oauth->auth phase 1 #2497
oauth->auth phase 1 #2497
Conversation
dannycoates
force-pushed
the
auth-oauth
branch
10 times, most recently
from
d1aa649
to
da5bf7b
Compare
There was a problem hiding this comment.
Looking for r?
What this does...
It starts using the code from oauth-server directly in the auth-server instead of making a http request. One goal here was minimal changes, I think I almost got that. Cleaning up orphaned code will be in a later phase.
I removed the local/oauthdb tests since they looked pretty specific to the http api calls and functionality seemed pretty well covered by the remote tests. lmk if that isn't correct.
In prod, or any other non-local-dev setup we'll need to start passing some oauth-server config into auth-server, mainly DB and a few others. I'll be making config PRs to fxa-dev and clouds-deployment. In local dev and ci this is handled in mysql_servers.json. Unfortunately servers.json won't work during the transition since multiple processes now need access to the data.
| @@ -30,6 +30,7 @@ module.exports = config => { | |||
| }), | |||
| response: Joi.object({ | |||
| access_token: validators.accessToken.required(), | |||
| id_token: validators.assertion.optional(), | |||
There was a problem hiding this comment.
I had to add this for this line in the test to work https://github.com/mozilla/fxa/blob/master/packages/fxa-auth-server/test/remote/oauth_tests.js#L188
I don't know if it's ok for this to be returning an id_token or not, and I don't know why it would be different from before.
There was a problem hiding this comment.
Yeah, this is right. If you look at the test, the original scope requested for the grant contained openid. With @rfk's PR to make refresh token grants default to the original grant scopes, openid would have been propagated when using the refresh token to request the new access token. Now, for why this test wouldn't have failed before your change here is a mystery though it does look like the test on line 196 can be re-instated because @rfk's PR fixed #1867.
There was a problem hiding this comment.
res2 still has an empty scope in this test 🤷♂️
There was a problem hiding this comment.
Oh... Strange. And unexpected. @rfk - with your fix we should expect scope to be populated there, wouldn't we?
@dannycoates - I don't think this is related to your PR, so carry on.
There was a problem hiding this comment.
Hmm, actually I think it's super weird to return an id_token in a refresh grant and we should instead update #2410 to skip the "openid" scope. I filed #2548 to follow up.
I agree that @dannycoates shouldn't worry about this for his PR though.
| @@ -23,6 +15,9 @@ const CODE = 'df6dcfe7bf6b54a65db5742cbcdce5c0a84a5da81a0bb6bdf5fc793eef041fc6'; | |||
| const PKCE_CODE_VERIFIER = 'au3dqDz2dOB0_vSikXCUf4S8Gc-37dL-F7sGxtxpR3R'; | |||
| const DISABLED_CLIENT_ID = 'd15ab1edd15ab1ed'; | |||
|
|
|||
| realConfig.set('disabledClients', [DISABLED_CLIENT_ID]); | |||
| delete require.cache[require.resolve(routeModulePath)]; | |||
There was a problem hiding this comment.
Moving config.js into config/index.js broke the sandbox/proxyquire thing and I was too lazy to figure out how to fix it, so I just did this instead.
There was a problem hiding this comment.
I think this is fine for now. Since there will be more changes for the config, we can probably revisit it later.
| @@ -0,0 +1,100 @@ | |||
| /* This Source Code Form is subject to the terms of the Mozilla Public | |||
| * License, v. 2.0. If a copy of the MPL was not distributed with this | |||
| * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ | |||
There was a problem hiding this comment.
I moved config.js here because I thought I was going to have 2 config sets based on whether oauth or the key server was loading it and using separate files for each, but they ended up both being pretty much the same. I moved the schema out for the same reason but idk if leaving it there is better or not.
| ); | ||
|
|
||
| // This is sneaky and gross, but temporary. | ||
| if (process.mainModule.filename.includes('key_server')) { |
There was a problem hiding this comment.
these are the differences when loading from auth-server, luckily I don't think any of the necessary ENVs in the schema overlap auth-server's
There was a problem hiding this comment.
Is there an easy way to check this to make sure?
There was a problem hiding this comment.
im doing this now as i make the config PRs to cloudops and fxa-dev
| @@ -53,7 +53,7 @@ if grep -e "$MODULE" -e 'all' $DIR/../packages/test.list; then | |||
| fi | |||
|
|
|||
| cd ../../ | |||
| npx pm2 delete servers.json && npx pm2 start servers.json | |||
| npx pm2 delete mysql_servers.json && npx pm2 start mysql_servers.json | |||
There was a problem hiding this comment.
tests require mysql for now since two processes access the oauth data
|
|
||
| const routes = new Map( | ||
| oauthRoutes.map(route => [route.path, route.config.handler]) | ||
| ); | ||
|
|
||
| module.exports = (log, config) => { | ||
| const OAuthAPI = createBackendServiceAPI(log, config, 'oauth', { |
There was a problem hiding this comment.
I left this for the validators
There was a problem hiding this comment.
Oh, I see. Should those validators just be moved to the routes in oauth.js? If not, can you leave a note about accessing the validators via the exported api property? If we keep the validators where they are, should we consider removing path and method from the oauthdb files since the route handlers are called directly?
There was a problem hiding this comment.
This will all change in phase 2. I left most things in place to keep the diff smaller
| @@ -28,7 +28,9 @@ const { | |||
| registerSuite('support form without valid session', { | |||
| tests: { | |||
| 'go to support form, redirects to signin': function() { | |||
| return this.remote.then(openPage(SUPPORT_URL, selectors.SIGNIN.HEADER)); | |||
| return this.remote | |||
| .then(clearBrowserState()) | |||
There was a problem hiding this comment.
This test started failing without clearing the state first. The screenshot looked like it was already logged in. idk why this changed?
There was a problem hiding this comment.
Probably a timing issue. I imagine things are ever so slightly faster now with fewer HTTP requests to make. You might want to add a {force: true} parameter, the default way of clearing state is also somewhat brittle to timing issues.
There was a problem hiding this comment.
This is very exiting @dannycoates and the overall direction looks good. When locally testing using the memory database, it seems the auth and oauth servers create two separate memory instances. If a token is created in the Auth server's memory instance, that same token cannot be verified if the OAuth server's /verify endpoint is used.
You can see this in action by applying this diff: https://paste.mozilla.org/GfiGcdUv
Then sign up & verify an account and try to go to the /settings page. The token keeps coming back as invalid. I'm not sure what the best way forward is because IIUC at some point soon, all the routes for both services will be served by one process. We could say in the meantime MySQL is the only way forward, or we could start a small shared memory DB service?
| `${conf.get('env')}.json` | ||
| ); | ||
|
|
||
| // This is sneaky and gross, but temporary. |
There was a problem hiding this comment.
What is the plan to get rid of the sneaky/grossness?
There was a problem hiding this comment.
Phase 2 will copy oauth config into auth-server's main config.
| // This is sneaky and gross, but temporary. | ||
| if (process.mainModule.filename.includes('key_server')) { | ||
| if (fs.existsSync(envConfig)) { | ||
| conf.loadFile(envConfig); |
There was a problem hiding this comment.
Should we yell loudly if the environment config file does not exist?
There was a problem hiding this comment.
This file doesn't exist in prod, it's all environment variables.
| ); | ||
|
|
||
| // This is sneaky and gross, but temporary. | ||
| if (process.mainModule.filename.includes('key_server')) { |
There was a problem hiding this comment.
Is there an easy way to check this to make sure?
| conf.loadFile(envConfig); | ||
| } | ||
| conf.set('mysql.createSchema', false); | ||
| conf.validate(); |
There was a problem hiding this comment.
How come the key server doesn't enforce strict mode but the oauth server does?
There was a problem hiding this comment.
auth-server only requires a subset of the oauth config in this phase. Strict makes us set more variables than we need in this case.
| @@ -27,6 +19,9 @@ const PKCE_CODE_CHALLENGE = 'iyW5ScKr22v_QL-rcW_EGlJrDSOymJvrlXlw4j7JBiQ'; | |||
| const PKCE_CODE_CHALLENGE_METHOD = 'S256'; | |||
| const DISABLED_CLIENT_ID = 'd15ab1edd15ab1ed'; | |||
|
|
|||
| realConfig.set('disabledClients', [DISABLED_CLIENT_ID]); | |||
| delete require.cache[require.resolve(routeModulePath)]; | |||
There was a problem hiding this comment.
TIL. This looks much easier than using proxyquire and the mocks module.
There was a problem hiding this comment.
Yea, however I vaguely remember running into subtle problems when using this. It puts the puts the pressure on the developer to know which version of the module has been loaded where.
There was a problem hiding this comment.
noted. imho we ought to be injecting the config instead of requireing it, but that's a debate for another time
|
|
||
| const routes = new Map( | ||
| oauthRoutes.map(route => [route.path, route.config.handler]) | ||
| ); | ||
|
|
||
| module.exports = (log, config) => { | ||
| const OAuthAPI = createBackendServiceAPI(log, config, 'oauth', { |
There was a problem hiding this comment.
Oh, I see. Should those validators just be moved to the routes in oauth.js? If not, can you leave a note about accessing the validators via the exported api property? If we keep the validators where they are, should we consider removing path and method from the oauthdb files since the route handlers are called directly?
|
|
||
| 'use strict'; | ||
|
|
||
| const { assert } = require('chai'); |
There was a problem hiding this comment.
Do we need any portion of these tests or is the code exercised elsewhere?
There was a problem hiding this comment.
This gets covered by remote/oauth_tests.js and the content-server functional tests. I didn't do an exhaustive comparison because the new callRoute and backendService.sendRequest are so similar
| let password; | ||
| let server; | ||
|
|
||
| before(async () => { | ||
| testUtils.disableLogs(); | ||
| oauthServer = await oauthServerModule.create(); |
| @@ -28,7 +28,9 @@ const { | |||
| registerSuite('support form without valid session', { | |||
| tests: { | |||
| 'go to support form, redirects to signin': function() { | |||
| return this.remote.then(openPage(SUPPORT_URL, selectors.SIGNIN.HEADER)); | |||
| return this.remote | |||
| .then(clearBrowserState()) | |||
There was a problem hiding this comment.
Probably a timing issue. I imagine things are ever so slightly faster now with fewer HTTP requests to make. You might want to add a {force: true} parameter, the default way of clearing state is also somewhat brittle to timing issues.
| @@ -0,0 +1,300 @@ | |||
| { | |||
There was a problem hiding this comment.
Is the intent of using a separate schema here so that one config module can be used to load configs for both services?
There was a problem hiding this comment.
@dannycoates Nice work! I don't really have any issues with approach here. Although, it is a little unclear what the next steps, maybe create a checklist of items?
We could say in the meantime MySQL is the only way forward
I think this is fair, I really don't know who uses the memory database (except for local dev) and we have talked about nuking it for a while.
| @@ -23,6 +15,9 @@ const CODE = 'df6dcfe7bf6b54a65db5742cbcdce5c0a84a5da81a0bb6bdf5fc793eef041fc6'; | |||
| const PKCE_CODE_VERIFIER = 'au3dqDz2dOB0_vSikXCUf4S8Gc-37dL-F7sGxtxpR3R'; | |||
| const DISABLED_CLIENT_ID = 'd15ab1edd15ab1ed'; | |||
|
|
|||
| realConfig.set('disabledClients', [DISABLED_CLIENT_ID]); | |||
| delete require.cache[require.resolve(routeModulePath)]; | |||
There was a problem hiding this comment.
I think this is fine for now. Since there will be more changes for the config, we can probably revisit it later.
| @@ -27,6 +19,9 @@ const PKCE_CODE_CHALLENGE = 'iyW5ScKr22v_QL-rcW_EGlJrDSOymJvrlXlw4j7JBiQ'; | |||
| const PKCE_CODE_CHALLENGE_METHOD = 'S256'; | |||
| const DISABLED_CLIENT_ID = 'd15ab1edd15ab1ed'; | |||
|
|
|||
| realConfig.set('disabledClients', [DISABLED_CLIENT_ID]); | |||
| delete require.cache[require.resolve(routeModulePath)]; | |||
There was a problem hiding this comment.
Yea, however I vaguely remember running into subtle problems when using this. It puts the puts the pressure on the developer to know which version of the module has been loaded where.
dannycoates
force-pushed
the
auth-oauth
branch
from
daf1602
to
928e5d7
Compare
|
@shane-tomlinson I removed |
dannycoates
force-pushed
the
auth-oauth
branch
from
928e5d7
to
56a56fb
Compare
|
Once config PRs are good I'll merge this |
|
@dannycoates looks like some merge conflicts were introduced. Mind rebasing? Other than a rebase, is there more you want to do here? |
| @@ -1,236 +0,0 @@ | |||
| { | |||
| "apps": [ | |||
There was a problem hiding this comment.
do we need to update the docs that servers.json is not a thing anymore? or should we take mysql_servers and call it servers now?
dannycoates
force-pushed
the
auth-oauth
branch
from
56a56fb
to
5a9f3e8
Compare
rebased. I'd like to get the config PRs reviewed before I merge. |
dannycoates
force-pushed
the
auth-oauth
branch
from
5a9f3e8
to
a078265
Compare
dannycoates
force-pushed
the
auth-oauth
branch
from
a078265
to
4338e97
Compare
dannycoates
force-pushed
the
auth-oauth
branch
3 times, most recently
from
a320d7d
to
e1df82d
Compare
dannycoates
force-pushed
the
auth-oauth
branch
from
e1df82d
to
f7431df
Compare
clouserw
added
needs:qa
|
Deployment risks: code: LOW (no logic changes, only glue code. running by devs and on latest for 2 weeks, all tests passing) |
TestingThese areas are most affected by this change:
|
|
Verified as fixed in stage, using Fx78.0.2 and Windows 10 (64-bit). |
No description provided.