Integrate initial package claiming PRs

[chadwhitacre]

This is an integration branch/PR for the initial implementation of package claiming. Part of #4427.

Specs

See #4297 (comment).

Mocks

From #4297 (comment) (click for full-size):

PRs (in merge order)

Numbers are workflow steps.

• (1), (2) add sign in w/ copy to /on/npm/foo/ for anon: Add signin + copy to anon package view #4306 Add link to package on npm #4307 Add a test for anon hitting unclaimed package #4308 Fix regression in test #4323
• stub out Package to hold Python API: Stub out Package model #4155
• (3)—(6) add confirmation form to /on/npm/foo/ for auth when unclaimed: UI to send confirmation email for unclaimed packages #4309
• (7), (8) implement Package.send_confirmation_email: Send confirmation email #4335
• (9) add /on/npm/react/claim endpoint to receive email link: Receive package claim link-back #4397
• (10)—(11) implement /on/npm/foo/ as project page when claimed: Present claimed packages as projects #4398
• (12)—(16) implement /on/npm/foo/edit as project edit page when claimed: Edit claimed packages #4404

&c.

• minor refactor: Factor out a package.team mixin #4422
• some UX cleanups: Some UX cleanups for package claiming #4406
• style the claim form: Style the claim form #4410
• more UX cleanups: Clean up UX some more #4411
• verify that we can give to a package—the 💟 of the matter! ... Integration test: claim, approve, and give #4423
• on verify.html, show packages newly linked if germane: List packages on verification #4424
• work PayPal into the workflow somehow: Account for PayPal in claiming workflow #4428
• fix an egregious bug at low widths: Fix width bug #4435

Todo

• think through merging/takeover—anything special here? like, start verification workflow, then merge accounts, then finish verification.—looks like we already do something … 9b7d147
• what about linking an existing project to an existing npm package? … sounds like an admin thing; bump for now, handle through email support
• make sure finishing a verification terminates competing verifications (otherwise get_emails can include an email it shouldn't)
• think through PayPal requirement—are we accounting for that somewhere here that I'm not seeing?
• consider notifying other package maintainers when someone claims a package … bumped: Notify other maintainers on package claim #4425
• indicate to a participant when they have a claim open … bumped: Show open claims to participant #4426
• check it on a phone … bumped: Fix on a phone #4432
• account for deleted packages: Harmonize package deletion and claiming #4448

Landing

• change base back to master
• merge and deploy!

[nobodxbodon]

Could you share the plan of this project?

Besides, I guess you haven't started paying for gomockingbird? Shall we apply to balsamiq earlier than later?

[chadwhitacre]

Could you share the plan of this project?

Not sure what you mean. I updated the todo in the ticket description. Not enough?

Besides, I guess you haven't started paying for gomockingbird?

Nope.

Shall we apply to balsamiq earlier than later?

Not a priority for me. a) Balsamiq appears to be desktop-only, which is of limited utility for us since we can't share links, b) I think we have what we need from Mockingbird for now, and c) I think we can hack Mockingbird by deleting cookies/localstorage.

[nobodxbodon]

Not sure what you mean. I updated the todo in the ticket description. Not enough?

Maybe just me, but I don't find a easy way to tell which part a dev (me perhaps) can pick up without worrying about stepping on your toe.

a) Balsamiq appears to be desktop-only, which is of limited utility for us since we can't share links,

they offer choices in application including web version:

c) I think we can hack Mockingbird by deleting cookies/localstorage.

Seriously?

[chadwhitacre]

Maybe just me, but I don't find a easy way to tell which part a dev (me perhaps) can pick up without worrying about stepping on your toe.

I think we should get you unblocked and focusing on gratipay/finances#35. I'm happy to do the bulk of the work here but I will need you @mattbk @JessaWitzel etc. for review. Let's work with who we have.

they offer choices in application including web version:

Go for it!

Seriously?

😊

[chadwhitacre]

@nobodxbodon at #4297 (comment):

When there are multiple contact emails for one package, indicating there are more than one devs, do we send notification emails out to all of them in case the package is claimed by one of the email?

Good idea!

[chadwhitacre]

We'll also need to account for the case where an email is attached to a different Gratipay account. They won't be able to use it in that case.

[chadwhitacre]

Todo reordered to reflect merge order.

[chadwhitacre]

Picking up from #4297 (comment):

I was wondering the same thing. Which email/person do we allow to claim the package.

We pull email addresses from the maintainers and authors in package.json on npm.

[nobodxbodon]

In case you missed #4297 (comment), shall we notify all the contacts after step 8 of spec, and states so to the claimer in the email something like "we'll notify all the other coauthors of the package in this email list after you confirm claiming"?

[kaguillera]

1. Is any one of the Co-authors of a package allowed to claim the packages?
2. What if the co-author is a new-comer claims the package before the real starter of the package gets a chance to.

That was really what I was trying to ask earlier (#4297 (comment))

[chadwhitacre]

What's up with the failures here? I seem to recall expecting this ...

[chadwhitacre]

Still looking for the perfect process here. I keep switching the todo order. Currently working stepwise through the workflow.

I've got the confirmation flow (3-8) half roughed-in. I think at this point I'm going to go back over and clean up and merge #4155 so that we have a Package object from which to hang API, and then pick up again with #4309. At some point we also could/should rebase this on master to pick up recent changes there.

[chadwhitacre]

Is any one of the Co-authors of a package allowed to claim the packages?

No (under):

The thing that seems the most canonical representation from what I've seen around probably is whatever the owners are of the actual npm package vs. what's in the package.json.

Sent a follow-up in private email to clarify:

Looking at the registry, I see three options:

1. _npmUser—scoped to version
2. maintainers—scoped to package
3. author—scoped to package

My hunch based on our convo is that the _npmUser for the latest version is the best one to use for linking (though the _ suggests that this is a private API, and a spot check shows it is missing for some versions, maybe very old ones?). Does that sound right to you?

[chadwhitacre]

Alright, based on that and considerations at #4309 (comment) I've added another prereq:

update schema for a single (nullable) email & sync from the latest version's _npmUser

[chadwhitacre]

Okay! Shelving work on #4309. I had thought of two PRs right after that one (implementing .send_confirmation_email), and then confirmation link post-back). But now it seems I should dial back to working on npm syncing prereqs.

[chadwhitacre]

Scratch that! 💃

Taking a look at a few packages, it is definitely the maintainers field that I had in mind, as the corresponds to the users who have the rights to publish the package, which is the most likely to align to the folks who would manage any funds, imo

Aligns with doco:

Add a new user as a maintainer of a package. This user is enabled to modify metadata, publish new versions, and add other owners.

Note that there is only one level of access. Either you can modify a package, or you can't. Future versions may contain more fine-grained access levels, but that is not implemented at this time.

https://docs.npmjs.com/cli/owner

npm also sets a top-level "maintainers" field with your npm user info.

https://docs.npmjs.com/files/package.json#people-fields-author-contributors

[chadwhitacre]

But we do want to drop author.

[chadwhitacre]

/me adds that to prereqs ...

[chadwhitacre]

Back into #4309!

[chadwhitacre]

Squashed and rebased onto #4343, was 5bab99a.

[chadwhitacre]

Awesome. All PRs are in!

I guess we should spend some effort on syncing npm before we deploy this, though. :-/

[chadwhitacre]

The snapshot of npm we have in the Gratipay database is six months old. We need to update that and also build in a mechanism for constantly updating it.

[chadwhitacre]

Rebased and squashed, was 70b391e.

[chadwhitacre]

Okay, friends! I believe we are ready to land this sucker!

[chadwhitacre]

@clone1018 and I are going to merge and deploy this.

[chadwhitacre]

Rebased, was 8a2e258.

[chadwhitacre]

Travis is running super-slow.

[chadwhitacre]

Finally green! Ready!?