Remove the user/admin-create endpoint

In theory, this allowed admins to create user profiles,
primed and ready for the person to log in.

Cloudwatch shows this was actually done only a handful of times in 2021.

Additionally, imperfect sanitization of the username field could
lead to CSV injection attacks, via the export on Users.jsx.

services/app-api/handlers/users/post/createUser.js

@@ -10,14 +10,6 @@ export const main = handler(async (event, context) => {
   return await createUser(userData);
 });
 
-export const adminCreateUser = handler(async (event, context) => {
-  await authorizeAdmin(event);
-
-  const userData = JSON.parse(event.body);
-
-  return await createUser(userData);
-});
-
 const createUser = async (userData) => {
   if (!userData.username) {
     return `Please enter a username`;

services/app-api/serverless.yml

@@ -336,15 +336,6 @@ functions:
           method: post
           cors: true
           authorizer: aws_iam
-  adminCreateUser:
-    handler: handlers/users/post/createUser.adminCreateUser
-    role: LambdaApiRole
-    events:
-      - http:
-          path: users/admin-add
-          method: post
-          cors: true
-          authorizer: aws_iam
   deleteUser:
     handler: handlers/users/post/deleteUser.main
     role: LambdaApiRole

services/ui-src/src/components/Routes/Routes.jsx

@@ -12,7 +12,6 @@ import Users from "../Users/Users";
 import EditUser from "../EditUser/EditUser";
 import Example from "../Example/Example";
 import Quarterly from "../Quarterly/Quarterly";
-import UserAdd from "../AddUser/AddUser";
 import Unauthorized from "../Unauthorized/Unauthorized";
 import FormPage from "../FormPage/FormPage";
 import StateSelector from "../StateSelector/StateSelector";
@@ -85,9 +84,6 @@ export default function Routes({ user, isAuthorized }) {
           <AuthenticatedRoute exact path="/form-templates">
             <FormTemplates />
           </AuthenticatedRoute>
-          <AuthenticatedRoute exact path="/users/add">
-            <UserAdd />
-          </AuthenticatedRoute>
           <AuthenticatedRoute exact path="/users/:id/edit">
             <EditUser />
           </AuthenticatedRoute>

services/ui-src/src/libs/api.js

@@ -49,14 +49,6 @@ export const createUser = async data => {
   return API.post("mdct-seds", `/users/add`, opts);
 };
 
-// *** create user - admin only
-export const adminCreateUser = async data => {
-  const opts = await requestOptions();
-  opts.body = data;
-
-  return API.post("mdct-seds", `/users/admin-add`, opts);
-};
-
 /*************************** FORMS API ***************************/
 // *** get forms associated with a specified state for specified year and quarter
 export const getStateForms = async data => {