Implementation Ebay OAuth2 Strategy for OmniAuth

[paderinandrey]

Hi, please review this implementation and let me know if there is some bugs

[Envek]

Thank you for your contribution!

Some things that should be fixed for use in real apps:

1. info hash layout. While it's backward compatible with omniauth-ebay gem (which is a good thing, it is somewhat uncommon for omniauth strategies in general).

2. In real apps, it is important to know when refresh_token will expire to send a reminder to the user, asking to log in again (before token really expires and our app will stop to work). Also, it allows distinguishing between token expiration and token revocation by the user.

   Please add refresh_token_expires_at field into credentials hash.

3. OAuth scopes. Public scope provided by default is awesome! But it should be documented better IMHO in README.

   Also, an example should be added (should user concatenate the list of scopes with space or can we do it for them?)

I like that you've used omniauth-oauth2 gem, as it solves some problems for free. Your implementation works.

However, code is a bit messy. Try to clean and refactor it with rubocop, for example.

[Envek]

We don't need this as it is open source.

[Envek]

Do we need explicit requirement on oauth2 for some reason? omniauth-oauth2 already depends on ~> 1.0 of it.

[Envek]

It is probably better to move them it into the gemspec's add_development_dependency.

[Envek]

It is better to keep it in nickname field of info hash as per https://github.com/omniauth/omniauth/wiki/Auth-Hash-Schema#schema-10-and-later

[Envek]

It is better to be moved to constant and freezed. Or even to a file.

[Envek]

Also, you should add DetailLevel tag to get user's full name, phone, etc.

<DetailLevel>ReturnAll</DetailLevel>

[Envek]

It's better to extract http client configuration out. Rubocop already complaints about this method.

[Envek]

This line is useless ✂️

[Envek]

Naming is weird. Both for instance variable (it is astonishing that it doesn't match method name) and for get_user_info method.

[Envek]

EbayAPI module is confusing me. It is a module but it can only be included in the classes that are inherited from OmniAuth::Strategies::OAuth2 class. This is makes tests somewhat easier to write, but blows mind away when someone tries to understand what is what in code. Many people have said “prefer composition over inheritance” mantra many times and it's probably worth to make EbayAPI standalone class with clear dependencies that we must to have to instantiate it and with clear API. So we can explicitly use it. I believe this will make things better.

But anyway these are just complaints about style, mostly. Your PR is working well.

[Envek]

oauth2 gem actually converts access token lifetime duration from expires_in field to unix timestamp and exposes it in expires_at field (see OAuth2::AccessToken#initialize) and omniauth-oauth2 uses only this field. I think it is better to do the same with refresh token for the sake of consistency.

Please change it to refresh_token_expires_at (returning Unix timestamp of token expiration).

[Envek]

Why not just allow to specify an array of scopes?

[Envek]

Why do you have changed to old hash syntax?

[paderinandrey]

I fixed notes. My first gem turned out really cool. Thanks)

[Envek]

OmniAuth::Strategies is not appropriate namespace, actually. Because this is not strategy itself and OmniAuth should not try to load it. It is better to keep it somewhere in gem namespace. Something like OmniAuth::Ebay::EbayAPI (scary, I know!)

[Envek]

Gem namespace is weird. All stuff (except OmniAuth strategy) should be placed somewhere inside OmniAuth::Ebay::OAuth module or something like it. To avoid screwing up with constants from omniauth-ebay gem (not sure if anyone will need to use them simultaneously), or from ebay_api gem (and we are absolutely sure that we will use them together) in one app.

Except that everything is fine. Thank you for patience — resolving reviews is hard.

[Envek]

I'm closing this PR in favor of #2. I'm very grateful for your work and patience in resolving issues.

This wasn't an easy decision as all three submitted pull requests were fully functional solutions, differing in some subjective things.

This project is now alive and if you notice that it lacks some useful features, have bugs or needs polishing — pull requests are always welcome!

I learned something about OAuth while reviewing this PR (even after working with this protocol before) and hope that you have learned a lot too.