feat(providers): Support interactive oauth setup for gdrive. #3288
Conversation
Codecov Report. Attention: Patch coverage is
Additional details and impacted files. Coverage diff, master vs. #3288:
            master    #3288      +/-
Coverage    75.86%    76.89%   +1.02%
Files          470       477       +7
Lines        37301     28832    -8469
Hits         28299     22169    -6130
Misses        7071      4740    -2331
Partials      1931      1923       -8
View full report in Codecov by Sentry.
@jkowalski Friendly ping on this.
Could I get a preliminary review on this PR?
@jkowalski Can we prioritize it, please? Service-account quotas are confusing for everyone; there are multiple topics and Slack questions about it.
Sorry, I've been sitting on this for too long. I don't really use Google Drive myself, so I am not very familiar with it, and this wasn't the most straightforward to test. Overall, the UI and the approach look reasonable. I have some questions:
Hi @jkowalski, Thanks for taking a look at this PR.
Sure, I'll work on that. I want to get the initial design out before working on the peripherals.
Ditto
The OAuth2 client takes care of exchanging refresh tokens for access tokens and repeats it as necessary (every hour or so).
Refresh tokens last forever until the user manually revokes them. If we encounter an invalid refresh token, we should ask the user to re-auth if it's an interactive session, or else fail.
It's technically feasible. The DriveFile scope is not sensitive, so we don't have to pay for an expensive security audit. However, we'd still reveal the API key and client secret in an open-source repository, or at the very least embed them into a binary, which isn't much better security-wise. People can do very nefarious things with it. The OAuth security model isn't designed for this.
That's what I want to discuss with you! Is there a way to embed the auth server and client code into the existing React app? That would make the Google Drive onboarding seamless for GUI users.
Fixes #3047, #2656
Hi @jkowalski,
Would you take an early look at this PR:
I would like your opinion on how the ephemeral HTTP server is structured. You mentioned that you may want to add more use cases in the future, so maybe a consistent architecture would help? I also don't work with Go servers in my day job, so feedback is much appreciated here.
I also marked the existing service account-based auth as deprecated in the CLI, although it should still work. It's my opinion that we should mark it obsolete and remove it soon, since the gotchas with the quota are great and confusing.
The overall flow of the code:
During repository create, we launch an HTTP server that serves 2 AJAX endpoints and an HTML file.
Edge cases:
Thanks,
xkxx
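The ephemeral local HTTP server described in the PR description (started during repository create to receive the browser's OAuth redirect) and the refresh-token and client-secret points raised in the earlier reply, as an added Go example written for this page; it is not the PR's or the project's code. It uses only the standard library rather than an OAuth2 client library, so the exchange of the returned code for access and refresh tokens (a network call to Google's token endpoint) is left as the documented next step. Assumed: Google's public authorization endpoint and drive.file scope URLs, a placeholder client ID, and all type and function names (loopback, startLoopback, AuthURL, handleCallback, Wait).

```go
package main

import (
	"context"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// Added example, not the PR's code. Assumes Google's public authorization endpoint
// and the non-sensitive drive.file scope; the client ID used below is a placeholder.
const authEndpoint = "https://accounts.google.com/o/oauth2/v2/auth"

type loopback struct {
	srv      *http.Server
	redirect string      // http://127.0.0.1:<port>/callback, chosen at startup
	state    string      // CSRF token bound to this single authorization attempt
	verifier string      // PKCE code_verifier; sent only in the token exchange, never in the URL
	result   chan string // buffered 1: the first matching redirect wins
}

// randomToken returns 256 bits from crypto/rand as unpadded base64url.
func randomToken() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without entropy there is no safe way to continue
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// pkceChallenge is the RFC 7636 S256 transform: base64url(sha256(verifier)).
func pkceChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// startLoopback binds 127.0.0.1 on an OS-chosen port, so only local processes can reach it.
func startLoopback() (*loopback, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	l := &loopback{state: randomToken(), verifier: randomToken(), result: make(chan string, 1)}
	l.redirect = "http://" + ln.Addr().String() + "/callback"
	l.srv = &http.Server{Handler: http.HandlerFunc(l.handleCallback)}
	go l.srv.Serve(ln) // runs until l.srv.Close()
	return l, nil
}

// AuthURL is where the served HTML page sends the browser; access_type=offline requests a refresh token.
func (l *loopback) AuthURL(clientID string) string {
	q := url.Values{
		"client_id": {clientID}, "redirect_uri": {l.redirect}, "response_type": {"code"},
		"scope": {"https://www.googleapis.com/auth/drive.file"}, "state": {l.state}, "access_type": {"offline"},
		"code_challenge": {pkceChallenge(l.verifier)}, "code_challenge_method": {"S256"},
	}
	return authEndpoint + "?" + q.Encode()
}

// handleCallback: a redirect whose state does not match gets 400 and neither aborts nor replaces
// the pending flow, so a forged or replayed redirect cannot win; a refusal is reported to the browser only.
func (l *loopback) handleCallback(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	if subtle.ConstantTimeCompare([]byte(q.Get("state")), []byte(l.state)) != 1 {
		http.Error(w, "state mismatch", http.StatusBadRequest)
		return
	}
	code := q.Get("code")
	if code == "" || q.Get("error") != "" {
		http.Error(w, "authorization not granted", http.StatusBadRequest)
		return
	}
	select {
	case l.result <- code: // delivered once; a later matching redirect is dropped
	default:
	}
	fmt.Fprintln(w, "Authorization received; you can close this tab.")
}

// Wait blocks until the browser delivers a code or ctx expires.
func (l *loopback) Wait(ctx context.Context) (string, error) {
	select {
	case code := <-l.result:
		return code, nil
	case <-ctx.Done():
		return "", ctx.Err()
	}
}

func main() {
	lb, err := startLoopback()
	if err != nil {
		panic(err)
	}
	defer lb.srv.Close()
	fmt.Println("Open in a browser:", lb.AuthURL("YOUR_CLIENT_ID")) // placeholder client id
	fmt.Println(lb.Wait(context.Background())) // next: POST code + code_verifier to the token endpoint
}
```

Three design choices carry the security weight. The listener is bound to 127.0.0.1 on a random port, so nothing off-host can reach the callback. The state value is generated per attempt and compared in constant time, and a mismatch answers 400 without touching the pending flow, so a forged redirect can neither abort the real login nor substitute an attacker's code. PKCE (S256) binds the returned code to a verifier that never leaves the process; the verifier, not a client secret, is what makes an intercepted code useless at the token endpoint, which is the relevant property for a public client whose "secret" would otherwise sit in an open-source binary. A user who refuses consent is told so in the browser and the CLI keeps waiting until its own context deadline, which is where the interactive-versus-non-interactive handling discussed above would hook in.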