OAuth consumer #324
OAuth consumer #324
Conversation
|
"marking it as global would allow every user to use the account in their agents" I think this should be on a per account basis, as I plan to let friends use my instance but obviously don't want to give them access to my accounts. |
|
@alias1 yeah, that is what i meant 😃 |
|
I kind of like the idea of changin the user account to profile and the other one to service. Makes it a bit more self explanatory IMO. |
|
I agree. Account generally means an 'account on the Huginn instance'. I'd suggest Service or ExternalAccount. |
|
How's this coming along? Is the idea with Oauthable that I can kick of the Oauth dialog from the create new agent page? (Can't quite remember the specifics, but thinking this will be a good place to start with implementing #344 or anything like that) |
|
@alias1 I think the code is now pretty much done. What is still missing is some documentation on how to set it up properly (creating twitter/37signals apps and putting the token/keys in .env) |
|
Awesome @dsander, I'll try to play with it this weekend! |
|
Awesome! Will definitely have a play when it's up/when I get time to pull it :)— On Sat, May 31, 2014 at 12:57 AM, Dominik Sander notifications@github.com
|
|
Been having a little play with this on dev instance and so far I am REALLY liking how it is hanging together! Doesn't have to be a part of this PR, but at some point I think a 'prettier' (eg. not plaintext) interface for the connect links at |
|
Yeah it certainly isn't pretty at the moment :) |
|
I clicked through it a second time and seemed to work automagically, so not too sure of the reasoning why it failed the first time. (link mentions CSRF: |
|
I got that one too once, but all information I found about it was that the callback url might be wrong which, obviously, is not the case. Maybe one of the twitter servers is not up to date with the current information. |
| end | ||
|
|
||
| def twitter_consumer_secret | ||
| options['consumer_secret'].presence || credential('twitter_consumer_secret') |
There was a problem hiding this comment.
I guess one thing I'm unsure about is whether Huginn users will ever want differed users to have different API applications. With a credential, each user needs a Twitter application, but they can also have multiple ones. With this new changes, the whole huginn installation has one application, right? Is there anything we lose by going this direction?
There was a problem hiding this comment.
You are right, I do not think omniauth has a way to support multiple applications for one provider. I think the only drawback this solution has is that you can not have one read-only twitter application and one write enabled. But if a user does not trust the huginn admin with write access he could always create a second fake twitter account.
The same probably works for every other service.
There was a problem hiding this comment.
Perhaps just update
errors.add(:base, "Twitter consumer_key, consumer_secret, oauth_token, and oauth_token_secret are required to authenticate with the Twitter API. You can provide these as options to this Agent, or as Credentials with the same names, but starting with 'twitter_'.")to also talk about the .env?
There was a problem hiding this comment.
I am not sure if the validation is even valid anymore. An twitter agent can not be created without a service present, and to create a service you need to set up the ENV variables. I think that validation can be removed once we are sure the migration works as expected.
There was a problem hiding this comment.
Do we need to remove the validation, or have it talk about the ENV?
|
What's the upgrade path for existing users? |
|
I covered the upgrade for twitter and basecamp agents (the only two oauth enabled agents we have at the moment, afaik). The twitter upgrade works almost automatically, the you just have to copy and paste the OAUTH_KEY and OAUTH_SECRET the migration prints to your .env file and you are good. |
Created a service model which stores external account information. Created a service controller which kicks off the oauth process and lets the user manage their external accounts. Oauthable concern connects a agent to a service and adds a drop down to the agents edit page. Added a migration which converts the existing twitter agents to use the new service model.
|
^^ Sorry, hoping we are merging this relatively soon I was too lazy to create a PR from master and dealing with the possible merge conflicts. |
| @@ -2,7 +2,7 @@ language: ruby | |||
| cache: bundler | |||
| bundler_args: --without development production | |||
| env: | |||
| - APP_SECRET_TOKEN=b2724973fd81c2f4ac0f92ac48eb3f0152c4a11824c122bcf783419a4c51d8b9bba81c8ba6a66c7de599677c7f486242cf819775c433908e77c739c5c8ae118d | |||
| - APP_SECRET_TOKEN=b2724973fd81c2f4ac0f92ac48eb3f0152c4a11824c122bcf783419a4c51d8b9bba81c8ba6a66c7de599677c7f486242cf819775c433908e77c739c5c8ae118d TWITTER_OAUTH_KEY=twitteroauthkey TWITTER_OAUTH_SECRET=twitteroauthsecret | |||
There was a problem hiding this comment.
Can we drop this now that we added env.test?
|
I think we're super close! My only remaining concern is with the migration. Could you detail what the experience will be when someone tries to upgrade to this version and deploy, if they have existing Basecamp agents? Twitter agents? |
|
So, I'm running this on my instance now! First of all: this is AWESOME! It's a really significant improvement to how Huginn will work. A few comments:
Would you consider adding an
|
| </p> | ||
| <p><%= link_to "Authenticate with Twitter", "/auth/twitter" %></p> | ||
| <p><%= link_to "Authenticate with 37Signals (Basecamp)", "/auth/37signals" %></p> | ||
| <p><%= link_to "Authenticate with Github", "/auth/github" %></p> |
There was a problem hiding this comment.
Maybe each of these links should be hidden or disabled if the corresponding OAuth key/secret are not set.
There was a problem hiding this comment.
Maybe each of these links should be hidden or disabled if the corresponding OAuth key/secret are not set.
Good idea, will try to add it tomorrow
Sorry, I was quite busy the last days, but also happy you were keen eager to try it out :) You already know about the experience with twitter agents. For Basecamp agents you will just get the message to go to the wiki for information on how to set up an OAuth application and update the
You are right, if someone has to run many migrations it is really hard to spot the information. However adding that check on every page request doesn't feel right. At one point we might need to do a few of those upgrade checks which might hurt the performance and add legacy code which we never really could remove. (the old In my opinion we should keep the upgrade information somewhere near the upgrade process, i.e. you are running your
I guess it would be possible to check which agents use the same keys/tokens, but since I did not know every possible use case and combination I went the lazy way by cloning the old methods and use their responses. Since we just can support one twitter application after all, how about to just use the first key/token combination for all twitter agents?
The service doesn't get exported with the scenario. Even if we would export the service, I am not sure of how much use it would be. If you use the export function as a backup for your agents we could use the services |
No worries! This is a big effort.
How about a compromise? For now, we do two things:
Hopefully we get this soon-- I'm very interested in ideas about how to do versioning.
They could have been using different authorized twitter users (access_tokens) though, so let's just leave it how you have it now.
Sorry, I meant that when you import an already-imported Scenario (or export and then re-import a Scenario), it shows you the Services menu, but doesn't pre-select the Service that you've already associated with the Agent that you're updating. I think the select box just isn't defaulting to that Agent's service_id, if one is set and the Agent already exists. |
Conflicts: Gemfile.lock
Dotenv is loaded after the exception about the missing token is thrown
Conflicts: db/schema.rb
|
Phew, this is so close. This is the last thing, I promise! I had to log into https://apps.twitter.com/ and set my correct callback URL, which wasn't needed before. Our current instructions say you don't need it, which was previously true. I think it'd be worth noting this in the migration / warning message. I know you do mention it on the new wiki page. Also, as well as being on the home page, could we show your upgrade warning on the Services page as well? And that's it! Do those, and go ahead and merge! 😄 |
|
So happy to have it merged. @cantino thanks for the countless reviews and feedback! |
now we wait for the explosions 😄
|
Awesome work on this effort! |
|
Yay! Excited! Well done :3— On Wed, Aug 27, 2014 at 9:09 AM, Andrew Cantino notifications@github.com
|
|
Great! |
| <table class='table table-striped events'> | ||
| <tr> | ||
| <th>Provider</th> | ||
| <th>Username</th> |
There was a problem hiding this comment.
@dsander Shouldn't this be "Name" instead of Username?
There was a problem hiding this comment.
I guess it would also be "Name", I was going with "Username" because in most cases we will not get a "realname" but a account/nickname.
There was a problem hiding this comment.
OK, I just felt "usernames" set by the migration looked weird as a username.
I made a "Refresh username" button to "fix" them, but I'm not sure if it's worth it: https://github.com/knu/huginn/commit/9f466599afea308030a82ee5fdf89c0780c544f0
There was a problem hiding this comment.
Ah, right totally forgot the migrated names. I think it would be nice get rid of those strange names, but also unsure if it is worth adding the code since the only "real" use case are the migrated twitter accounts. @cantino what do you think?
There was a problem hiding this comment.
Eh, I don't have a strong opinion on this one. I'd be okay leaving them, since they're one-time. OTOH, if the fix is easy, feel free.
Follow up of #316 /cc @cantino @alias1 @mfclarke
Like I said my approach was to keep it really simple and it worked pretty well for twitter (the code is more of a proof of concept and not polished). The problem however is, that not every provider uses the same authentication keys. Twitter uses a
tokenandsecret, GitHub just atokenlike 37signals does. 37signals also provides arefresh_tokenwhich is needed to refresh the oauth token every two weeks.So basically my "keep it simple and unintrusive" approach failed because we need at least a few different logics to store the authentication information.
Also the idea of @alias1 to have multiple account of the same provider really grew on me. Using a accounts page the user could add accounts to huginn to the services we added, marking it as global would allow every user to use the account in their agents.
I think I would not tie the registration of accounts to agents right now, for example a website agent could also use an OAuth account to access pages.
Todo list for this approach: