This repository has been archived by the owner on Apr 12, 2022. It is now read-only.

oAuth user sign in #2667

Merged
merged 22 commits into from
Dec 21, 2021

Conversation

@evantahler (Member) commented Dec 9, 2021

Users can sign into Grouparoo instances with oAuth

(attached screencast: oAuth.mov)

Checklists

Development

  • Application changes have been tested appropriately

Impact

  • Code follows company security practices and guidelines
  • Security impact of change has been considered
  • Performance impact of change has been considered
  • Possible migration needs considered (model migrations, config migrations, etc.)

Please explain any security, performance, migration, or other impacts if relevant:

Code review

  • Pull request has a descriptive title and context useful to a reviewer. Screenshots or screencasts are attached where applicable.
  • Relevant tags have been added to the PR (bug, enhancement, internal, etc.)

@evantahler evantahler changed the title 180364935 oauth oAuth user sign in Dec 9, 2021
@evantahler evantahler added the enhancement New feature or request label Dec 9, 2021
router.replace(
`/object/${response.oAuthRequest.appId}?requestId=${requestId}&appOption=${response.oAuthRequest.appOption}`
);
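Review bot: the requestId travels in the query string of the redirect target, so it will land in browser history and in the Referer header of any outbound request the /object page makes; that is only acceptable if the server treats the id as short-lived and single-use, which this client-side redirect cannot enforce on its own. Keep the server-side expiry and consumption checks discussed later in this review, and avoid logging the full URL on the UI side.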
evantahler (Member Author) commented:

This is a bit WIP until we have an app to authenticate against, but it will be something like this

</Col>
</Row>

<Modal show={showModal} onHide={() => setShowModal(false)}>
evantahler (Member Author) commented:

In the case you have more than one identity, we show a modal so you can pick the right one

Comment on lines +68 to +80
// TODO: How can we test this without making real oAuth requests?
test.todo("an oAuth token and identities can be retrieved");
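Review bot: test.todo leaves the token and identity retrieval path with no coverage at all, which the TODO on the line above acknowledges. Suggest making the HTTP client that talks to the auth server injectable so the test can supply a stub that returns a canned token and identity list, then assert on how the module stores and exposes them; that answers the "without making real oAuth requests" question without touching the network.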
evantahler (Member Author) commented:

Just like in the telemetry app, we need to come up with a pattern to test a full oAuth flow...

@evantahler evantahler marked this pull request as ready for review December 11, 2021 01:03
@edmundito (Contributor) left a comment:

Functionality is looking great so far. I left a few comments

Resolved review threads: core/src/modules/oAuth.ts; core/src/modules/oAuth.ts (outdated); ui/ui-components/components/session/SignIn.tsx (outdated, two threads)
@pedroslopez (Member) left a comment:

Nice! I think we should make sure that the requestIds can't be used multiple times to sign in, maybe this means doing something to the OAuthRequest on successful sign in

Comment on lines 50 to 52
const oauthRequest = await OAuthRequest.findOne({
where: { id: params.requestId },
});
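Review bot: the lookup at lines 50 to 52 selects on id alone, so nothing here rejects a request that is stale or already used; a captured requestId keeps working until the sweeper removes the row. Besides marking the request used on success, bound the query by createdAt (reject anything older than the sweep window) so an old id cannot be replayed in the gap before the next sweep.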
pedroslopez (Member) commented:

If this matches we should also delete the OAuthRequest or set something on it so it can't be used again. At the moment the requestId can be reused (until it's swept)

evantahler (Member Author) replied:

👍 Love it. Thank you for reading all this code so carefully! Updated in e2ad6c6

Resolved review thread: core/src/actions/records.ts
@evantahler evantahler force-pushed the 180364935-oauth branch 2 times, most recently from 320d204 to e21ede5 Compare December 18, 2021 00:40
@evantahler (Member Author) commented Dec 18, 2021

Ok @pedroslopez I've got login reuse fixed up, and telemetry deployed. I think this is ready to go!

@evantahler (Member Author) commented:

Milestone! The production auth.grouparoo.com server is deployed. This branch should now work out of the box without needing to run the auth server locally.

Resolved review threads: core/src/actions/oAuth.ts (outdated, two threads); ui/ui-components/components/session/SignIn.tsx (outdated, three threads)
@pedroslopez (Member) left a comment:

Woo!

throw new Errors.AuthenticationError("password does not match");
} else {
const oauthRequest = await OAuthRequest.findOne({
where: { id: params.requestId, consumed: false },
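Review bot: `consumed: false` in the findOne where-clause is only a read; if the flag is then set in a separate save, two sign-in calls carrying the same requestId that arrive together can both observe consumed=false and both succeed. Make the consume step a single conditional update (set consumed to true where id = requestId and consumed = false) and treat zero affected rows as an AuthenticationError, mirroring the password branch above.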
pedroslopez (Member) commented:

It feels a little odd that the identities are still returned to the user for a consumed oauth request (going to /session/sign-in?requestId=req_ABCDE), but it's probably ok

evantahler (Member Author) replied:

That's a good idea! 857d687 prevents showing identities for consumed oAuth requests
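The two properties settled in this thread, that a requestId can complete only one sign-in and that a consumed request no longer reveals its identities, are shown below as an added example. This is not Grouparoo code and does not reproduce the project's OAuthRequest model or actions; the OAuthRequestStore class, its method names, the injected clock and the "req_" id format are assumptions made for illustration.

```typescript
// Added example (not Grouparoo code): a single-use, expiring store for
// OAuth sign-in requests. Class, method and field names are assumptions.
import { randomBytes } from "node:crypto";

export interface Identity {
  provider: string;
  email: string;
}

export interface OAuthRequest {
  id: string;
  appId: string;
  appOption: string;
  createdAt: number; // ms since epoch, taken from the injected clock
  consumed: boolean;
  identities: Identity[];
}

export class OAuthRequestStore {
  private readonly requests = new Map<string, OAuthRequest>();
  private readonly ttlMs: number;
  private readonly now: () => number;

  // The clock is injectable so expiry can be exercised without sleeping.
  constructor(ttlMs = 10 * 60 * 1000, now: () => number = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;
  }

  // Unguessable id (96 random bits) with the "req_" prefix used in the thread.
  create(appId: string, appOption: string, identities: Identity[]): OAuthRequest {
    const id = "req_" + randomBytes(12).toString("hex");
    const req: OAuthRequest = {
      id,
      appId,
      appOption,
      identities,
      createdAt: this.now(),
      consumed: false,
    };
    this.requests.set(id, req);
    return req;
  }

  private isLive(req: OAuthRequest): boolean {
    return !req.consumed && this.now() - req.createdAt < this.ttlMs;
  }

  // What /session/sign-in?requestId=... may show: identities only while the
  // request is live. A consumed or expired id reveals nothing.
  identitiesFor(id: string): Identity[] | null {
    const req = this.requests.get(id);
    return req && this.isLive(req) ? req.identities : null;
  }

  // Check-and-mark in one step. In JavaScript this is atomic because nothing
  // else runs between the lookup and the assignment; against a database the
  // equivalent is one conditional update
  // (UPDATE ... SET consumed = true WHERE id = ? AND consumed = false)
  // whose affected-row count decides whether the sign-in proceeds.
  consume(id: string): OAuthRequest | null {
    const req = this.requests.get(id);
    if (!req || !this.isLive(req)) return null;
    req.consumed = true;
    return req;
  }

  // Periodic sweep: drop everything that can no longer complete a sign-in.
  sweep(): number {
    let removed = 0;
    this.requests.forEach((req, id) => {
      if (!this.isLive(req)) {
        this.requests.delete(id);
        removed++;
      }
    });
    return removed;
  }
}
```

The second consume of the same id returns null, which the sign-in action would turn into an authentication error rather than a second session; the sweep only reclaims rows, it is not what makes an old id unusable, so the expiry check lives in isLive where every read goes through it.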

@evantahler evantahler merged commit 6183886 into main Dec 21, 2021
@evantahler evantahler deleted the 180364935-oauth branch December 21, 2021 20:48
Labels: enhancement (New feature or request)
Projects: none
Linked issues: none
3 participants