Problem statement:
The Sunbird system will allow user on-boarding in the following ways:
- Self sign up
- Google Plus login
- State login
The problem arises during user profile merging: migrating a self sign up user profile to a Google Plus login or a state login.
Note: Since create user requires phone or email verification by sending an OTP, our assumption is that each adopter will be using an SMS gateway if their users want to sign up with a phone number.
User attributes required during sign up:

Attribute | Type | Required | Purpose |
---|---|---|---|
name | string | true | Name of the user; can be a combination of first name, middle name and last name |
username | alphanumeric | false | Unique identity of the user; the username is unique per installation |
password | alphanumeric | true | |
phone | number | conditional | Either phone or email is mandatory, but at creation time the user can't pass both |
email | alphanumeric | conditional | Either phone or email is mandatory, but at creation time the user can't pass both |
userType | string | internal | Identifies whether the user is a Teacher or Other; as of now there are only two types |
isPhoneVerified | boolean | internal | True only when the user has verified the phone OTP |
isEmailVerified | boolean | internal | True only when the user has verified the email OTP |
otp | number | false | OTP can be passed during signup |
Self sign up work flow:
- The user enters all mandatory fields (name, phone/email, username, password) on the consumer portal/app.
- The consumer makes a call to generate an OTP for either the phone or the email.
- OTP generation is taken care of by Design for One time password (OTP).
- Once the user enters the OTP, the consumer performs basic OTP validation and then calls the create user API.
- The system checks the uniqueness of email/phone and username and checks the OTP; if everything is ok it creates the user under Sunbird.
- If any validation fails, it throws a proper error.
Create User API request body:

URI: v2/user/create
Method: POST
Request body:

```json
{
  "request": {
    "firstName": "name of user",
    "email": "valid and unique email id",
    "phone": "valid phone number",
    "password": "user password",
    "username": "unique user name. Optional",
    "channel": "rootOrg channel value (Optional)",
    "organisationId": "",
    "OTP": "entered OTP by user (optional)",
    "VerificationType": "it can be OTP, Google, or some state"
  }
}
```

channel: if the user passes it, it must be valid and the user will be associated with it with the "PUBLIC" role.

Note:
* User creation now won't ask the user to enter phoneVerified if the user is providing a phone number.
* Is username an auto-generated unique value or does the user have to enter it? It's optional for the user; if the user does not provide it, the system will generate it.
* Do we need to take orgId or channel in create user to associate the user with another rootOrg?
* How to do validation for Indian phone numbers? As per the PRD only Indian phone numbers are valid.
* Are we taking the country code as well from the user, or will we always associate the user's country code as "+91"?
* Do we need to make OTP mandatory or optional based on introducing signupType?
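As an added example (not Sunbird's own code), the following Python sketches the create-user checks listed in the self sign up flow against constructed in-memory stores standing in for the user table and the OTP service. It treats the OTP as mandatory, which the notes above leave open, and the username generator is an assumption.

```python
import secrets

# Constructed in-memory stand-ins for Sunbird's user store and for the OTPs
# the OTP service has issued; both are assumptions made for this example.
EXISTING_USERS = [
    {"username": "asha_k", "email": "asha@example.org", "phone": None},
    {"username": "ravi01", "email": None, "phone": "9876543210"},
]
ISSUED_OTPS = {"new.user@example.org": "482913", "9123456780": "117744"}


def generate_username(first_name, users):
    """Assumed generator: readable prefix from the name plus a random suffix."""
    taken = {u["username"] for u in users}
    base = "".join(ch for ch in first_name.lower() if ch.isalnum()) or "user"
    while True:
        candidate = f"{base}_{secrets.randbelow(10000):04d}"
        if candidate not in taken:
            return candidate


def validate_create_request(body, users=EXISTING_USERS, otps=ISSUED_OTPS):
    """Apply the create-user checks; return the record to persist or raise
    ValueError with the failure the API should report. The password goes to
    the credential store and is deliberately not part of the record."""
    req = body.get("request", {})
    for key in ("firstName", "password"):
        if not req.get(key):
            raise ValueError(f"{key} is mandatory")
    phone, email = req.get("phone") or None, req.get("email") or None
    if bool(phone) == bool(email):  # exactly one contact channel allowed
        raise ValueError("exactly one of phone or email must be supplied")
    contact = phone or email
    if any(contact in (u["phone"], u["email"]) for u in users):
        raise ValueError("phone/email already registered")
    username = req.get("username") or generate_username(req["firstName"], users)
    if any(u["username"] == username for u in users):
        raise ValueError("username already taken")
    # OTP treated as mandatory here; compare in constant time against the OTP
    # issued for this exact phone/email, never against any issued OTP.
    issued = otps.get(contact, "")
    if not req.get("OTP") or not secrets.compare_digest(str(req["OTP"]), issued):
        raise ValueError("OTP invalid for the supplied phone/email")
    return {
        "firstName": req["firstName"], "username": username,
        "phone": phone, "email": email,
        "isPhoneVerified": phone is not None,
        "isEmailVerified": email is not None,
    }
```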
Storage of user data before user creation:
The requirement is that Sunbird should not create the user in the system until the user is verified.
Proposed solution 1:
The consumer (portal/app) can hold the user data in a local cache and make the create user API call only once the OTP is verified.
Pros | Cons |
---|---|
Proposed solution 2:
User data can be stored under Sunbird in a temporary table; once the user verifies the OTP, the data is moved from the temp table to the other places from where it can be used.
Pros | Cons |
---|---|
Google sign-in:
When a user comes to Sunbird via Google sign-in, the caller will do the following checks.
- If the user already exists in Sunbird and the user status is not deleted, allow that user to log in.
- If the user does not exist in Sunbird, make the API call below.
URI:
Method: POST
Request body:

```json
{
  "request": {
    "firstName": "",
    "email": "",
    "loginType": "",
    "verificationKey": "id_token in case of Google"
  }
}
```

Response: same as the create user API.

This API will do the following validation:
1. Make a Google API call by appending the verificationKey to the URL as follows: https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={verificationKey}
2. Once verified, it will call the create user API to create the user. Once the user is created, his/her email verified field will be true.
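Added example, not Sunbird code: checking the tokeninfo response before calling create user. Step 1 above only says the token is verified; a valid Google token must also be meant for this deployment (aud), unexpired and carry a verified email, so those claims are checked too. The client id, the sample claims and the fallback for a missing given_name are constructed assumptions.

```python
import time
from urllib.parse import quote

TOKENINFO = "https://www.googleapis.com/oauth2/v3/tokeninfo?id_token={}"
GOOGLE_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

# Constructed sample of what the tokeninfo endpoint returns for a valid
# id_token; the endpoint serialises every claim as a string.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": "sunbird-portal.apps.googleusercontent.com",  # assumed client id
    "sub": "110169484474386276334",
    "email": "meera@example.org",
    "email_verified": "true",
    "given_name": "Meera",
    "exp": "1700003600",
}


def tokeninfo_url(id_token):
    """URL the design calls, with the verificationKey appended."""
    return TOKENINFO.format(quote(id_token, safe=""))


def user_from_tokeninfo(claims, expected_aud, now=None):
    """Validate the tokeninfo claims, then build the create user request.

    Google having signed the token is not sufficient: it must be issued for
    this deployment's client id, still be valid, and name a verified email.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in GOOGLE_ISSUERS:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("token issued for a different client")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    if str(claims.get("email_verified")).lower() != "true":
        raise ValueError("Google has not verified this email")
    # Assumed fallback for the open question about Google users without a name.
    first_name = claims.get("given_name") or claims["email"].split("@")[0]
    return {"request": {
        "firstName": first_name,
        "email": claims["email"],
        "VerificationType": "Google",
    }}
```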
State sign-in:
When a user comes through the state portal, he/she will get a link to access the Diksha portal.
- Once the user clicks the link, the system internally checks for the existence of the user in Diksha.
- If found, the user is taken directly to the Diksha portal through the trampoline update.
- If not found, we invoke the user sign-up process by reading the data from the existing JWT token.
- An OTP is generated and sent to the user's mobile phone. OTP generation is taken care of by Design for One time password (OTP).
- On Diksha the user is redirected to Enter OTP for the first-time login.
- On successful OTP validation, the user is created within Diksha and logged into the platform.
Create User API request body:

URI: v2/user/create
Method: POST
Request body:

```json
{
  "request": {
    "firstName": "name of user",
    "phone": "valid phone number",
    "username": "auto-generated username",
    "channel": "rootOrg channel value (Optional)",
    "organisationId": "",
    "OTP": "entered OTP by user"
  }
}
```

channel: if the user passes it, it must be valid and the user will be associated with it with the "PUBLIC" role.
Open Questions:
- What should the userName be in this case? (As discussed, the username will be auto-generated; internally the system will make sure that the auto-generated username is related to the user and not very hard to remember.)
- Does the system need to generate a password for a Google signup user? (As per discussion, no need to generate a password.)
- Do we need to send any welcome email to the user? If yes, what should the content be? (As per discussion, for Google user creation there is no need to send any email.)
- What will happen if some old Google user does not have a firstName or name at all?
- There might be a scenario where the user already exists but his status is deleted. (As per discussion, user creation will fail.)
- Do we need to carry loginId as well?
- In the old implementation, do we have to send phoneVerified as true during user create?