[SDP-701]: Inject organization privacy policy link into the SEP-24 we…

…bpages (#252) What The organization will provide the privacy policy link. Why The privacy policy file doesn’t need to be stored in the database or s3.
stellar · Apr 12, 2024 · 977e0c3 · 977e0c3
1 parent 9b65c15
commit 977e0c3
Show file tree

Hide file tree

Showing 6 changed files with 83 additions and 11 deletions.
diff --git a/internal/htmltemplate/tmpl/receiver_register.tmpl b/internal/htmltemplate/tmpl/receiver_register.tmpl
@@ -89,6 +89,15 @@
             <div data-section-error-message class="Notification__content"></div>
           </div>
         </div>
+        <!--  PrivacyPolicyLink footer -->
+        <div 
+          id="WalletRegistration__PrivacyPolicy"
+          class="WalletRegistration__Footer"
+        >
+          <p>Your data is processed by {{.OrganizationName}} in accordance with their <a href="{{.PrivacyPolicyLink}}"><b>Privacy Policy</b></a></p>
+          <p data-privacy-policy-link style="display: none">{{.PrivacyPolicyLink}}</p>
+        </div>
+
       </section>
 
       <!-- Enter passcode and verification field page -->
@@ -213,6 +222,15 @@
             ></div>
           </div>
         </div>
+
+        <!--  PrivacyPolicyLink footer -->
+        <div 
+          id="WalletRegistration__PrivacyPolicy"
+          class="WalletRegistration__Footer"
+        >
+          <p>Your data is processed by {{.OrganizationName}} in accordance with their <a href="{{.PrivacyPolicyLink}}"><b>Privacy Policy</b></a></p>
+          <p data-privacy-policy-link style="display: none">{{.PrivacyPolicyLink}}</p>
+        </div>
       </section>
 
       <!-- 👋 Injecting info for the JS here: -->

diff --git a/internal/htmltemplate/tmpl/receiver_registered_successfully.tmpl b/internal/htmltemplate/tmpl/receiver_registered_successfully.tmpl
@@ -37,6 +37,15 @@
             </button>
           </div>
         </div>
+
+        <!--  PrivacyPolicyLink footer -->
+        <div 
+          id="WalletRegistration__PrivacyPolicy"
+          class="WalletRegistration__Footer"
+        >
+          <p>Your data is processed by {{.OrganizationName}} in accordance with their <a href="{{.PrivacyPolicyLink}}"><b>Privacy Policy</b></a></p>
+          <p data-privacy-policy-link style="display: none">{{.PrivacyPolicyLink}}</p>
+        </div>
       </section>
 
       <!-- 👋 Injecting info for the JS here: -->

diff --git a/internal/serve/httphandler/receiver_registration.go b/internal/serve/httphandler/receiver_registration.go
@@ -13,16 +13,19 @@ import (
 )
 
 type ReceiverRegistrationHandler struct {
+	Models              *data.Models
 	ReceiverWalletModel *data.ReceiverWalletModel
 	ReCAPTCHASiteKey    string
 }
 
 type ReceiverRegistrationData struct {
-	StellarAccount   string
-	JWTToken         string
-	Title            string
-	Message          string
-	ReCAPTCHASiteKey string
+	StellarAccount    string
+	JWTToken          string
+	Title             string
+	Message           string
+	ReCAPTCHASiteKey  string
+	PrivacyPolicyLink string
+	OrganizationName  string
 }
 
 // ServeHTTP will serve the SEP-24 deposit page needed to register users.
@@ -58,10 +61,22 @@ func (h ReceiverRegistrationHandler) ServeHTTP(w http.ResponseWriter, r *http.Re
 		return
 	}
 
+	organization, err := h.Models.Organizations.Get(ctx)
+	if err != nil {
+		httperror.InternalError(ctx, "Cannot get organization", err, nil).Render(w)
+		return
+	}
+
+	privacyPolicyLink := ""
+	if organization.PrivacyPolicyLink != nil {
+		privacyPolicyLink = *organization.PrivacyPolicyLink
+	}
 	tmplData := ReceiverRegistrationData{
-		StellarAccount:   sep24Claims.SEP10StellarAccount(),
-		JWTToken:         token,
-		ReCAPTCHASiteKey: h.ReCAPTCHASiteKey,
+		StellarAccount:    sep24Claims.SEP10StellarAccount(),
+		JWTToken:          token,
+		ReCAPTCHASiteKey:  h.ReCAPTCHASiteKey,
+		PrivacyPolicyLink: privacyPolicyLink,
+		OrganizationName:  organization.Name,
 	}
 
 	htmlTemplateName := "receiver_register.tmpl"

diff --git a/internal/serve/httphandler/receiver_registration_test.go b/internal/serve/httphandler/receiver_registration_test.go
@@ -31,7 +31,7 @@ func Test_ReceiverRegistrationHandler_ServeHTTP(t *testing.T) {
 	reCAPTCHASiteKey := "reCAPTCHASiteKey"
 
 	r := chi.NewRouter()
-	r.Get("/receiver-registration/start", ReceiverRegistrationHandler{ReceiverWalletModel: receiverWalletModel, ReCAPTCHASiteKey: reCAPTCHASiteKey}.ServeHTTP)
+	r.Get("/receiver-registration/start", ReceiverRegistrationHandler{Models: models, ReceiverWalletModel: receiverWalletModel, ReCAPTCHASiteKey: reCAPTCHASiteKey}.ServeHTTP)
 
 	t.Run("returns 401 - Unauthorized if the token is not in the request context", func(t *testing.T) {
 		req, reqErr := http.NewRequest("GET", "/receiver-registration/start", nil)
@@ -64,6 +64,16 @@ func Test_ReceiverRegistrationHandler_ServeHTTP(t *testing.T) {
 		assert.JSONEq(t, `{"error":"Not authorized."}`, string(respBody))
 	})
 
+	ctx := context.Background()
+	link := "http://www.test.com/privacy-policy"
+	err = models.Organizations.Update(ctx, &data.OrganizationUpdate{
+		PrivacyPolicyLink: &link,
+	})
+	require.NoError(t, err)
+
+	_, err = models.Organizations.Get(ctx)
+	require.NoError(t, err)
+
 	t.Run("returns 200 - Ok (And show the Wallet Registration page) if the token is in the request context and it's valid 🎉", func(t *testing.T) {
 		req, reqErr := http.NewRequest("GET", "/receiver-registration/start?token=test-token", nil)
 		require.NoError(t, reqErr)
@@ -90,10 +100,9 @@ func Test_ReceiverRegistrationHandler_ServeHTTP(t *testing.T) {
 		assert.Contains(t, string(respBody), "<title>Wallet Registration</title>")
 		assert.Contains(t, string(respBody), `<div class="g-recaptcha" data-sitekey="reCAPTCHASiteKey">`)
 		assert.Contains(t, string(respBody), `<link rel="preload" href="https://www.google.com/recaptcha/api.js" as="script" />`)
+		assert.Contains(t, string(respBody), `<p>Your data is processed by MyCustomAid in accordance with their <a href="http://www.test.com/privacy-policy"><b>Privacy Policy</b></a></p>`)
 	})
 
-	ctx := context.Background()
-
 	// Create a receiver wallet
 	wallet := data.CreateWalletFixture(t, ctx, dbConnectionPool,
 		"My Wallet",
@@ -131,6 +140,7 @@ func Test_ReceiverRegistrationHandler_ServeHTTP(t *testing.T) {
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
 		assert.Equal(t, "text/html; charset=utf-8", resp.Header.Get("Content-Type"))
 		assert.Contains(t, string(respBody), "<title>Wallet Registration Confirmation</title>")
+		assert.Contains(t, string(respBody), `<p>Your data is processed by MyCustomAid in accordance with their <a href="http://www.test.com/privacy-policy"><b>Privacy Policy</b></a></p>`)
 	})
 
 	t.Run("returns 200 - Ok (And show the Wallet Registration page) if the token is in the request context and wants to register second wallet in the same address", func(t *testing.T) {
@@ -159,5 +169,6 @@ func Test_ReceiverRegistrationHandler_ServeHTTP(t *testing.T) {
 		assert.Contains(t, string(respBody), "<title>Wallet Registration</title>")
 		assert.Contains(t, string(respBody), `<div class="g-recaptcha" data-sitekey="reCAPTCHASiteKey">`)
 		assert.Contains(t, string(respBody), `<link rel="preload" href="https://www.google.com/recaptcha/api.js" as="script" />`)
+		assert.Contains(t, string(respBody), `<p>Your data is processed by MyCustomAid in accordance with their <a href="http://www.test.com/privacy-policy"><b>Privacy Policy</b></a></p>`)
 	})
 }
diff --git a/internal/serve/publicfiles/js/receiver_registration.js b/internal/serve/publicfiles/js/receiver_registration.js
@@ -2,6 +2,7 @@ const WalletRegistration = {
   jwtToken: "",
   intlTelInput: null,
   phoneNumberErrorEl: null,
+  privacyPolicyLink: "",
 };
 
 function getJwtToken() {
@@ -12,6 +13,22 @@ function getJwtToken() {
   }
 }
 
+function getPrivacyPolicyLink() {
+  const linkEl = document.querySelector("[data-privacy-policy-link]");
+
+  if (linkEl) {
+    return linkEl.innerHTML;
+  }
+}
+
+document.addEventListener("DOMContentLoaded", function () {
+  const footer = document.getElementById("WalletRegistration__PrivacyPolicy");
+
+  if (WalletRegistration.privacyPolicyLink == "") {
+    footer.style = "display: none"
+  }
+});
+
 function toggleNotification(type, { parentEl, title, message, isVisible }) {
   const titleEl = parentEl.querySelector(`[data-section-${type}-title]`);
   const messageEl = parentEl.querySelector(`[data-section-${type}-message`);
@@ -385,4 +402,5 @@ window.onload = async () => {
   WalletRegistration.phoneNumberErrorEl = document.querySelector(
     "[data-section-error='phoneNumber']"
   );
+  WalletRegistration.privacyPolicyLink = getPrivacyPolicyLink();
 };
diff --git a/internal/serve/serve.go b/internal/serve/serve.go
@@ -425,6 +425,7 @@ func handleHTTP(o ServeOptions) *chi.Mux {
 		r.Route("/wallet-registration", func(r chi.Router) {
 			sep24QueryTokenAuthenticationMiddleware := anchorplatform.SEP24QueryTokenAuthenticateMiddleware(o.sep24JWTManager, o.NetworkPassphrase, o.tenantManager, o.SingleTenantMode)
 			r.With(sep24QueryTokenAuthenticationMiddleware).Get("/start", httphandler.ReceiverRegistrationHandler{
+				Models:              o.Models,
 				ReceiverWalletModel: o.Models.ReceiverWallet,
 				ReCAPTCHASiteKey:    o.ReCAPTCHASiteKey,
 			}.ServeHTTP) // This loads the SEP-24 PII registration webpage.