Fix User Credential Issued Date

[zandre-eng]

Technical Summary

Link to ticket here

This is a release path 1 feature — Improvements to existing features & quick wins.

The credential issue date returned by ListCredentials previously came from Credential.created_at, which is shared across every holder and environment of a credential and therefore does not reflect when an individual user was issued it. This PR adds a per-user created_at to UserCredential and reworks the endpoint to serialize UserCredential rows directly (pulling credential metadata through the relation), so date now reflects the actual per-user issuance time.

Because created_at was added with auto_now_add, existing rows carry the migration run time rather than the true issuance date, so a management command will be added in a separate PR to backfill created_at from a JSON export of Connect prod's UserCredential.issued_on.

Logging and monitoring

No additional logging was added.

Safety Assurance

Safety story

The API change is read-only and additive — it adds a non-nullable field with a default and returns an additional, more accurate date value. A separate PR will be addressing the data change to the created_at field to sync it with the UserCredential.issued_on date from Connect.

• I am confident that this change will not break current and/or previous versions of CommCare apps

Automated test coverage

Tests cover the ListCredentials response now sourcing date from the per-user UserCredential record.

QA Plan

No QA planned for this change.

Labels & Review

• The set of people pinged as reviewers is appropriate for the level of risk of the change

[coderabbitai]

Walkthrough

Adds created_at to UserCredential, updates the credential-list endpoint to query and serialize UserCredential records with nested credential data, and adjusts the related test to expect the new date source.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main change: correcting the user credential issuance date.
Description check	✅ Passed	The description is directly related and accurately explains the per-user created_at change and endpoint update.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ze/credential-issued-date

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

users/tests/test_views.py (1)

605-623: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Add @skip_app_integrity_check to this endpoint test.

This test goes through auth_device.get(self.url), so it should bypass Play Integrity and fail only on the credential-list behavior under test.

As per coding guidelines, **/tests/*.py: Use @skip_app_integrity_check decorator in tests to bypass Google Play Integrity validation, and **/views.py: All app requests must validate Google Play Integrity tokens. Based on learnings, apply it only to individual HTTP tests, not the class.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@users/tests/test_views.py` around lines 605 - 623, Add the
skip_app_integrity_check decorator to this endpoint test so
auth_device.get(self.url) bypasses Play Integrity and the assertion focuses only
on credential-list behavior. Update the test method test_success in the view
tests to use the decorator on this individual HTTP test, not the class, keeping
the rest of the setup and assertions unchanged.

Sources: Coding guidelines, Learnings

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@users/migrations/0032_usercredential_created_at.py`:
- Around line 17-21: The migration for adding created_at to UserCredential
currently assigns one execution-time timestamp to all existing rows, so update
the release to include the historical backfill migration that populates real
created_at values before exposing them in ListCredentials, or gate the API
serialization until that backfill is shipped. Use the UserCredential migration
that adds created_at and the ListCredentials endpoint serialization path as the
key places to coordinate this change.

---

Outside diff comments:
In `@users/tests/test_views.py`:
- Around line 605-623: Add the skip_app_integrity_check decorator to this
endpoint test so auth_device.get(self.url) bypasses Play Integrity and the
assertion focuses only on credential-list behavior. Update the test method
test_success in the view tests to use the decorator on this individual HTTP
test, not the class, keeping the rest of the setup and assertions unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: aa7de27f-27b3-4d6f-b91c-a94a786ee415

📥 Commits

Reviewing files that changed from the base of the PR and between 773483d and 05ba30c.

📒 Files selected for processing (5)

• users/migrations/0032_usercredential_created_at.py
• users/models.py
• users/serializers.py
• users/tests/test_views.py
• users/views.py