224 confirmation email when companies register

[FranciscoCardoso913]

Confirmation email when companies register

Important:

Although this is a back-end issue it also has changes in the Front-End! See the changes made in the Front-End here: NIAEFEUP/nijobs-fe#309

Issue: #224

Discussed solution:

-When created, applications should have a state UNVERIFIED by default instead of the current PENDING state;

-After creating an application an email with a link should be sent to the company so they can validate their application, the link should expire in 10 minutes;

-A company should not be able to create an application with an email associated with an UNVERIFIED application whose link is yet to expire;

-If the link of an application expires and the company tries to create another application the previous application of that company should be deleted;

-The link should send the user to a page where the application is validated, when validating the application its state should change to pending and an email should be sent to the company.

Back-End changes:

-The application model now has a new attribute called "isVerified" which indicates if the application has already been validated or not by the company, the attribute is set to false when the application is created;

-There is a new application state, an application is UNVERIFIED when the isVerified is false, and PENDING when isVerified is true and both of the approvedAt and the rejectedAt are null;

-Before creating a new application the Back-End now checks if an application with the same email as the new application had been created in less than 10 minutes from the time the request for a new application is sent, if so the Back-End returns an error to the Front-End, otherwise, the Back-End deletes the old application( if it exists) and creates a new one;

-If the Front-End requests it the Back-End validates the application, returning an error if for some reason the validation is illegal (token has expired, the token is not valid, the application is already validated, etc...) ;

-Emails have been changed! Now when a new application is created a single email with a link is sent to the company, only after the application is validated that two other emails are sent, one of them sent to the NIJobs team informing that a company has created a new application and the other sent to the company to inform that everything went well and that we will review their request.

-The function verifyAndDecodeToken now returns a different error when the token expires and when the token is invalid, unlike before when the error returned was the same;

Emails new order:

-The first email which is sent to the company when the application is created:

-The second email sent to the NiJobs team when the application is validated.

-The third email which is sent to the company after the application is validated.

What is yet to be done:

-Tests;

Doubts:

-Should we change any of the email's text/order?

-Did we use the API errors correctly or should we have done something differently?

-Is everything in the correct place or is there anything that is more adequate somewhere else?

-Should the UNVERIFIED applications, which can no longer be verified, be deleted automatically from time to time or should we let it be like it is now (it's only deleted when a new application with the same email is created  )?

[render]

Your Render PR Server URL is https://nijobs-be-pr-306.onrender.com.

Follow its progress at https://dashboard.render.com/web/srv-cfk2gnhgp3jgtsvl5cu0.

[FranciscoCardoso913]

New workflow

Discussed solution

• When creating a new application companies will need to verify their account by clicking on a link sent by email.
• After that, the company will be able to finish its registration. In addition to that, an email will be sent to the NiJobs team to inform us that a new company wants to register so that we can evaluate its application
• After finishing their registration, companies will be able to create offers, however, these offers will only be made public when the company's application is accepted (its status will be "pending")
• When the company is accepted by us it will have full access to the NiJobs website.

[Naapperas]

@FranciscoCardoso913 @dsantosferreira Updates on this?

[Naapperas]

Regarding the check annotations, GH does not have the ability to do an E2E security audit, from the looks of it. Most of the times the security issues that it signals are already being mitigated my validators/middleware. We should still see if these are valid just in case something slips through

[codecov]

Codecov Report

Attention: Patch coverage is 90.82569% with 10 lines in your changes are missing coverage. Please review.

Project coverage is 90.55%. Comparing base (82886d0) to head (4f35451).

Files	Patch %	Lines
src/services/application.js	88.23%	4 Missing ⚠️
src/api/routes/application.js	83.33%	2 Missing ⚠️
src/api/routes/company.js	77.77%	2 Missing ⚠️
src/services/company.js	60.00%	2 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##           develop     #306      +/-   ##
===========================================
+ Coverage    90.34%   90.55%   +0.21%     
===========================================
  Files           54       55       +1     
  Lines         1470     1546      +76     
  Branches       246      257      +11     
===========================================
+ Hits          1328     1400      +72     
- Misses         137      141       +4     
  Partials         5        5              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[DoStini]

Why gone? This should just be forbidden, no?

"The HyperText Transfer Protocol (HTTP) 410 Gone client error response code indicates that access to the target resource is no longer available at the origin server and that this condition is likely to be permanent."

[Naapperas]

@FranciscoCardoso913 did you give an explanation regarding this?

[DoStini]

Why this change?

[FranciscoCardoso913]

It was an accident

[Naapperas]

@FranciscoCardoso913 this does not seem to have changed, was it a typo or not?

[Naapperas]

Most of the comments I made serve as introductions for discussion, not necessarily requested changes. There are some, however, hence this.

Besides this, I just remembered something: what is the behavior of offers belonging to a company that gains full access to NIJobs if there are more than the allowed amount of concurrent offers pending? (I might have forgotten, sorry 🥲)

[Naapperas]

@FranciscoCardoso913 did you give an explanation regarding this?

[Naapperas]

I just thought of something: although the token was generated as part of the process of a company applying to use NIJobs, the token itself is not part of the company. As such, I would suggest restructuring the code a bit, following the comments I'll be leaving next.

The general idea is that a token is part of an application but not a company, so having /apply/company/:token seemed a bit odd to me. What do you think?

[Naapperas]

Feel free to ignore the following comments if you don't agree with this opinion, given that you reason about it.

[Naapperas]

Suggested change

	router.post("/", validators.create, applicationMiddleware.exceededCreationTimeLimit, async (req, res, next) => {
	router.post("/company", validators.create, applicationMiddleware.exceededCreationTimeLimit, async (req, res, next) => {

I cannot edit unmodified lines but above, on line 12, it should become:

app.use("/apply", router);

This change should not break existing functionality/tests.

[Naapperas]

All tests that hit this route should take into account the change made on the comment above.

[Naapperas]

On way for this to "look cleaner" is if the "pending" state could be computed from the account object itself. Take a look at Mongoose Schema Virtuals and see if you agree with this.

[Naapperas]

Also, maybe this could be hidden behind a service call? Don't we have an AccountService ?

[Naapperas]

Same thing as last comment.

[Naapperas]

I believe that, although companies should already know this, we should warn them about our imposed limits on concurrent offers.

[Naapperas]

@FranciscoCardoso913 any comments on this?

[Naapperas]

Why did you move the error handling logic out of this method? I recall you returning different errors based on the thrown exception. Couldn't we abstract those jwt exceptions into our custom, more semantic, ones? Food for thought.

[DoStini]

I agree with this comment, I think the error handling error should be inside and outside a simpler null check

[Naapperas]

@FranciscoCardoso913 this does not seem to have changed, was it a typo or not?

[Naapperas]

Some of the comments appear outdated and I don't know why: when I open the respective files nothing changed. Please resolve or answer the conversations as if they were not outdated.

[DoStini]

As of my comments, everything seems to be fine. Before merging address the comments @Naapperas suggested