[#2718] Migrate cookie consent from Klaro to Orejime

[AndreaBarbasso]

References

• Fixes Consider replacing Klaro cookie consent tool, as it seems unmaintained & less accessible #2718

Description

Migrated the cookie consent functionality from Klaro to Orejime, because of better accessibility and maintenance.

Instructions for Reviewers

All references to Klaro have been renamed to Orejime. Klaro has been removed from the package.json file and its config has been modified to be accepted by Orejime (which needs a similar, but not quite the same, config file).
Since Orejime needs a URL for the privacy policy, this is now mandatory.
Orejime does not allow raw HTML as text, so the i18n files have been changed accordingly.
Orejime has less strings than Klaro, so a lot of i18n strings are now obsolete and have been removed.

List of changes in this PR:

• Migrated Klaro instances to Orejime ones;
• Cleaned up unused i18n strings and config properties;
• Handled cookies grouping by purpose;
• Fixed unit tests.

To review this PR. try to use the Orejime's cookie banner as if it was the Klaro's one. Remember to add a cookie to the configuration in order to test the banner when there is a new cookie to accept/decline.

Checklist

This checklist provides a reminder of what we are going to look for when reviewing your PR. You do not need to complete this checklist prior creating your PR (draft PRs are always welcome).
However, reviewers may request that you complete any actions in this list if you have not done so. If you are unsure about an item in the checklist, don't hesitate to ask. We're here to help!

• My PR is created against the main branch of code (unless it is a backport or is fixing an issue specific to an older branch).
• My PR is small in size (e.g. less than 1,000 lines of code, not including comments & specs/tests), or I have provided reasons as to why that's not possible.
• My PR passes ESLint validation using yarn lint
• My PR doesn't introduce circular dependencies (verified via yarn check-circ-deps)
• My PR includes TypeDoc comments for all new (or modified) public methods and classes. It also includes TypeDoc for large or complex private methods.
• My PR passes all specs/tests and includes new/updated specs or tests based on the Code Testing Guide.
• My PR aligns with Accessibility guidelines if it makes changes to the user interface.
• My PR uses i18n (internationalization) keys instead of hardcoded English text, to allow for translations.
• My PR includes details on how to test it. I've provided clear instructions to reviewers on how to successfully test this fix or feature.
• If my PR includes new libraries/dependencies (in package.json), I've made sure their licenses align with the DSpace BSD License based on the Licensing of Contributions documentation.
• If my PR includes new features or configurations, I've provided basic technical documentation in the PR itself.
• If my PR fixes an issue ticket, I've linked them together.

[pilasou]

Hi @AndreaBarbasso, I tried to test the PR but was unsuccessfull. Maybe there is something I missed. I test through Docker. When I click on "Cookie settings" in the footer, the pop up is not display and the page "frozes" (cannot be scrolled anymore), and an error occurs:

[github-actions]

Hi @AndreaBarbasso,
Conflicts have been detected against the base branch.
Please resolve these conflicts as soon as you can. Thanks!

[tdonohue]

@AndreaBarbasso : We gave this a group code review in today's Developers Meeting. Overall, the changes here look reasonable. The PR needs a rebase though as it's still using yarn and we've recently switched to npm (see #3173 )...so the yarn.lock no longer exists.

I think this may need more testing though to see what happens if a site sets enablePrivacyStatement: false in their config.yml. It appears this code is now ignoring that setting...which seems like it could be a bug (as the privacy statement itself will return a 404 when that is set to false). We may need to determine if there's a way to still support enablePrivacyStatement: false with Orejime.

[tdonohue]

This seems to be removing the ability to disable the Privacy Statement in DSpace. See the docs at https://wiki.lyrasis.org/display/DSDOC7x/User+Interface+Configuration#UserInterfaceConfiguration-Toggleend-useragreementandprivacypolicy

What happens if someone tries to use this PR when enablePrivacyStatement: false is set in your config.prod.yml?

[tdonohue]

Just a note for other developers. Initially, the removal of all these keys from json5 files looked confusing to me. But, I see that you are removing keys that are no longer used in Orejime. So, I think this cleanup is correct.

[AndreaBarbasso]

@pilasou, I managed to solve the problem you encountered. It was happening if a cookie category referenced (by name) at least one app that had been removed from the app list. Thanks!

@tdonohue, I managed to keep the current behavior regarding the enablePrivacyStatement: false configuration. Now orejime starts regardless of that property, and will not show a link to /info/privacy if that property is set to false.

---

Right now, we have another situation going on. Quoting the Orejime docs:

If every app is either required or optOut, Orejime will not show at startup (but it will still be possible to open it programmatically).

So, in a case like the one we can see on the sandbox (where all cookies are mandatory), Orejime will not show any cookie notice on the bottom right corner of the page.
Since there are no exposed Orejime APIs that allow for a programmatic cookie notice opening (only the modal that lists all cookies can be opened programmatically) a workaround is needed, but it would require overrides to Orejime methods.

What I can see as possible options, right now, are:

• Be "ok" with the cookie consent not showing if all cookies are mandatory. I don't know if this behavior is compliant with GDPR, since the user might need to be informed of the presence of cookies anyway;
• Open the cookie consent modal as a default behavior if the user never managed its cookies. This would probably be a solution that adheres to all regulations and keeps some consistency across each use case scenario, but greeting a new visitor with a modal is not "nice";
• Show a notification with Info severity - via the NotificationsService - that informs the user of the presence of mandatory cookies. This, of course, needs to be done only if the user never managed its cookies and if all cookies are mandatory.

Any other idea on how to proceed on this issue?

[pilasou]

Hi @AndreaBarbasso, just want to mentionned that I retested the cookies consent and it works as described. The cookie setting window does not show by default as all default cookies are mandatory. I can display the window by clicking the Cookies setting link in the page footer as shown below:

All toogles are on by default and cannot be changed,

[tdonohue]

@AndreaBarbasso : We discussed this in today's Developer Meeting. Those in attendance believe that Orejime's default behavior should be GDPR compliant. In other words, users need to only be notified if there are non-mandatory cookies. So, this PR's current behavior sounds like it should be OK.

One final note. It appears this PR is currently failing some tests/specs