pattern but no used as much these days.

Did you ever thing about having this information made available via a provider/hook combo? Something that comes to mind is to have it implemented in the commerce-sdk-react so you can reuse some code there.

[bendvc]

@kevinxh would be a good person to ask about whether or not thats a good idea to implement in that lib.

[kevinxh]

I think ideally the commerce-sdk-react library should handle the state isSocialProfile, it would be easy if that information is embedded in the jwt token, if not, we should seek to manually store the state in the Auth class as a class property.

something like

// commerce-sdk-react auth.js

class Auth {
  isSocialLogin = false
  
  loginSocial = () => {
    // ...do the login
    this.isSocialLogin = true
    
    // potentially also store the IDP information like google, facebook, etc
  }
}

// Then we can provide a utility hook
// commerce-sdk-react useSocialLogin()
export const useSocialLogin = () => {
   const auth = useAuth()
   return auth.isSocialLogin
}

[bendvc]

Think about inverting this condition so that your code is a little flatter, like:

        if (!searchParams.code || !searchParams.usid) {
            return
        }

        loginIDPUser.mutateAsync({
            code: searchParams.code,
            redirectURI: redirectURI
        })

Also.. what happens if that condition doesn't result in a login? Or if someone goes to this page without the params?

[yunakim714]

@bendvc I added error handling in case this condition doesn't result in a login.

If someone goes to this page without the params they will not be redirected to the secure account page as this login API will not be called.

[bendvc]

You can think about inverting this condition again. As a rule of thumb if all the code is wrapped in a condition, then it's a good candidate to invert, but if you have an equally size "else" then maybe not.

[bendvc]

Good call on checking for this value before navigating.

[bendvc]

I noticed that this is a copy of out other basket merge. I'm wondering if the commerce-sdk-react should be adding this for us. Kevin might be a good person to ask about that. Looking at the api docs the body is alway json, so I don't know why we would have to specify that all the time.

[yunakim714]

@kevinxh @bendvc The isb claim in the SLAS JWT access token tells us whether the user is an ecom user or not. Would it be okay to return this value as part of the existing useCustomerType hook ?

[kevinxh]

That useCustomerType hook has this return type:

export type CustomerType = null | 'guest' | 'registered'

Are you going to change that? what would the return type look like?

[yunakim714]

The return type is:

type useCustomerType = {
    customerType: CustomerType
    isGuest: boolean
    isRegistered: boolean
    uido: string | null
}

So I would just add uido !

[bendvc]

My gut is telling me that this right. First, the name of this type if probably not the best.. but imagine the type is called "CustomerType" ... you can see that it doesn't make sense to have anything but "type" in it. Is seems like we are sneaking uido into this hook. Maybe we can talk about it a little more.

[yunakim714]

If the user sets the redirectURI to be a different relative path in their config file, we want this reflected here in routes.jsx. The default will be /social-callback

[yunakim714]

Adding test to verify that non ECOM users cannot edit nor see the Password card

[bendvc]

I wonder if this is going to get caught by security? @shethj do we have an precedence for this, are we using secrets and environment variables for anything that we can copy the implementation?

@yunakim714 can you reach out to jainam for this.. I think he's knowledgable in the e2e landscape.

[shethj]

Yeah we set all secrets in Github Actions settings and they can be set as env vars at runtime.
Values can be read from process.env in the tests.
Refer this code where we read the storefront domain from env var:

pwa-kit/e2e/config.js

Line 10 in 57c24e1

process.env.RETAIL_APP_HOME ||

[bendvc]

Will the basket persist for this user over time. For example will the e2e run one day to the next and accumulate items in that cart until it potentially errors out?

We could possibly remove the item from the cart after checking for its existence to be safe.

[bendvc]

Under what circumstances would the usid on parameters be undefined?

[bendvc]

Is usid on LoginIDPUserParams type optional? .. seems a little odd that it would be.

[bendvc]

We are setting this value.. but where are we getting it?

[yunakim714]

We are getting it here const {uido} = this.parseSlasJWT(res.access_token) in line 582

[bendvc]

NIT: It would be safer to have the optional chaining throughout this chain. E.g. getConfig()?.app?.login?.social?.redirect

[bendvc]

Lets talk about this setLoginType.. it's being prop drilled pretty deep and I kinda gave up after a couple files.. maybe there is a better solution here.

[bendvc]

There might be other use cases for wanting to disable the password reset. Might be wise to make this a little more generic by making this literal.. like "canResetPassword" or "allowPasswordChange". This way the component will be more flexible.