Fix missing organization_siret in datapass login params payload

client/src/lib/repositories/auth.ts

@@ -41,18 +41,21 @@ type LoginWithDataPass = (opts: {
 }) => Promise<Maybe<AuthenticatedUser>>;
 
 export const loginWithDataPass: LoginWithDataPass = async ({ params }) => {
-  const email = params.get("email");
-  const role = params.get("role");
-  const api_token = params.get("api_token");
+  const userInfo = params.get("user_info");
 
-  if (!email || !role || !api_token) {
+  if (!userInfo) {
     return null;
   }
 
-  return {
-    account: toAccount({ email, role }),
-    apiToken: api_token,
-  };
+  try {
+    const data = JSON.parse(userInfo);
+    return {
+      account: toAccount(data),
+      apiToken: data.api_token,
+    };
+  } catch (e) {
+    return null;
+  }
 };
 
 type GetMe = (opts: {

client/src/tests/e2e/constants.ts

@@ -13,9 +13,10 @@ export const ADMIN_PASSWORD_SANTE = getToolsPassword(
 );
 
 export const TEST_ORGANIZATION: Organization = {
-  siret: "44229377500031",
+  siret: "11004601800013",
   name: "Ministère de la culture",
 };
+
 export const STATE_AUTHENTICATED = "./src/tests/e2e/storage/authenticated.json";
 export const STATE_AUTHENTICATED_SANTE =
   "./src/tests/e2e/storage/authenticated-sante.json";

client/src/tests/e2e/datapass.spec.ts

@@ -1,15 +1,8 @@
 import { test } from "./fixtures.js";
 import { expect } from "@playwright/test";
-import type { Organization } from "src/definitions/organizations";
+import { TEST_EMAIL, TEST_ORGANIZATION } from "./constants.js";
 
 test.describe("Datapass", () => {
-  const TEST_EMAIL = "[email protected]";
-
-  const TEST_ORGANIZATION: Organization = {
-    siret: "44229377500031",
-    name: "Ministère de la culture",
-  };
-
   test("A user tried to log in but no organization has been found", async ({
     page,
   }) => {
@@ -23,11 +16,23 @@ test.describe("Datapass", () => {
   });
 
   test("A user can log in with datapass", async ({ page, apiToken }) => {
+    const info = {
+      email: TEST_EMAIL,
+      organization_siret: TEST_ORGANIZATION.siret,
+      api_token: apiToken,
+      role: "USER",
+    };
     await page.goto(
-      `/auth/datapass/login?role=USER&api_token=${apiToken}&email=${TEST_EMAIL}`
+      `/auth/datapass/login?user_info=${encodeURIComponent(
+        JSON.stringify(info)
+      )}`
     );
 
     await page.locator("text='Recherchez un jeu de données'").waitFor();
+
+    // The user's organization was saved as the current organization.
+    await page.click("text='Contribuer'");
+    await page.locator("text=Ministère de la Culture").waitFor();
   });
 
   test("A user picks the organization they want to be linked with", async ({
@@ -49,7 +54,7 @@ test.describe("Datapass", () => {
       .waitFor();
     await page.locator("text=Ministère de la culture").check();
 
-    const button = await page.locator("text=Associer mon compte");
+    const button = page.locator("text=Associer mon compte");
 
     const [request, response] = await Promise.all([
       page.waitForRequest("**/auth/datapass/users/"),

server/api/auth/datapass/routes.py

@@ -81,10 +81,16 @@ async def login(request: Request) -> Response:
 
                 #### Redirected URL query parameters
 
-                * `organization_siret`: `string($siret)`
-                * `email`: `string($email)`
-                * `role`: `UserRole`
-                * `api_token`: `string`
+                * `user_info`: an URL-encoded JSON object with the following format:
+
+                  ```json
+                  {
+                    "organization_siret": "string($siret)",
+                    "email": "string($email)",
+                    "role`: "UserRole",
+                    "api_token": "string"
+                  }
+                  ```
 
                 ### 0 matching organization
 
@@ -193,16 +199,15 @@ async def callback(request: Request) -> Response:
 
         account = await bus.execute(LoginDataPassUser(email=email))
 
+    view = AuthenticatedAccountView(**account.dict())
+
     url = get_client_root_url()
     url = url.replace(path="/auth/datapass/login")
     url = url.include_query_params(
         # These will be grabbed by the frontend and stored in its localStorage as the
         # currently authenticated user.
         # Protected against MITM attacks as long as we serve over HTTPS.
-        organization_siret=account.organization_siret,
-        email=account.email,
-        role=account.role.value,
-        api_token=account.api_token,
+        user_info=view.json(exclude={"id"}),
     )
 
     return RedirectResponse(url, status_code=307)

tests/api/test_auth_datapass.py

@@ -208,10 +208,12 @@ async def test_if_only_one_org_exists_then_creates_user_and_redirects_with_detai
             assert location.scheme == "http"
             assert location.netloc == b"client.testserver"
             assert location.path == "/auth/datapass/login"
-            assert location.params["organization_siret"] == siret_1
-            assert location.params["email"] == "[email protected]"
-            assert location.params["role"] == "USER"
-            assert location.params["api_token"] == user.account.api_token
+            assert json.loads(location.params["user_info"]) == {
+                "organization_siret": siret_1,
+                "email": "[email protected]",
+                "role": "USER",
+                "api_token": user.account.api_token,
+            }
 
     async def test_existing_password_user_reuses_account(
         self, client: httpx.AsyncClient, monkeypatch: pytest.MonkeyPatch