PCF-400 Query https://firefox-ci-tc.services.mozilla.com/login/oauth/credentials to verify token and request credentials

[esanuandra]

This PR fetches the Taskcluster credentials (with an access token that has expiration date) using access token Bearer.

[netlify]

✅ Deploy Preview for mozilla-perfcompare ready!

Name	Link
🔨 Latest commit	f69924a
🔍 Latest deploy log	https://app.netlify.com/sites/mozilla-perfcompare/deploys/66632a93341a460008310976
😎 Deploy Preview	https://deploy-preview-648--mozilla-perfcompare.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codecov]

Codecov Report

Attention: Patch coverage is 74.41860% with 11 lines in your changes missing coverage. Please review.

Project coverage is 91.41%. Comparing base (d13b29d) to head (f69924a).

Files	Patch %	Lines
src/logic/credentials-storage.ts	50.00%	9 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             beta     #648      +/-   ##
==========================================
- Coverage   91.80%   91.41%   -0.39%     
==========================================
  Files          68       69       +1     
  Lines        1587     1620      +33     
  Branches      285      291       +6     
==========================================
+ Hits         1457     1481      +24     
- Misses        104      111       +7     
- Partials       26       28       +2     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[julienw]

hey andra, thanks for this work!
here are a few comments, I hope they make sense.

In addition to the comments on the code itself, there's another missing bit IMO.

Here is the current workflow:

1. The user is in tab A and clicks on the "login" button in the modal
2. open a new tab B to taskcluster
3. in tab B the user logs in on task cluster
4. in tab B taskcluster redirects on our callback
5. in tab B perfcompare requests and retrieves the access token to the taskcluster server
6. in tab B perfcompare requests and retrieves the user credentials to the taskcluster server
7. in tab B perfcompare stores the token to localStorage
8. ... the missing link

For step 8, we can add an event listener on the "storage" event in tab A so that we're notified with the user credentials change. We can add it in step 1.
(see MDN: https://developer.mozilla.org/en-US/docs/Web/API/Window/storage_event)

I'm thinking that if step 5 stores the access token to the localStorage, then step 6-7 could be done in tab A... it might be a better design actually, because (as I write below in another comment) in the future I'd like that we don't need to open a tab if we already have an unexpired access token.

So here is how the workflow could look like (bold for changes):

1. The user is in tab A and clicks on the "login" button in the modal.
2. adds an event listener for "storage", and opens a new tab B to taskcluster
3. in tab B the user logs in on task cluster
4. in tab B taskcluster redirects on our callback
5. in tab B perfcompare requests and retrieves the access token to the taskcluster server
6. in tab B perfcompare stores the access token to localStorage, then closes the tab with window.close
7. in tab A, perfcompare is notified from the "storage" event.
8. in tab A perfcompare requests and retrieves the user credentials to the taskcluster server
9. in tab A perfcompare stores the token to localStorage
10. in tab A perfcompare does the retrigger request

I don't request to do this workflow change in this PR, but it could be good to do it in a next PR, if you don't mind.

Tell me what you think (and if I'm missing anything)!

[julienw]

fetchData returns Promise but my understanding is that the object returned here is different, with different properties, so you need a different type than ResponseToken.

See above my suggestion about how to change fetchData, that should make it easier to control the return value.

The type for the user credentials will be necessary as well when we'll get the data from the localStorage (cf my other comment about creating a separate file).

[julienw]

this one should be in localStorage because we want to keep it for a longer time, not just for the duration of the browser session.

[julienw]

I'm thinking it could be good to encapsulate this logic in a separate file, so that we can type inputs and outputs.

This could be a file src/logic/credentials-storage.ts (for example) with functions such as:

function storeUserCredentials(UserCredentials credentials) {
  localStorage.setItem('userCredentials', JSON.stringify(credentials));
}
function retrieveUserCredentials(): UserCredentials {
  return JSON.parse(localStorage.getItem('userCredentials'));
}

// same for storeTaskclusterToken and retrieveTaskclusterToken

I'm thinking these functions could be in the existing file logic/taskcluster.ts too, as you wish.

[julienw]

Instead of having fetchData doing the request, my suggestion would be to have a function to check error cases:

function checkTaskclusterResponse(response: Response) {
  if (!response.ok) {
    if (response.status === 400) {
      throw new Error(
        `Error when requesting Taskcluster: ${await response.text()}`,
      );
    } else {
      throw new Error(
        `Error when requesting Taskcluster: (${response.status}) ${response.statusText}`,
      );
    }
  }}

Then you can move the rest of the function (fetch call + call to json()) back to retrieveTaskclusterToken and retrieveTaskclusterAccessToken, and you don't need to have this RequestOptions type anymore.

[julienw]

nit: please call this retrieveTaskclusterUserCredentials so that it's better distinguished with the other function.

[julienw]

The test problem is that we're not waiting enough in this test. Indeed the test is synchronous but the code is asynchronous, so the second fetch call hasn't happened yet!
The fix is to wait for the rendering.
For example you can add:

await screen.findByText(/Getting Taskcluster credentials/);

As you see the component will be displayed only after the loader is completely rendered. If you want it to render before and change the text, you could use this guide: https://reactrouter.com/en/main/guides/deferred
But I think this is for a later PR, let's make it work end to end first!

[julienw]

I think these 2 types are incorrect, they're not Record<string, XXX>, but directly XXX.

export type UserCredentials = { expires: string; credentials: { clientId: string; accessToken: string } };

export type TokenBearer = { access_token: string; token_type: 'Bearer' };

A Record is like a Map (but using an object), also called a dictionary. This isn't what it is here.

[esanuandra]

I just noticed that the Treeherder implementation stores the userCredentials in this way using the url.

userCredentials           "https://firefox-ci-tc.services.mozilla.com": {
                                       expires: ... 
                                       credentials: {
                                              clientId: ...
                                              accessToken: ...
                                       }
                           }

I believe that's why the Record for userCredentials. Should we still go with removing the Record for userCredentials?

[julienw]

Thanks!
here are a few more comments to fix before landing, thanks again for your work Andra

[julienw]

Looking at this with fresh eyes, here are some last minute changes, sorry about that.

Also have you seen my longer comment in #648 (review) ? Any comment about that? Thanks

[julienw]

This should look like this:

Suggested change

	storeToken({ [tokenResponse.token_type]: tokenResponse });
	storeToken({ [rootUrl]: tokenResponse });

but please look at my other comments as well, as I believe the signature will be changed and therefore this will look like this:

Suggested change

	storeToken({ [tokenResponse.token_type]: tokenResponse });
	storeToken(rootUrl, tokenResponse);

[julienw]

The goal for storing a Record is that we can add separate entries for different URLs. Therefore I believe the implementation should probably look lile this:

Suggested change

	export function storeUserCredentials(credentials: UserCredentials) {
	localStorage.setItem('userCredentials', JSON.stringify(credentials));
	}
	export function storeUserCredentials(rootUrl: string, credentials: UserCredentialsResponse) {
	const allCredentialsAsString = localStorage.userCredentials;
	const allCredentials = (allCredentialsAsString ? JSON.parse(allCredentialsAsString) : {}) as UserCredentials;
	allCredentials[rootUrl] = credentials;
	localStorage.userCredentials = JSON.stringify(allCredentials);
	}

Similar for for storeToken.

[julienw]

Likewise, the retrieve functions could look lile this:

Suggested change

	export function retrieveUserCredentials(): UserCredentials {
	return JSON.parse(
	localStorage.getItem('userCredentials') as string,
	) as UserCredentials;
	}
	export function retrieveUserCredentials(rootUrl: string): UserCredentialsResponse | null {
	const allCredentialsAsString = localStorage.userCredentials;
	if (!allCredentialsAsString) {
	return null;
	}
	const allCredentials = JSON.parse(allCredentialsAsString) as UserCredentials;
	return allCredentials[rootUrl] ?? null;
	}

and similarly for the other retrieve function.

[julienw]

Let's land this and move forward!

[julienw]

nit

Suggested change

	return allCredentials[rootUrl];
	return allCredentials[rootUrl] ?? null;

(same as above)

[julienw]

nit

Suggested change

	return allTokens[rootUrl];
	return allTokens[rootUrl] ?? null;

otherwise that can return undefined -- typescript doesn't check this by default.
Not a super big deal but let's not lie to typescript.

[julienw]

it looks like you have the same types twice:
TokenBearerResponse == TokenResponse
TokenBearer == UserToken

Please pick just one pair (I'd suggest TokenBearerResponse / TokenBearer)

Optional nit: it would be good to move the directionary types to credentials-storage.ts because they're used only there, they're not global.

Optional nit: Rename:

CredentialsResponse => UserCredentials
UserCredentials => UserCredentialsDictionary
TokenBearerResponse => TokenBearer
TokenBearer => TokenBearerDictionary

(with the Dictionary types in credentials-storage.ts as suggested above, and the other types kept here)

[esanuandra]

Thank you! I was confused about how to keep them.