[RFC] feat(docs): dec milestone

[dhmlau]

Do not merge this PR

This PR is to propose the Dec milestone. Once we agree, a github issue will be created based on the content. This PR is not meant to be merged.

Currently we've committed in 37 points. It's lower than our team velocity, but it might be more than enough because of the holidays.

Checklist

👉 Read and sign the CLA (Contributor License Agreement) 👈

• npm test passes on your machine
• New tests added or existing tests modified to cover all changes
• Code conforms with the style guide
• API Documentation in code was updated
• Documentation in /docs/site was updated
• Affected artifact templates in packages/cli were updated
• Affected example projects in examples/* were updated

👉 Check out how to submit a PR 👈

[dhmlau]

@raymondfeng @bajtos , we might've talked about this before, I couldn't recall what's left for this task to do.

[bajtos]

This story was created about a year ago as a kind of a workaround allowing us to show authentication in practice, without any authorization layer (that was not available at that time). I think the proposal still makes sense from the point of DX offered by shopping example REST API, but then I don't know what's the current status of the example app and what changes were implemented since the issue was created & discussed for the last time.

To be honest, I no longer care about this particular story. If the rest of the team thinks the proposed changes are not worth the effort, then I am fine to close the story as being no longer relevant.

[dhmlau]

@jannyHou @emonddr, what's your thoughts?

[emonddr]

I agree with @bajtos . We can drop the authenticated orders item, and simply ensure whatever remaining authentication and authorization we want in the shopping example is completed. (right now only a few endpoints have authentication or authorization, and we should discuss if we want more...probably when we discuss what other bells and whistles we want to see in shopping cart example)

[jannyHou]

After Deepak landed his authorization PR, the user/{userId}/orders endpoints are secured with authorization, which means we now compare the userId from path and the one decoded from access token to ensure they match.
If we change the UX to user/orders(which retrieves the user id from token directly) then we need to create new examples for authorization scenarios...

I didn't consider the UX change in #1998 when create the authorization PoC(sorry for that...), but since the authorization is already added in the shopping example, I would rather we close #1998 since it doesn't fit the current design.

[dhmlau]

Thanks for your input. I'll close #1998 then. thanks.

[bajtos]

I'd also like use to complete spike on migrating auth & auth from LB3 to LB4, so that we can start planning work on the migration guide and/or tooling for 2020Q1

[bajtos]

Personally, I would choose the following order of tasks, but I guess the order does not really matter.

• [3] How to migrate datasources from LB3 to LB4 How to migrate datasources from LB3 to LB4 #3946
• [3] How to migrate boot scripts How to migrate boot scripts #3957
• [3] How to migrate user-defined model methods How to migrate user-defined model methods #3949
• [5] How to migrate remoting hooks How to migrate remoting hooks #3950

[bajtos]

This story was created about a year ago as a kind of a workaround allowing us to show authentication in practice, without any authorization layer (that was not available at that time). I think the proposal still makes sense from the point of DX offered by shopping example REST API, but then I don't know what's the current status of the example app and what changes were implemented since the issue was created & discussed for the last time.

To be honest, I no longer care about this particular story. If the rest of the team thinks the proposed changes are not worth the effort, then I am fine to close the story as being no longer relevant.

[jannyHou]

@dhmlau hopefully story #3439 will be completed in this month. It's a committed story and Agnes is actively working on it, I can take it over if we need one more week(still within Nov.).

[dhmlau]

Thanks. The milestone plan here is tentative, will depend on what's left from Nov.

[jannyHou]

I would say #3846 is not a high priority.
"support token based authentication in API Explorer in shopping example" from the epic story is much more important, I don't remember if we have a story for it(probably not), I remember Raymond wants to have a default auth dialog for token based authentication, and I agree with him.

[dhmlau]

I thought #3854 would allow that. no?

[jannyHou]

@dhmlau #3854 is "allow extension contributes spec", "support token based authentication in API Explorer in shopping example" means our framework provide built-in spec

[dhmlau]

yes

[jannyHou]

After Deepak landed his authorization PR, the user/{userId}/orders endpoints are secured with authorization, which means we now compare the userId from path and the one decoded from access token to ensure they match.
If we change the UX to user/orders(which retrieves the user id from token directly) then we need to create new examples for authorization scenarios...

I didn't consider the UX change in #1998 when create the authorization PoC(sorry for that...), but since the authorization is already added in the shopping example, I would rather we close #1998 since it doesn't fit the current design.

[dhmlau]

I've updated the milestone based on the review comments. We now target for 37 points because we need to account for the vacation time. Besides issues we might complete before Dec, if everyone agrees, we'll use this as the Dec milestone. Thanks!

[dhmlau]

If this task is done in Nov, please replace this with

Include related models with a custom scope #3453

[jannyHou]

this is already done :)

[dhmlau]

the blog post?

[dhmlau]

Thanks @agnes512 for creating the milestone issue. See #4236.