Add API support for picture login: facility settings, passcode assignment, and authentication

[LianaHarris360]

❌ This issue is not open for contribution. Visit Contributing guidelines to learn about the contributing process and how to find suitable issues.

Overview

Add API support for enabling and disabling the picture login facility setting, implementing a bulk update endpoint for assigning picture passcodes to learners, and assigning passcodes to new learners created while the setting is active.

Complexity: Medium
Target branch: develop

Context

Once picture_password field added to FacilityUser, the API layer needs to be wired up. The learner_can_login_with_picture_password boolean on FacilityDataset is the source of truth for whether picture login is enabled for a facility.

The Change

1. API: Bulk Assignment/Un-assignment on Setting Change (kolibri/core/auth/api.py)

• Update FacilityDatasetViewSet with a new bulk update endpoint that sets learner_can_login_with_picture_password to True for a facility and:
  • Calls assign_picture_password() for all existing learners in the facility where picture_password=None.
  • Sets learner_can_edit_password to False.
  • Sets the password for all existing learners in the facility as NOT_SPECIFIED to allow username only sign-in.
  • If a facility has more than 1300 learners, reject attempts to enable learner_can_login_with_picture_password with a clear error response.
• Add a method to kolibri/plugins/facility/frontend/modules/facilityConfig/actions.js that will call the FacilityDatasetViewSet action from above. This new action will need to be exported in kolibri/plugins/facility/frontend/modules/facilityConfig/index.js as well, so that they can be called in the frontend.

2. Assignment on New Learner Creation (kolibri/core/auth/models.py)

• When a new learner is created in a facility where learner_can_login_with_picture_password is True and the learner count is still at or below 1300, automatically call assign_picture_password() on user creation. If the learner count is >= 1300, the picture_passcode should not be assigned. The appropriate hook for this is in BaseFacilityUserModelManager.create_user.

Out of Scope

• Picture passcode sequence availability check and creation

Acceptance Criteria

General

• Facility Settings API endpoint reads and writes to learner_can_login_with_picture_password
  on FacilityDataset as the source of truth for whether picture login is enabled
• Enabling picture login for a facility triggers bulk assignment for all
  learners with picture_password=None and does not overwrite sequences already assigned to learners
• Attempting to enable picture login for a facility with >1300 learners returns an
  appropriate error response
• New learner creation in a facility with picture login enabled results in
  picture_password and password being automatically assigned
• Coach and admin users are never assigned a picture_password

Testing

• Unit test: enabling picture login is rejected for facilities with >=1300 learners
• Unit test: bulk assignment skips learners who already have a picture_password set
• Unit test: new learner creation in a picture-login-enabled facility results in a passcode being assigned
• Unit test: coach and admin users are never assigned a picture_password

References

• Existing pattern: learner_can_login_with_no_password on FacilityDataset
• kolibri/core/auth/api.py
• • kolibri/core/auth/serializers.py
• BaseFacilityUserModelManager.create_user

AI usage

🤖 This issue was written with AI assistance, under supervision, review and final edits by [@LianaHarris360 ] 🤖