Address issue #323 and enable GHE Auth

[tortilaman]

So far this is a basic fix for issue #323. Unauthorized users will not be able to get into the backend, and an alert window will popup informing them they need to speak with their site administrator to get access.

Once I figure out how to feed the error to AuthenticationPage.js I’ll make it look better.

Also, api_root wasn’t being fed to API.js, which was causing issues authenticating Github Enterprise users, since it was using the regular github api endpoint. I fed api_root in, which should enable Github Enterprise for everyone, and potentially other git providers?

[erquhart]

@tortilaman fyi I rebased your branch so that only the new commits are included in this PR.

[erquhart]

Just one small change, otherwise LGTM! Thanks!

[erquhart]

Remove this for now, can be brought up in a separate PR.

[tortilaman]

Yeah, I was gonna ask about rebasing. Figured that would be a good idea. I've actually now modified to provide better feedback so it uses the existing toast UI and redux-notifications. I feel comfortable merging at this point.

[tortilaman]

Apologies for the double commit there, was using github desktop instead of cli and sometimes it doesn't make it clear what it's doing.

[erquhart]

Fixed history again - if you do a hard reset to origin from your local repo, that should prevent further extraneous commits.

[erquhart]

Last thing, just updates to the error messages.

[erquhart]

Replace with "GitHub is not responding, please try again."

[tortilaman]

That probably makes more sense, haha. Leftover from my initial testing

[erquhart]

Replace with "Your GitHub user account does not have access to this repo."

[tortilaman]

I was thinking that it might be beneficial in terms of users' mental model to abstract it a bit from GitHub since I'm sure there's a lot of end-users doing editing and writing that might not necessarily be so familiar with GitHub.

[Benaiah]

Looks like you inadvertently committed a diff here.

[tortilaman]

Everything should be cleaned up now for a PR and the diff should've been addressed.

[erquhart]

LGTM - thanks!

[Benaiah]

Great changes, thanks for this! I have a couple nitpicks and a slightly bigger suggestion for refactoring the API code.

[Benaiah]

This is an unrelated change, and goes against our current eslint config.

[Benaiah]

This method should be renamed and modified as per my refactoring suggestions below.

[Benaiah]

👍, this is a long-awaited change.

[Benaiah]

Don't know how I feel about these changes - on one hand, the .gitignore isn't super important; OTOH, I'd rather keep it small as it can cause confusion if it inadvertently ends up ignoring paths that we end up using, and if we add ignores for each contributor's individual tooling (rather than those that every contributor needs to ignore, such as build artifacts), I can see the .gitignore becoming too large pretty quickly. Additionally, these changes show up in history and diffs despite being unrelated to the actual purpose of the PR. @erquhart thoughts?

[erquhart]

I personally think it's fine. manifest.yml is a Bluemix artifact, and .imdone is from Atom. A lengthy .gitignore isn't a bad thing if it improves the developer experience for contributors.

@tortilaman what is config.local.yml from?

[tortilaman]

config.local.yml is storing my backend config so I don't have to go searching for it to test with GitHub.

[erquhart]

@tortilaman let's leave that value out since it's not a standard file, but the other two can stay.

[Benaiah]

@erquhart sounds like a solid policy to me, thanks for the clarification.

[Benaiah]

Today I learned you can't do full destructuring in an import call - I was going to suggest import { actions: { notifSend } } from 'redux-notifications';, but that syntax is only supported for assignment, not imports).

[Benaiah]

While I understand the motivation behind this code, this is bound to cause bugs in the future by special-casing a particular URL in what is otherwise a generic request function. This should really be done in collaborator. One issue I see with the response method as it stands is that JSON responses reject the promise when an error status is present, but text responses do not.

@erquhart if you agree that that should be fixed, I can include it in my GH API refactor branch I'm preparing to PR (the branch name is gh-api-refactors, there's a little there already).

@tortilaman for now, you should be able to expect a JSON response from the GH API. Thus, any non-200 statuses will cause the promise to reject with the APIError in the catch block just below these lines. In addition, My suggestions for refactoring this are as follows:

• Remove this logic from request.
• Rename the collaborator method to isCollaborator, and have that return a promise that either rejects or resolves to a boolean, representing whether the user is a collaborator or not.
• Catch the 404, 403, and 204 statuses in isCollaborator. If the status is one of those three, resolve the promise to the appropriate boolean. Otherwise, rethrow the error. (remember, JSON responses reject the error if the status is not 200-99, so you don't need any additional
• Remove the now-unnecessary status code checks from authenticate and change them to handle the boolean that isCollaborator is returning. Add a catch block to handle unexpected errors, and move the throw new Error('GitHub is not responding, please try again.'); to the catch block.

I'd be happy to elaborate on this further if necessary, and I can always refactor this myself if you'd rather move on, but either way I'd like this to be refactored before a merge.

[erquhart]

Great breakdown @Benaiah, I'm on board with this.

[tortilaman]

@Benaiah Would isCollaborator then need to follow promise syntax and utilize resolve() etc.? I'm of the understanding that without doing that .then((response)... will still work based on what I have now.

[Benaiah]

The preceding status-checking logic should move to collaborator/isCollaborator (whatever that ends up being named) instead of being handled here - the only part of this that's relevant to authentication is whether the user is a collaborator or not, not the specific status code. This is part of the more detailed refactor I suggested above.

[erquhart]

@Benaiah leaving this to you, merge once you're happy with the changes.

[erquhart]

@tortilaman merge conflict.

[erquhart]

@Benaiah also, we should squash-merge.

[tortilaman]

Apologies, I was definitely going to squash this on my last commit, but the interactive rebase got quite complicated with the merge and figured I would have to re-order commits and such, and I just figured it would be better left to you.

[erquhart]

No problem! Squash merging is a simple solution, no sweat.

[tortilaman]

Just pulled master into this and some issues seem to have popped up. I'll update when I think it should be ready to merge again.

[erquhart]

@tortilaman sounds good, reach out if you need help.

[tortilaman]

Alright @erquhart @Benaiah I think this is ready for a squash merge.

[Benaiah]

LGTM with one small change.

[Benaiah]

A generic request method like this should check the equivalent of response.ok, which is "status in the range 200-299" (response.ok on MDN, see also MDN's list of 2xx status codes). Changing it to this line would fix that:

      if ((responseStatus >= 200) && (responseStatus <= 299)) {

[tortilaman]

@Benaiah That's leftover from the collaborator check. I switched to a write permission check, so I'll just remove that actually.

[tortilaman]

Alright, everything resolved.

[Benaiah]

@tortilaman thanks so much!

[tortilaman]

Thanks for all the feedback!