From da55dddade3149c262be4f66f6dead2a74b2bda4 Mon Sep 17 00:00:00 2001
From: Artur Gaspar <artur@opencraft.com>
Date: Fri, 13 Oct 2023 12:17:04 -0300
Subject: [PATCH] feat: redirect to custom URL when third-party auth account is
 unlinked

(cherry picked from commit abad25c00348481b4f2a9350c62828f845ab9189)
---
 .env                               |  1 +
 README.rst                         |  6 +++-
 src/config/index.js                |  1 +
 src/login/LoginPage.jsx            | 12 ++++++++
 src/login/tests/LoginPage.test.jsx | 46 ++++++++++++++++++++++++++++++
 5 files changed, 65 insertions(+), 1 deletion(-)

diff --git a/.env b/.env
index 33da6f0904..893bd7be39 100644
--- a/.env
+++ b/.env
@@ -13,6 +13,7 @@ ORDER_HISTORY_URL=null
 REFRESH_ACCESS_TOKEN_ENDPOINT=null
 SEGMENT_KEY=''
 SITE_NAME=null
+TPA_UNLINKED_ACCOUNT_PROVISION_URL=''
 INFO_EMAIL=''
 # ***** Cookies *****
 USER_RETENTION_COOKIE_NAME=null
diff --git a/README.rst b/README.rst
index 52fc2faa29..89d0023923 100644
--- a/README.rst
+++ b/README.rst
@@ -112,6 +112,10 @@ The authentication micro-frontend also requires the following additional variabl
      - Name of MFE, this will be used by the API to get runtime configurations for the specific micro frontend. For a frontend repo `frontend-app-appName`, use `appName` as APP_ID.
      - ``authn`` | ``''``
 
+   * - ``TPA_UNLINKED_ACCOUNT_PROVISION_URL``
+     - URL to redirect to when the identity provided by third-party authentication is not yet linked to a platform account. This allows for redirecting to a custom sign-up flow handled by an external service to create the linked account. An empty string (the default) disables this feature.
+     - ``http://example.com/signup`` | ``''``
+
 
 edX-specific Environment Variables
 **********************************
@@ -187,4 +191,4 @@ Please see `LICENSE <https://github.com/openedx/frontend-app-authn/blob/master/L
    :target: https://github.com/openedx/edx-developer-docs/actions/workflows/ci.yml
    :alt: Continuous Integration
 .. |semantic-release| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
-   :target: https://github.com/semantic-release/semantic-release
\ No newline at end of file
+   :target: https://github.com/semantic-release/semantic-release
diff --git a/src/config/index.js b/src/config/index.js
index 73560c5dcf..20992a6537 100644
--- a/src/config/index.js
+++ b/src/config/index.js
@@ -20,6 +20,7 @@ const configuration = {
   SEARCH_CATALOG_URL: process.env.SEARCH_CATALOG_URL || null,
   TOS_AND_HONOR_CODE: process.env.TOS_AND_HONOR_CODE || null,
   TOS_LINK: process.env.TOS_LINK || null,
+  TPA_UNLINKED_ACCOUNT_PROVISION_URL: process.env.TPA_UNLINKED_ACCOUNT_PROVISION_URL || null,
   // Base container images
   BANNER_IMAGE_LARGE: process.env.BANNER_IMAGE_LARGE || '',
   BANNER_IMAGE_MEDIUM: process.env.BANNER_IMAGE_MEDIUM || '',
diff --git a/src/login/LoginPage.jsx b/src/login/LoginPage.jsx
index 52ab010182..8fed63dfda 100644
--- a/src/login/LoginPage.jsx
+++ b/src/login/LoginPage.jsx
@@ -310,6 +310,18 @@ class LoginPage extends React.Component {
     } = this.props;
     const { currentProvider, providers, secondaryProviders } = this.props.thirdPartyAuthContext;
 
+    const unlinkedProvisionUrl = getConfig().TPA_UNLINKED_ACCOUNT_PROVISION_URL;
+
+    /**
+     * When currentProvider exists and we are in a login page, it is
+     * because the third-party authenticated account is not linked.
+     * See also ThirdPartyAuthAlert.jsx.
+     */
+    if (currentProvider && unlinkedProvisionUrl) {
+      window.location.href = unlinkedProvisionUrl;
+      return null;
+    }
+
     if (this.tpaHint) {
       if (thirdPartyAuthApiStatus === PENDING_STATE) {
         return <Skeleton height={36} />;
diff --git a/src/login/tests/LoginPage.test.jsx b/src/login/tests/LoginPage.test.jsx
index 11753df438..dd0b8285d4 100644
--- a/src/login/tests/LoginPage.test.jsx
+++ b/src/login/tests/LoginPage.test.jsx
@@ -766,4 +766,50 @@ describe('LoginPage', () => {
 
     expect(store.dispatch).toHaveBeenCalledWith(loginRemovePasswordResetBanner());
   });
+
+  it('should not redirect to provisioning URL when not configured', () => {
+    mergeConfig({
+      TPA_UNLINKED_ACCOUNT_PROVISION_URL: '',
+    });
+
+    store = mockStore({
+      ...initialState,
+      commonComponents: {
+        ...initialState.commonComponents,
+        thirdPartyAuthContext: {
+          ...initialState.commonComponents.thirdPartyAuthContext,
+          currentProvider: ssoProvider.name,
+        },
+      },
+    });
+
+    delete window.location;
+    window.location = { href: getConfig().BASE_URL.concat(LOGIN_PAGE) };
+
+    render(reduxWrapper(<IntlLoginPage {...props} />));
+    expect(window.location.href).toEqual(getConfig().BASE_URL.concat(LOGIN_PAGE));
+  });
+
+  it('should redirect to provisioning URL on unlinked third-party auth account', () => {
+    mergeConfig({
+      TPA_UNLINKED_ACCOUNT_PROVISION_URL: 'http://example.com/signup',
+    });
+
+    store = mockStore({
+      ...initialState,
+      commonComponents: {
+        ...initialState.commonComponents,
+        thirdPartyAuthContext: {
+          ...initialState.commonComponents.thirdPartyAuthContext,
+          currentProvider: ssoProvider.name,
+        },
+      },
+    });
+
+    delete window.location;
+    window.location = { href: getConfig().BASE_URL.concat(LOGIN_PAGE) };
+
+    render(reduxWrapper(<IntlLoginPage {...props} />));
+    expect(window.location.href).toEqual('http://example.com/signup');
+  });
 });