IDP: Offload teamspace management to Frontegg #5412

Open
26 of 54 tasks
carmenfan opened this issue Feb 14, 2025 · 0 comments
carmenfan commented Feb 14, 2025

Description

Product issue: https://github.com/3drepo/3D-Repo-Product-Team/issues/649
This depends on #5373

We want Frontegg to be teamspace aware, so we can allow the clients to take advantage of configurations that are supported by Frontegg (e.g. saml2 hookup, custom login policies, custom login page etc.).

The application would also need to start being aware of which teamspace the user is authorised against and require users to re-authenticate against a specific teamspace if they have not been authenticated against it.

Goals

  • As an IT admin of a client I want to invite external users via federation of federation
  • As an IT admin of a client I want to impose specific password policy
  • As a customer I want to customise the look and feel, and functionality of the login page to my teamspace
  • As an IT admin of a client I want to ensure that whoever has access to the teamspace has been authenticated in such a way that satisfies the security policy I have imposed.

Tasks

  • Endpoint to specify which teamspace to authenticate against

  • Logic to store authenticated teamspace and to reject request if the user has not yet been authenticated against the teamspace

  • Give info about authenticated teamspace on https://www.3drepo.io/docs/#/User/getProfile

  • Create Account on frontegg when a teamspace is created

  • Map account ID to teamspace settings

  • Assign user to account when a user is added to a teamspace

  • remove user from account when a user is removed from teamspace

  • Delete teamspace needs to delete the account

    • Check utility script to see if the logic makes sense
  • Migration

    • Create an account per teamspace
    • assign members of teamspaces to the account
  • Clean up

    • Ensure teamspace Id is not being returned unintentionally on teamspace settings queries
    • Split frontegg services based on functionality?
    • Remove association between users and teamspaces
    • Ensure v4 code does not have assumption on owners
    • Ensure v4 check teamspace access is using the v5 middleware
    • rename teamspaces/teamspaces to teamspaces/index
    • middleware/permissions/permissions as well
    • Assign user to job not working when creating a new teamspace
    • Configurable default role
    • test service - createTeamspace no longer needs to createUser
      • Why createTeamspace doesn't just call the function in processor?
      • Check where teamspace roles are used, abstract them to processor
      • Ensure nothing is calling grantTeamspaceRoleToUser directly
  • Future work (release after)

    • Adjust utility scripts to get info from frontegg
      • no longer makes sense for removeTeamsapce script to remove the owner
      • Allow useremail on create teamspace?
      • We're no longer generating inactive users or expired password tokens
    • potential issues when other apps are using frontegg:
      • May have to cater for if account is already generated?
      • Webhook to remove users when they're removed from account
      • Account remove webhook to clean up teamspace ?
    • refreshing a token
    • move teamspace settings to internal
    • index teamspace Id reference
    • move user mapping to internal
    • Profile picture to pull/store in frontegg
      • profile info should be stored as metadata in frontegg
    • UI to select default teamspace
    • Teamspace avatar to be pulled from frontegg
    • getMembers of teamspace should come from frontegg (5.18, or migration script won't work)
      • add workaround for unrecognised users
      • distinguish invited users and activated users, and invited users who aren't actually users on 3DR
      • v4:
        • models/users
          • Get teamspace member
          • FindUsersWithoutMembership
@carmenfan carmenfan self-assigned this Feb 14, 2025
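
An added example (not part of the issue and not 3D Repo's code) of the per-teamspace check the Description and Tasks call for: the session records the teamspace derived from the identity provider's account ID, and requests for any other teamspace are rejected with a pointer to re-authenticate. All function names, the constructed account-to-teamspace map, and the `/authenticate/...` path are assumptions.

```javascript
// Constructed mapping of identity-provider account IDs to teamspaces
// (the "Map account ID to teamspace settings" task); values are made up.
const ACCOUNT_TO_TEAMSPACE = new Map([
  ['acc-001', 'acme'],
  ['acc-002', 'globex'],
]);

// Called after the identity provider confirms a login. The teamspace is derived
// from the verified account ID, never from a client-supplied value.
function recordAuthenticatedTeamspace(session, user, accountId) {
  const teamspace = ACCOUNT_TO_TEAMSPACE.get(accountId);
  if (!teamspace) throw new Error(`unknown account: ${accountId}`);
  session.user = user;
  session.authenticatedTeamspace = teamspace;
  return teamspace;
}

// Decide whether the session may act on the requested teamspace.
function checkTeamspaceAuth(session, teamspace) {
  if (!session || !session.user) return { ok: false, status: 401, code: 'NOT_LOGGED_IN' };
  if (typeof teamspace !== 'string' || teamspace === '') {
    return { ok: false, status: 400, code: 'INVALID_TEAMSPACE' };
  }
  if (session.authenticatedTeamspace !== teamspace) {
    return {
      ok: false,
      status: 403,
      code: 'NOT_AUTHENTICATED_AGAINST_TEAMSPACE',
      // Hypothetical endpoint where the client re-authenticates for this teamspace.
      authenticateAt: `/authenticate/${encodeURIComponent(teamspace)}`,
    };
  }
  return { ok: true };
}

// Express-style middleware for routes shaped like /teamspaces/:teamspace/...
function requireTeamspaceAuth(req, res, next) {
  const result = checkTeamspaceAuth(req.session, req.params.teamspace);
  if (result.ok) return next();
  return res.status(result.status)
    .json({ code: result.code, authenticateAt: result.authenticateAt });
}
```

Membership of a teamspace alone does not pass this check: a user who belongs to both `acme` and `globex` but logged in through `acme` gets a 403 for `globex` until they authenticate under that teamspace's policy.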
carmenfan added a commit that referenced this issue Feb 17, 2025
…ttach authorisedTeamspace info on the getUserProfile
carmenfan added a commit that referenced this issue Feb 28, 2025
We'll just universally assign it for now
@carmenfan carmenfan changed the title Offload teamspace management to Frontegg IDP: Offload teamspace management to Frontegg Mar 2, 2025
carmenfan added a commit that referenced this issue Mar 9, 2025
email tests are removed as they will be N/A