Skip to main content

Create Users from 3rd Parties

This is a flow to sync a user's account from a third-party system.

Step 1: Login with none exists user

The flow first attempts to log in with a non-existent user's email and password, which should fail with a 401 Unauthorized error. This is done to ensure that the test user does not already exist in the system.

  1. Call POST /api/auth/login with the following request body:
{
  "type": "password",
  "clientId": "client-app-id",
  "clientSecret": "client-app-secret",
  "withPassword": {
    "emailOrUsername": "none-exists-email@gmail.com",
    "password": "arbitrary-password"
  }
}
  1. Request will failed with 401 Unauthorized - User not found error, this is expected behaviours.

Step 2: Sync or create new user from internal API calls

View architecture section about internal API calls

Next, the test calls PUT /api/users/ endpoint with a set of user data and credentials. This function is expected to create a new user account in the system based on the provided credentials. The newly synced user object is then checked to ensure that it is defined and not null.

  1. Call PUT /api/users/ with the following request body
Body
{
  "username": "cersei.lannister",
  "email": "cersei-lannister@gmail.com'",
  "password": "C3rs3i#L4nnist3r",
  "emailVerified": true // Importance
}
Importance

emailVerified must be set to true since, account is synced from other system, auth service with not know the email has been verified or not

  1. Also embeded request with system-user header or request will failed, since no admin user associated with the request
Headers
{
  "x-user-ctx": "based64-of-user-context"
}

Where context is built from:

var based64UserContext = JSON.stringify({ id: "__system", user: "__system" });

Or with admin authorization for public API access

Headers
{
  "Authorization": "Bearer your_token_here"
}
Importance

x-user-ctx header field only allowed in internal services comunication, which will be tripped on public api access via api gateway server.

In public API access, use Authorization instead.

  1. Expect code return 200 OK with new user information
{
  "emailVerified": true,
  "username": "cersei.lannister",
  "email": "cersei-lannister@gmail.com",
  // Note that the password field is hashed since we don't store raw password in our system.
  "password": "$2b$06$k2WcyM0iw0Jy3aYfFBi2MuNwunZtO0S9uTV1QEyqKtmM3t/4JwYcC",
  "id": "755243458806280480",
  "_guid": "user_3DqfWw6ZJoZf5waKSckJLMOtVu",
  "createdBy": "__system",
  "createdAt": "2023-05-04T01:34:03.320Z",
  "updatedAt": "2023-05-04T01:34:03.320Z",
  "deletedAt": null,
  "updatedBy": null,
  "deletedBy": null,
  "firstName": null,
  "lastName": null,
  "locale": null,
  "roles": null,
  "phoneNumber": null,
  "avatar": null,
  "birthday": null,
  "gender": null,
  "lockedAt": null,
  "isActive": true,
  "isLocked": false
}

Step 3: Login again with new created user

Finally, the test attempts to log in again with the same email and password as before. This time, the login should be successful since the user account has been synced into the system.

  • POST /api/auth/login: Login user.
  • PUT /api/users: Create new user.