[Spike] Activate user

[mahalakshme]

User flow:

Users uploaded on Avni should receive their credentials only after they complete their training on Glific. So the flow for this keeping in mind to minimise the errors is:

• The data entry person will upload the user and catchment details as usual on Avni
• But the above users will be in deactivated form and should not receive credentials
• Once the users finish their training on Glific, Glific via web hook will call /activate on Avni during which users should receive the credentials
• The data entry person will monitor the webhook logs on a daily basis and for the failed calls will activate the users manually in Avni.

As is:

Currently activating or deactivating a user from webapp User page, activates/deactivates in Cognito as well, enabling the user to login. The user doesn't receive any credentials on activation.

Suggestion of Avni flow:

Step 1: Creating users in deactivated mode:

• Have a column in CSV file of 'Users and Catchments' called Active. Default value will be the configured one for the org. Can override by setting it to false or true.

Technical suggestion to achieve the above:

Set DesiredDeliveryMediums to empty list on user creation API to avoid sending SMS to the user

Step 2: Sending user credentials via SMS when activated:

• Need to send only when the 'Confirmation status' of the user in Cognito is 'Force change password'. No need to send if it is 'Confirmed'.

Tech suggestion:

1. Setup a Lambda trigger in RWB env alone to achieve this. The lambda should get activated when manually activated via Avni webapp UI or when a user is created in an activated state initially itself.
   Sample python code:

import boto3

# Initialize SNS client
sns_client = boto3.client('sns')

def lambda_handler(event, context):
    # Extract user details from the event
    user_pool_id = event['userPoolId']
    username = event['userName']
    user_attributes = event['request']['userAttributes']
    phone_number = user_attributes.get('phone_number')
    temporary_password = user_attributes.get('custom:temporary_password')  # Assuming stored as a custom attribute
    
    if not phone_number or not temporary_password:
        print(f"Missing phone number or temporary password for user {username}.")
        return

    # Compose the SMS message with credentials
    message = (
        f"Hello {username},\n"
        f"Your account has been activated.\n"
        f"Username: {username}\n"
...

2. In the 'Authentication methods' under 'Password Policy' update 'Temporary passwords set by administrators expire in
   ' to 365 days from 90 days.

AC:

• Make sure the above technical suggestion will work and suggest alternatives if any better available.
• The idea is to achieve the intended user flow without adding any features that are too specific for an organisation.
• Also suggest estimate for the above to identify if the above process has derailed from the previous estimates.

Inputs:

• from Avni trigger flow - training on Glific to avoid manual work