Skip to content

RFC: User Authentication and Online MyOpenCRE Mapping#876

Merged
northdpole merged 6 commits into
OWASP:mainfrom
skypank-coder:rfc-user-auth-myopencre
Jul 8, 2026
Merged

RFC: User Authentication and Online MyOpenCRE Mapping#876
northdpole merged 6 commits into
OWASP:mainfrom
skypank-coder:rfc-user-auth-myopencre

Conversation

@skypank-coder

Copy link
Copy Markdown
Contributor

Summary

This RFC proposes the design for user authentication and
personal MyOpenCRE views (issue #586).

Reviewed and approved by @northdpole — opening for
community review as suggested.

What this RFC covers

  • OAuth login via Google (no password storage)
  • Persistent user identity using google_sub as anchor
  • User-owned standard and section storage with no
    data duplication against the shared CRE graph
  • Automated mapping execution pipeline (bi-encoder +
    cross-encoder) with 98% accuracy checkpoint
  • Upload endpoint wiring under /rest/v2/
  • Result retrieval with ownership enforcement

Implementation order

5 TODO steps with explicit code changes, tests,
pass/fail checkpoints, and rollback behaviour for each.

Related

Reviewers

@northdpole @parth-sohaney @robvanderveer

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 8020236d-d2e2-40c2-944c-e2ab71745568

📥 Commits

Reviewing files that changed from the base of the PR and between a4f5ada and 8e13eff.

📒 Files selected for processing (1)
  • docs/rfc/user-auth-myopencre.md
💤 Files with no reviewable changes (1)
  • docs/rfc/user-auth-myopencre.md

Summary by CodeRabbit

  • Documentation
    • Added an RFC describing a new authenticated MyOpenCRE web flow.
    • Outlines user sign-in, sign-out, and “next page” behavior for a smoother login experience.
    • Defines upload, status tracking, and result review actions for user-submitted content.
    • Describes per-user mapping states and review steps to support automatic and manual matching.

Walkthrough

This PR adds a new RFC document proposing an authenticated "MyOpenCRE" flow under /rest/v2/. It specifies user identity persistence, per-user standard/section storage, an automated mapping job, upload/status endpoints, result retrieval/confirmation endpoints, and related constraints and privacy notes.

Changes

User Auth & MyOpenCRE RFC

Layer / File(s) Summary
RFC context and plan
docs/rfc/user-auth-myopencre.md
Introduces overview, current limitations, goals for authenticated /rest/v2/ uploads, and ordered implementation plan.
User identity persistence
docs/rfc/user-auth-myopencre.md
Defines User model keyed by google_sub, auth routes, session handling, and redirect-based login_required behavior.
User-owned standard/section storage
docs/rfc/user-auth-myopencre.md
Defines user_standards/user_standard_sections models, soft cre_db_id references, and Node_collection accessor signatures.
Automated mapping job
docs/rfc/user-auth-myopencre.md
Defines run_mapping job flow, encoding/re-ranking, status updates, and remap rules preserving USER_CONFIRMED.
Upload and status endpoints
docs/rfc/user-auth-myopencre.md
Defines upload route, validation/duplicate handling, job enqueuing, and status endpoint contract.
Result retrieval and confirm/reject actions
docs/rfc/user-auth-myopencre.md
Defines list/fetch endpoints, confirm/reject actions, ownership checks, and failure semantics.
Future work, constraints, and privacy note
docs/rfc/user-auth-myopencre.md
Adds gap-analysis future-work note, constraints summary table, and privacy note on storing user email/display name.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related issues: None specified.

Suggested labels: documentation, rfc

Suggested reviewers: None specified.

🐰 A rabbit sketches routes on parchment scroll,
Google sub keys, sessions playing their role,
Mappings drawn with confidence and care,
Confirmed ones locked, never to repair,
A future RFC, waiting to enroll.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main RFC: user authentication and online MyOpenCRE mapping.
Description check ✅ Passed The description matches the RFC and covers the authentication, mapping, and endpoint changes described in the PR.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
user-auth-myopencre.md (1)

48-48: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Add language specifiers to fenced code blocks for readability.

The static analysis tool flagged four fenced code blocks without language specifiers. While this is an RFC document, adding specifiers improves rendering and copy-paste ergonomics:

  • Line 48 (users schema): sql
  • Line 96 (user_standards schema): sql
  • Line 196 (upload endpoint spec): http or text
  • Line 243 (result retrieval endpoints): http or text
📝 Proposed formatting fixes

Line 48:

-   ```
+   ```sql

Line 96:

-   ```
+   ```sql

Line 196:

-   ```
+   ```http

Line 243:

-   ```
+   ```http

Also applies to: 96-96, 196-196, 243-243

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@user-auth-myopencre.md` at line 48, Add language specifiers to the fenced
code blocks in the RFC so the rendered examples are easier to read and copy.
Update the four affected fences in the document sections for the users schema
and user_standards schema to use sql, and the upload endpoint spec plus result
retrieval endpoints to use http (or text if preferred); keep the surrounding
content unchanged and ensure the fenced blocks remain matched in each section.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@user-auth-myopencre.md`:
- Around line 302-304: The privacy note is inconsistent with existing session
usage, so clarify the storage claim in the RFC. Update the note near the
“Privacy note” section to distinguish persistent storage from server-side
session data, and ensure it matches the behavior implied by login_required and
the session['name']/session['google_id'] fields in application/web/web_main.py.
If the intent is “nothing is persisted,” say that explicitly; otherwise, adjust
the documented behavior to reflect what is actually stored.
- Line 51: Clarify the identity field naming by explicitly mapping google_sub to
the existing google_id used in login_required and related session checks. Update
the RFC text around the google_sub column to state whether it is the same
immutable Google sub claim or a new identifier, and if it is the same, add a
brief note or alias reference so readers can cross-reference google_sub with
google_id consistently.
- Around line 177-179: Define the evaluation protocol for the checkpoint by
clarifying what the “known CRE links” ground truth is (for example, manually
verified mappings versus preexisting graph edges), who validates the mappings
and how tie-breaks/disagreements are resolved, and which metric the “≥ 98%
correct mappings” refers to. Update the checkpoint text near the pass criteria
to reference the relevant evaluation method in the fixture upload flow so the
requirement is operationalized and reproducible.
- Around line 59-66: The session contract is inconsistent between the RFC and
the existing login flow: login_required currently checks session['google_id']
and session['name'], while the new auth flow stores only user_id. Update
login_required to use session['user_id'] and fetch the user’s display name from
the User model (instead of relying on session name), and make sure the auth
callback writes the same key that login_required expects. Also clarify whether
google_sub replaces google_id everywhere or whether both are retained during
migration.

---

Nitpick comments:
In `@user-auth-myopencre.md`:
- Line 48: Add language specifiers to the fenced code blocks in the RFC so the
rendered examples are easier to read and copy. Update the four affected fences
in the document sections for the users schema and user_standards schema to use
sql, and the upload endpoint spec plus result retrieval endpoints to use http
(or text if preferred); keep the surrounding content unchanged and ensure the
fenced blocks remain matched in each section.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: f43ed216-e971-4602-acd5-d66366a1a273

📥 Commits

Reviewing files that changed from the base of the PR and between 0e16c2e and ffa1035.

📒 Files selected for processing (1)
  • user-auth-myopencre.md

Comment thread docs/rfc/user-auth-myopencre.md
Comment thread docs/rfc/user-auth-myopencre.md
Comment thread docs/rfc/user-auth-myopencre.md
Comment thread user-auth-myopencre.md Outdated
…arify google_sub, define mapping accuracy metric

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please remove these three lines , we dont keep it in os
Author: Saatwik Kumar Yadav
Status: Draft — submitted for community review
Related issues: #375, #585, #586

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

File location should be under docs folder

- Reconcile session contract with existing login_required (google_id/name -> user_id)
- Clarify google_sub == existing session google_id (OIDC sub claim)
- Privacy note: clarify nothing is persisted to DB (session data already exists)
- Define TODO 3 accuracy checkpoint as exact-match vs human-verified CRE links
- Remove Author/Status/Related-issues metadata lines
- Move RFC under docs/rfc/
@skypank-coder skypank-coder requested a review from Pa04rth July 7, 2026 05:52

@northdpole northdpole left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RFC approved. Follow-up tracked in separate issues: auth route migration to /rest/v1/auth/*, capabilities.login rollout, Module C reuse for mapping, and auth-wrapping cre_csv_import.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants