Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement /auth in REST API #33

Merged
merged 40 commits into from
Jun 8, 2018
Merged

Implement /auth in REST API #33

merged 40 commits into from
Jun 8, 2018

Conversation

indocomsoft
Copy link
Member

@indocomsoft indocomsoft commented May 19, 2018
edited
Loading

Based on #32, once that PR is merged, the no of files changed in this PR will be reduced significantly

@indocomsoft indocomsoft added this to the Sprint 1 milestone May 19, 2018
@coveralls
Copy link

coveralls commented May 19, 2018
edited
Loading

Pull Request Test Coverage Report for Build 236

  • 37 of 40 (92.5%) changed or added relevant lines in 4 files are covered.
  • 1 unchanged line in 1 file lost coverage.
  • Overall coverage increased (+7.9%) to 94.186%
Changes Missing Coverage Covered Lines Changed/Added Lines %
lib/cadet/auth/error_handler.ex 0 1 0.0%
lib/cadet/auth/guardian.ex 3 5 60.0%
Files with Coverage Reduction New Missed Lines %
lib/cadet_web/router.ex 1 75.0%
Totals Coverage Status
Change from base Build 216: 7.9%
Covered Lines: 162
Relevant Lines: 172
💛 - Coveralls

@indocomsoft indocomsoft changed the title [WIP] APIfy auth Implement /auth in REST API May 19, 2018
@indocomsoft indocomsoft requested a review from evansb May 19, 2018 15:04
@indocomsoft indocomsoft mentioned this pull request May 20, 2018
Merged
@indocomsoft
Copy link
Member Author

indocomsoft commented May 20, 2018
edited
Loading

@evansb I have just cleaned this PR up after #32 was merged. Currently the missing coverage is from the incomplete Assessment context (#26) and removal of authenticated pages (so the part of code that ensures authentication is not covered yet.)

evansb
evansb requested changes May 26, 2018
View reviewed changes
lib/cadet_web/controllers/auth_controller.ex Outdated
end
else
conn
|> send_resp(404, "Missing parameters")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why 404 should be Bad Request

lib/cadet_web/controllers/auth_controller.ex Outdated

def create(conn, _params) do
conn
|> send_resp(404, "Missing parameters")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think for one function call we shouldn't use pipe syntax, what do you think?

Copy link
Member Author

@indocomsoft indocomsoft May 26, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure. Maybe we can base our code styling on this guideline: https://github.com/christopheradams/elixir_style_guide? @sreycodes

lib/cadet_web/controllers/auth_controller.ex Outdated
|> send_resp(404, "Missing parameter(s)")
end

def logout(conn, %{"refresh_token" => refresh_token}) do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm why does logout need to pass the refresh token? After authenticating user you should simply delete the user entry in GuardianDB

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, about that: we still haven't integrated guardiandb. Will integrate soon.

lib/cadet_web/controllers/auth_controller.ex Outdated

swagger_path :create do
post("/auth")
summary("Obtain access and refresh tokens to authenticate user")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since this is API documentation, this should be more descriptive so the frontend team knows what to do just by reading API docs. For instance, I think you should specify which HTTP header to put the token in, the token expiry time, etc

lib/cadet_web/router.ex Outdated
}
end

scope "/api/swagger" do
scope "/v1/swagger" do
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Typically we don't scope the swagger doc with API version because it's supposed to cover all versions.

@indocomsoft
Copy link
Member Author

indocomsoft commented May 26, 2018
edited
Loading

@evansb Re: logout needing to pass refresh_token
Because the hook is located on Guardian.revoke(token), so I need to know the token to be invalidated (and since it's JWT this info is not stored anywhere by me). Access token is valid for 1 hour only, so it makes sense to simply invalidate the refresh token. However, if you like, I can let the user pass the access token and invalidate that as well.

Alternatively, I can add a field to user to store his/her refresh_token but I feel this solution is not as elegant since the frontend already stores the refresh_token anyway.

@indocomsoft indocomsoft mentioned this pull request May 26, 2018
Closed
28 tasks
@indocomsoft
Copy link
Member Author

@evansb Fixed this according to your code review, should be ready for merging.

@evansb evansb merged commit f6aab65 into master Jun 8, 2018
@indocomsoft indocomsoft deleted the auth branch June 8, 2018 15:13
sreycodes pushed a commit that referenced this pull request Jun 11, 2018
@indocomsoft @sreycodes
Implement /auth in REST API (#33)
3a1b2d8 
* Remove frontend stuffs

* Remove frontend config

* Change router

* Remove failing tests

* Remove frontend stuffs

* Remove frontend config

* Change router

* Remove failing tests

* Remove unnecessary plugs in router

* Revert wrongfully removed conflict resolution

* Remove failing test

* Run mix format

* Implement auth get token

* Complete implementation of AuthController

* Remove more front-end junk

* Mix format

* Wrote some preliminary tests

* Write tests for AuthController#create

* Add tests for AuthController#refresh

* Complete testing and add slight change to handle error more gracefully

* Remove yet another frontend junk

* Mix format

* Add comment: to integrate with GuardianDb in the future

* Correct one missed conflict

* Add instruction in README on API documentation

* Change 404 error code to 400

* Change swagger route

* Modify auth controller test to conform to 400 bad request

* Remove single function call pipe syntax

* Change status code to its atom equivalent

* Add guardian_db and setup

* Add securityDefinitions in swagger

* Add more descriptive swagger summary

* Fix logout to accept access_token instead

* Mix format

* Clean-up swagger documentation
indocomsoft added a commit that referenced this pull request Aug 17, 2018
@indocomsoft
Implement /auth in REST API (#33)
bbfff2e 
* Remove frontend stuffs

* Remove frontend config

* Change router

* Remove failing tests

* Remove frontend stuffs

* Remove frontend config

* Change router

* Remove failing tests

* Remove unnecessary plugs in router

* Revert wrongfully removed conflict resolution

* Remove failing test

* Run mix format

* Implement auth get token

* Complete implementation of AuthController

* Remove more front-end junk

* Mix format

* Wrote some preliminary tests

* Write tests for AuthController#create

* Add tests for AuthController#refresh

* Complete testing and add slight change to handle error more gracefully

* Remove yet another frontend junk

* Mix format

* Add comment: to integrate with GuardianDb in the future

* Correct one missed conflict

* Add instruction in README on API documentation

* Change 404 error code to 400

* Change swagger route

* Modify auth controller test to conform to 400 bad request

* Remove single function call pipe syntax

* Change status code to its atom equivalent

* Add guardian_db and setup

* Add securityDefinitions in swagger

* Add more descriptive swagger summary

* Fix logout to accept access_token instead

* Mix format

* Clean-up swagger documentation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@evansb evansb evansb approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Sprint 1
Development

Successfully merging this pull request may close these issues.
3 participants
@indocomsoft @coveralls @evansb