Enable Open Library to perform account activation + sign-in #10262

@mekarpeles

Proposal

A new xauthn endpoint that will enable the Internet Archive to send activation emails for Open Library patrons that perform activation + sign-on from openlibrary.org

If the service is openlibrary, the email should be updated to point to openlibrary.org/account/verify
https://git.archive.org/ia/petabox/-/blob/master/www/common/Account.inc#L605-622

When the patron clicks on the link, the functions here:
https://github.com/internetarchive/openlibrary/blob/master/openlibrary/plugins/upstream/account.py#L627-L659

Should be replaced with a new account/verify, which uses xauthn https://github.com/internetarchive/openlibrary/blob/master/openlibrary/accounts/model.py#L711-L751 to activate the account, as described in https://git.archive.org/ia/petabox/-/tree/master/www/common/XAuthn#activate

Justification

Problem

What problem does this proposal address & for what audience(s)?

Without this new flow, patrons are instead confusingly ping-ponged between services and required to log in multiple times.

More seamless onboarding experience.

Breakdown

@jimbonator has prototyped here:
https://git.archive.org/ia/petabox/-/commits/jim-xauthn-activate

Requirements Checklist

  • Extend **xauthn** to include an activate method that takes a verification_token and an email, verifies an account, and on success returns s3 credentials.
  • Repurpose or extend the activate form to work with archive.org token
    ```python
    class account_verify(delegate.page):
        """Verify user account."""

        path = "/account/verify/([0-9a-f]*)"

        def GET(self, code):
            docs = web.ctx.site.store.values(type="account-link", name="code", value=code)
            if docs:
                doc = docs[0]
                account = accounts.find(username=doc['username'])
                if account and account['status'] != "pending":
                    return render['account/verify/activated'](account)
                account.activate()
                user = web.ctx.site.get("/people/" + doc['username'])  # TBD
                return render['account/verify/success'](account)
            else:
                return render['account/verify/failed']()

        def POST(self, code=None):
            """Called to regenerate account verification code."""
            i = web.input(email=None)
            account = accounts.find(email=i.email)
            if not account:
                return render_template("account/verify/failed", email=i.email)
            elif account['status'] != "pending":
                return render['account/verify/activated'](account)
            else:
                account.send_verification_email()
                title = _("Hi, %(user)s", user=account.displayname)
                message = _(
                    "We've sent the verification email to %(email)s. You'll need to read that and click on the verification link to verify your email.",
                    email=account.email,
                )
                return render.message(title, message)
    ```
  • Update archive.org activation email to direct Open Library ol patrons to new openlibrary.org activate endpoint

Related files

The files on the petabox side are all in www/common/XAuthn. Transaction.inc contains the code for handling the HTTP request and producing the appropriate response. PetaboxAccountProxy.inc is where the verification code would live.

Stakeholders

Labels

  • Affects: Experience (Issues relating directly to service design & patrons experience)
  • Lead: @jimchamp (Issues overseen by Jim (Front-end Lead, BookNotes)) [managed]
  • Needs: Breakdown (This big issue needs a checklist or subissues to describe a breakdown of work.) [managed]
  • Needs: Staff / Internal (Reviewed a PR but don't have merge powers? Use this.)
  • Priority: 2 (Important, as time permits.) [managed]
  • Theme: Onboarding (Issues relating to improving patrons discovery and usage of the website)
  • Type: Feature Request (Issue describes a feature or enhancement we'd like to implement.) [managed]
