New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gracefully handle Google OAuth failures from Maker App #38245
Conversation
… user is already logged in
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should verify with marina that the "logged out with no google authentication option" behavior is what we want here. i know this is the default route for this type of user/situation, but it feels a little roundabout to show them a message that says they can update their account with a google option, then immediately give them an error after they sign in
end | ||
|
||
# GET /maker/confirm_login | ||
# Renders a page to confirm uses want to login via Google OAuth | ||
# This route is need to convert the GET request from the Maker App into | ||
# a POST that can be used to login via Google OAuth | ||
def confirm_login | ||
session[:user_return_to] ||= params[:user_return_to] | ||
if current_user | ||
redirect_to maker_display_google_oauth_code_path |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since we're making a change to the route in the maker app anyways, i think we should clean up the method names for the routes for this feature -- there are some incorrect/mismatched names and conventions that make it sound like these routes work for any login, when they only currently work for google.
in our routes file:
code-dot-org/dashboard/config/routes.rb
Lines 53 to 55 in 043945b
get 'maker/google_oauth_login_code', to: 'maker#login_code' | |
get 'maker/display_google_oauth_code', to: 'maker#display_code' | |
get 'maker/google_oauth_confirm_login', to: 'maker#confirm_login' |
the actual URLs are correct, but the method names (e.g., maker#login_code
) don't match, so we should change the method names to make it clear that these routes are currently meant for google only.
in the controller file:
code-dot-org/dashboard/app/controllers/maker_controller.rb
Lines 116 to 136 in 043945b
# GET /maker/login_code | |
# renders a page for users to enter a login key | |
def login_code | |
end | |
# GET /maker/display_code | |
# renders a page for users to copy and paste a login key | |
def display_code | |
# Generate encrypted code to display to user | |
user_auth = current_user.authentication_options.find_by_credential_type(AuthenticationOption::GOOGLE) | |
@secret_code = Encryption.encrypt_string_utf8( | |
Time.now.strftime('%Y%m%dT%H%M%S%z') + user_auth['authentication_id'] + user_auth['credential_type'] | |
) | |
end | |
# GET /maker/confirm_login | |
# Renders a page to confirm uses want to login via Google OAuth | |
# This route is need to convert the GET request from the Maker App into | |
# a POST that can be used to login via Google OAuth | |
def confirm_login | |
end |
the comment above each route here is incorrect. for the first one, maker#login_code
, we can see from the routes file that the URL is GET /maker/google_oauth_login_code
. these are definitely just mistakes we missed during code review.
i think any/all of these changes should be made in a follow-up PR, but i wanted to call them out here
I didn't think it was an option but I think I've found a way to go around it. I added it in this commit in omniauth_callbacks_controller and I'd love to know if there's a better way to be doing it. |
dashboard/test/controllers/omniauth_callbacks_controller_test.rb
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
wonderful work, jillian, and thank you for making this experience much more robust!
@@ -786,6 +786,49 @@ class OmniauthCallbacksControllerTest < ActionController::TestCase | |||
assert_equal auth[:credentials][:refresh_token], partial_user.oauth_refresh_token | |||
end | |||
|
|||
test 'google_oauth2: redirects to maker display code if present as user_return_to on successful google login' do |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit: I am having trouble parsing the title of this test. The comments in the tests are really helpful in understanding, but it would be great to see if we can make the title a little clearer.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tried to clarify the title, let me know if that helped :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes - thank you!
# Renders a page to confirm uses want to login via Google OAuth | ||
# This route is need to convert the GET request from the Maker App into | ||
# a POST that can be used to login via Google OAuth | ||
def confirm_login | ||
session[:user_return_to] = params[:user_return_to] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Now that we are handling the redirect here, I think we can remove this if statement (
if params[:maker] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we can do that until after we publish the new maker app right? Since the current version of maker app still goes through there?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup! Thanks for catching that - I didn't think that through. Is there a way we can track that? It's a small change, but anytime we can minimize the number of branches of code we support, I'm excited.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah, jillian and i were discussing this before break -- we could log to either Honeybadger (easily viewable but can cause alarm if it's triggered a lot) or Firehose (we aren't notified and have to remember to check Redshift) when this path is hit. then, if we don't log any usage for ~1 month (or whatever timeframe), we can safely remove that code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! Yay!
A few changes here:
Here's a video for when a user is not logged in and uses a valid google auth option: https://drive.google.com/file/d/1_fvrYv2oMNnOcluvxi2LFgRiSGbIGlJW/view?usp=sharing
Here's a video for when a user is not logged in and uses a non google auth option: https://drive.google.com/file/d/1SAux-C79c6dOOyJu_IxR2nL3v60vgZhQ/view?usp=sharing
If the user is already logged in, it will skip directly to that last page (with either the code or the error message depending on the existence of a google authentication option)
Links
Testing story
Reviewer Checklist: