Replace Auth #37
Replace Auth #37
Conversation
|
Amazing. Thanks for the first pass on this, @tmyracle! |
apps/server/src/app/app.ts
Outdated
| @@ -148,6 +149,7 @@ app.use('/tools', devOnly, toolsRouter) | |||
| app.use('/v1', webhooksRouter) | |||
|
|
|||
| app.use('/v1', publicRouter) | |||
| app.use('/v1/auth-users', authUserRouter) | |||
There was a problem hiding this comment.
Need to figure out a better authorization pattern for this route / refactor checking for existing user by email and creating new users so those routes aren't open to the wild.
|
Nice work @tmyracle ! credentials provider is discouraged, see https://authjs.dev/getting-started/providers/credentials-tutorial @Shpigford do you specifically want user/pass logins or would you consider some oAuth options as well? |
User/email + pass should be the entry point and then in the future we can add other providers if there's demand. No reason to google/apple/facebook/etc at this stage. |
|
Made a little more progress I think? I can at least access some of the app. Had to rework things to place nice with Express since NextAuth expects just a Next.js environment, hence the cookie parsing in the middleware check. Now when registering it is creating the User object in the database automatically and associating it with the AuthUser object that is owned by NextAuth.
|
|
Onboarding is back, also fixed a few react warnings/bugs. Looks like Auth0 took care of sending email verification so I'll need to go in and create an email and related services to handle sending the email verification and handling updating when user clicks the link in the email. For now I just added a flag to skip adding the email verification step to onboarding. Next going to remove all use of the Auth0 libraries, server endpoints, and anything else that might be calling Auth0. |
@tmyracle I agree with this move. Let's keep the flag to skip email verification and then we'll address email sending and email verification in a future issue. |
| @@ -276,6 +286,7 @@ router.get( | |||
| }) | |||
| ) | |||
|
|
|||
| // TODO: Remove this endpoint or refactor to work with new Auth | |||
There was a problem hiding this comment.
Are these comments relevant? I don't understand their purpose.
There was a problem hiding this comment.
It's purely for me to track things down as I continue working on this. I wanted to share a draft to get feedback on overall direction. They'll be removed as the changes are made.
| const { useDelete } = useUserApi() | ||
|
|
||
| const deleteUser = useDelete({ | ||
| onSuccess() { | ||
| toast.success(`Account deleted`) | ||
| setTimeout(() => logout({ logoutParams: { returnTo: window.location.origin } }), 500) | ||
| setTimeout(() => signOut(), 500) |
There was a problem hiding this comment.
Why is there a delay to log out here?
There was a problem hiding this comment.
good question, will dig deeper
There was a problem hiding this comment.
I'm guessing its to give time for the Toast to be displayed so the user has verification that the account was deleted prior to logging them out.
| import { useEffect } from 'react' | ||
| import * as Sentry from '@sentry/react' | ||
| import { useSession } from 'next-auth/react' | ||
|
|
||
| export default function APM() { |
There was a problem hiding this comment.
I believe its Application Performance Monitoring
Part of me would suggest to at least enable google and Microsoft (personal + 365) login support as a lot of home lab users use these services to secure their self-hosted stuff, myself included. Enabling support for OpenID connect workflows would be enough to make this flexible for everyone and I think this is a must have for a self-hosted app. |
|
@coman3 i 100% planning on supporting it, but it's just outside the scope/purpose of this issue/PR. |
|
AuthJS is very flexible, once in place it can support any provider with a few lines in. Let the man do the ground work and later come and introduce google sign in if you want |
|
This looks awesome! Thanks for all the work on this, y'all. When I try to run this locally, I get the following error, which makes me think my API service isn't running somehow? Anyone seen this/have an idea how to resolve? |
Hmm yeah looks like server might not be running. See anything in the console logs? Can also hit localhost:3333/health and check if you get an ok message back to make sure it's running. |
|
Looks like it's just refusing to connect all together (see screenshot).
When I boot it up, I get So I'm thinking maybe that's it? But that would make it seem like it's still looking at Auth0 for that secret... |
|
I was able to get this working. I just needed
🎉 |
|
Ok did a bunch of cleanup, should be pretty close to move to ready for review. I decided to remove the admin router for now, I'll leave it up to @Shpigford if he wants to remove the admin functionality or re-write it to work without Auth0 which would involve re-working the roles framework and refactoring how roles are assigned since those are currently owned by the Auth0 pages and sign up flow. Things out of scope for now, but should be addressed in next PR since this is already massive:
Depending on decisions here we can spin up some new issues for folks to tackle some of these items. |
There was a problem hiding this comment.
Testing will be addressed in future PR, focusing on unblocking dev and getting app functional.
There was a problem hiding this comment.
Testing will be addressed in future PR, focusing on unblocking dev and getting app functional.
| @@ -59,6 +59,8 @@ export function AddFirstAccount({ title, onNext }: StepProps) { | |||
| loader={BrowserUtil.enhancerizerLoader} | |||
| src={`financial-institutions/white/${src}.svg`} | |||
There was a problem hiding this comment.
These assets are missing so they won't load during onboarding. @Shpigford do you have these or should we plan to replace them?
|
Gonna go ahead and make this ready for review @Shpigford. The focus is getting an initial auth replacement implemented and pull out Auth0 and things that depend on it so that we can unblock development for other folks that want to contribute. This effort isn't complete, but I feel like its a good stopping point that achieves the goal stated above and can be built upon with future changes. Future PRs will address:
Issues for those changes will be added once this is reviewed and merged 🚀 |
|
@tmyracle really great work! after registration, I'm getting an "Unable to load onboarding" error and this in the console: |
Hmm, I'm assuming you have NEXTAUTH_SECRET populated in your .env? |
@tmyracle Doh. Totally missed needing to do that! I'm set. Works great. 🎉 |
Maybe we could include a basic secret as part of the example instead of leaving it empty? |
Updated the README to add instructions for populating prior to install and run. I don't like leaving placeholder secrets because it's easy for people to not change them and introduce vulnerabilities. |
|
Was able to run locally fine! :D LGTM 🎉 |
|
Alrighty, so 3 folks confirmed running it with the new auth. I'm gonna call it. YOLO, etc etc. AMAZING job on this @tmyracle! |
I wanted to provide a draft PR on this to make sure everyone is aligned with the path I'm going down here. Comments, feedback, recommendations all greatly appreciated. This is a big change!
but first, here's a demo showing registration, sign out, and signing back in:
CleanShot.2024-01-12.at.12.02.23.mp4
A lot going on here, here's a quick breakdown:
TO-DO:
Update middleware and JWT checksCreate User and associate with AuthUserFigure out how to kick off onboarding for new usersHopefully this is some decent progress on #16
/claim #16