feat(fxa-admin-panel) allow admin to enable login for account from ad…

[millmason]

…min panel

fix(fxa-admin-panel): Add new feature to guards

feat(fxa-admin-panel) add new SecurityEventNames to db to log enable/disable times

feat(fxa-admin-panel): Add new gql mutation and securityeventnames type

Because

• Admin panel users (with sufficient permissions) are able to Disable login for an account, but cannot reverse this action and re-enable the account. The ability to re-enable the account was requested in this ticket.

This pull request

• Currently, an account is disabled if there it has a non-null value in the disabledAt column. When a user clicks theDisable button, the user sees a confirmation window warning them that the action is irreversible. If the user confirms that they want to disable the account, disabledAt is set to the current time.
• To enable an admin user to re-enable an account, I created an Enable button, which when clicked, will prompt the user with a confirmation window. If the user confirms that they want to enable the account, the account disabledAt value is set back to null.
• The Enable button is only visible when an account is disabled.
• Since the Disable action is now reversible, I changed the messaging in the Disable confirmation window to reflect this.
• Since setting disabledAt to null erases some of the history of the account, I opted to store account.disable actions and account.enable actions in the securityEvents table. To do so, I first created a db patch adding those two new names to the securityEventNames table, updated the necessary graphql types, updated the recordAdminSecurityEvent mutation to accept different event type names, and then called recordAdminSecurityEvent with both the disable handler and the enable handler.

Issue that this pull request solves

Closes: #12568

Checklist

Put an x in the boxes that apply

• My commit is GPG signed.
• If applicable, I have modified or added tests which pass locally.
• I have added necessary documentation (if appropriate).
• I have verified that my changes render correctly in RTL (if appropriate).

Screenshots (Optional)

Previously, once an account was disabled, you would see the time at which it was disabled, but you could not re-enable it.

Now, when an account is disabled, you can see the time at which it was disabled both under the "Disable Login" section of the "Danger Zone," and also in the "Account History". Also, you can see a button for re-enabling the account.

Other information (Optional)

To test this PR:

• Create and log into a Firefox account in your locally running instance of the app
• Create another account and make a note of the email address. One way to do this is to run yarn email-bounce from the root of the fxa/packages/fxa-admin-server directory. This will create a random email account with a bounce. One way to get the email address for this account (which you will need) is to open a separate tab in your terminal at the root of the fxa directory and run yarn mysql. Enter use fxa; to select your database. Then, enter select email from accounts;. You should see the email address of the account that you are logged in as, and the randomized email address created by the above command. Copy that email address.
• Log into the local instance of the admin panel at localhost:8091
• Search for the email address of the new account (the one that you are not logged into, which you created and then found above in the database)
• When it successfully displays the record, scroll to the bottom of the admin panel. You should see a section marked in red as the "Danger Zone."
• If your account is NOT disabled, you should see a button that says Disable. Click it.
• Click OK when shown the confirmation window.
• You should see an alert window telling you that the account was successfully disabled. Click OK.
• Now that the account is disabled, you should see the time when the account was disabled displayed under Disable Login. You should also see a new section of the "Danger Zone" labelled Enable Login, with a new button marked Enable. Finally, if you look above in the "Account History" section, you should see an event "account.disable" with the same timestamp as is displayed in the "Danger Zone" under "Disable Login"
• Click the Enable button. When prompted, click OK, both for the confirmation window and the alert window that states that you have successfully re-enabled login.
• If you look above the "Danger Zone" in "Account History", you should see an event "account.enable" that shows the time at which you re-enabled login.

[dschom]

Looking good. Add some simple tests for enableAccount, and it's good to go.

[dschom]

Missing ' after account.disable

[pdehaan]

WHERE name='account.enable` looks like it might have the wrong closing quote too (backtick vs single quote).

[millmason]

Great catches, thank you!

[dschom]

user doesn't seem to referenced. Maybe remove this arg?

[dschom]

Can we get this under test? I noticed that disableAccount also isn't under test. If possible adding cursory tests for both would good.

[millmason]

Definitely, great idea

[dschom]

LGTM! When testing manually, I noticed one weird UI defect where after clicking disable, none of the buttons work. But I have a feeling this has been there all along, and might be true for any action on the page. I will file a bug ticket for this separately.