Implement /auth with IVLE token

[ning-y]

Features

• Remove email/password authentication
• Implement authentication with IVLE token
  1. Frontend sends an IVLE authentication token to /auth
  2. Backend receives the IVLE authentication token as Cadet.Accounts.Form.Login
  3. Backend uses IVLE authentication token to retrieve said token's corresponding NUSNET ID. This is also our outsourced 'authentication step'. IVLE api will return 200 if token is legitimate, otherwise 500.
  4. Every NUSNET ID is associated with a user (Cadet.Accounts.User). Backend then responds with signed Tokens.
  5. /auth will implicitly register the NUSNET ID into the database if not already registered.

Todos

I'm used to developing incrementally, especially for languages and frameworks that are quite new to me; so I'd prefer to open separate issues/PRs for these.

• Check that the user reads CS1101S. The current implementation only checks that the user has an IVLE account.
• Retrieve the user's role in CS1101S and assign the role field accordingly. The register method currently hardcodes each new user as a :student.
• Implement API call to retrieve name. This is an API call we will be using from frontend to backend immediately after login (there is a profile button we need to return upon login success that is labelled with the user's name).

Dev notes

• The ivle api key is saved as an environment variable and retrieved as a module attribute. Meaning, you must set the appropriate IVLE_KEY value on compile time. This is reflected in the READMEs.
• You may come across an error such as (Postgrex.Error) ERROR 42703 (undefined_column): column "token" of relation "authorizations" does not exist on testing. This is because an early migration makes use of ecto_enum at Cadet.Accounts.Provider. Since this PR changes that Enum, and apparently modifying enums is tricky (?), you will need to manually reset your test databases (mix test only migrates, not resets by default). Run the following:

$ export MIX_ENV=test
$ mix ecto.drop
$ mix ecto.create
$ mix ecto.migrate
$ mix run priv/repo/seeds.exs  # if you are at git root
$ unset MIX_ENV

If you do not unset MIX_ENV, you're gonna have a bad time (for that shell session at least).

[ning-y]

I need some guidance on how to test functions that depend on external API calls (and functions that in turn depend on those). Referring to the module Cadet.Accounts.Ivle at `lib/cadet/accounts/ivle.ex'.

---

Update: Taking a look at ExVCR now.

[coveralls]

Pull Request Test Coverage Report for Build 432

• 33 of 34 (97.06%) changed or added relevant lines in 6 files are covered.
• 1 unchanged line in 1 file lost coverage.
• Overall coverage decreased (-0.4%) to 94.416%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
lib/cadet/auth/guardian.ex	3	4	75.0%

Files with Coverage Reduction	New Missed Lines	%
lib/cadet_web/router.ex	1	75.0%

Totals
Change from base Build 411:	-0.4%
Covered Lines:	186
Relevant Lines:	197

---

💛 - Coveralls

[remo5000]

If there are other " characters in the response (apart from the start and end), I'm thinking it would be represented as \" as well. If this line replaces all the quotes, the \ might remain. Is this the case? Not sure about the ~s(") syntax here.

[ning-y]

Nope, \ is not a literal character. When printed out to console, \" together represents a literal double quote within a string. ~s(") is a sigil denoting a string, it is equivalent to writing "\"".

iex(1)> ~s(") == "\""
true

[indocomsoft]

String.replace looks a bit iffy -- how about Poison.decode!(response.body) == "" instead?

[ning-y]

Refactor String.replace with Poison.decode! in 6120a44.

[ning-y]

@indocomsoft The new style guide in #50 says that zero-arity calls should end with parenthesis, but I think predicate functions should be excluded, because their trailing ? obviously indicates that they are predicate functions, not variables. Which do we go with? Your call.

[indocomsoft]

Well, in the first place, changeset is a map (https://hexdocs.pm/ecto/Ecto.Changeset.html#t:t/0), so valid? is just a key in the map, so there should definitely be no paranthesis here.

[indocomsoft]

Wow! Thank you so much for taking the time to make this pull request -- overall the code is well-done, just a few changes like with construct, pattern-matching in tests, etc.

[indocomsoft]

This is not a real key right? Haha maybe you should put some directions like change this or sth. Also this should be in .env file instead, maybe create a .env.example

[ning-y]

No worries, not a real key. Moved this to the .env file with 5ab080e and 3383e51.

[indocomsoft]

Is it possible to move the fixture directory to text/fixture instead?

[ning-y]

Done with 518307c.

[indocomsoft]

You should reverse the conditional

if auth do # equivalent to if auth != nil

else

end

[ning-y]

Done with 2b892a6.

[indocomsoft]

Use with construct instead to prevent nested case https://hexdocs.pm/elixir/Kernel.SpecialForms.html#with/1

[ning-y]

Done with c8ae66d.

[indocomsoft]

String.replace looks a bit iffy -- how about Poison.decode!(response.body) == "" instead?

[indocomsoft]

with construct is better here to prevent pyramid of doom https://hexdocs.pm/elixir/Kernel.SpecialForms.html#with/1

[ning-y]

Done with b2834fc.

[indocomsoft]

Eh, this happens?

[ning-y]

Yep, IVLE responds with internal server error we send a wrong API key, and I think setting an invalid API key on our end is internal-server-error-esque.

[indocomsoft]

Fair enough

[indocomsoft]

Use pattern matching instead, e.g. assert %{name: "happy user", role: :student} = user. Similarly for the rest

[ning-y]

Done with 735169f.

[indocomsoft]

I think it's a good idea to validate against this, but probably can be done in a separate PR. This PR is very big already haha

[ning-y]

Yep. Didn't know that this TODO would get pass credo though. Guess it ignores the test files.

[indocomsoft]

Not sure what this does, why not a simple System.get_env("TOKEN")? Also what is this TOKEN environment variable?

[ning-y]

The token is the authentication token from ivle for the user. Added a brief description in the module docs of tests using @token, and improved the readability with 7075f93.

[ning-y]

@indocomsoft Made the changes, rebased to master, let me know what you think. Thanks!

[indocomsoft]

Looking very good, just some small changes

[indocomsoft]

The format for .env file is just

KEY1=value1
KEY2=value2

The comments are fine tho

[ning-y]

Done with 8d017f9.

[indocomsoft]

I think it's better to rename this to .env.example and add instruction in README to rename this to .env and modify the content accordingly.

[ning-y]

Done with 8d017f9, and README updated accordingly.

[indocomsoft]

This clause is superfluous since {:error, _} -> will match this too. In elixir, case-style matching is done sequentially.

[ning-y]

Fixed with 2fbf69e. Meant to be explicit, but I'll use comments.

[indocomsoft]

If your intention is just to obtain value from .env file, you should use Dotenv.load. This is because Dotenv.load! will export the value into system environment (this effect might or might not be desirable) which adds unnecessary overhead

[ning-y]

Fixed with 706363b.

[indocomsoft]

Maybe move test/fixture to test/fixtures? Haha a bit confusing to have both directories

[ning-y]

My bad, typo in the config file. Done with 04d2a1a.

[indocomsoft]

I think you should handle the case {:error, _}?

Or else the server thread would crash for no case clause error (or maybe this is the desired behaviour?)

[ning-y]

It's the desired behavior. The rationale is to prevent 'silent' failures. Frankly, I'm not sure what the best practice is with elixir phoenix, or api-building, so I'll go with your judgement on this one. Let me know

[indocomsoft]

(Sorry I missed this during the first review) I think the module name should be Cadet.Accounts.IVLE https://github.com/lexmag/elixir-style-guide#camelcase-modules

[ning-y]

Done with 429ca34. Do you prefer IVLETest or IVLE_Test?

[indocomsoft]

Fair enough

[ning-y]

@indocomsoft Second round of fixes done, do take a look, thanks!

Looking at test coverage

[indocomsoft]

Just need to add one test case

[indocomsoft]

This clause is missing test coverage hmm

[ning-y]

Done with eaa77fc.

[indocomsoft]

Still not covered :/

I've analysed the cause -- let me know what you think

[indocomsoft]

I think you should handle the case {:error, _}

[ning-y]

Gotcha, done with 0a9c589.

[indocomsoft]

Note that in elixir 'charlist' and "binary" are 2 different ways of storing strings https://elixir-lang.org/getting-started/binaries-strings-and-char-lists.html

it should be "token" instead.

More to the point, it still doesn't cover: reading the report generated from running mix coveralls.html test/cadet_web/controllers/auth_controller_test.exs:77, the error is "caught" at {:fetch, {:ok, nusnet_id}} <- {:fetch, IVLE.fetch_nusnet_id(login.ivle_token)} since api_fetch/2 returns {:error, :bad_request} on %{body: ~s(""), status_code: 200}.

One way to solve this might be to handle {:error, _} in api_fetch/2, then purposely fail the request IVLE.fetch_name/1 if that makes sense.

[ning-y]

My bad, I should've checked the coveralls link. Fixed with 59a315f using custom cassettes. The fix didn't need the catch "don't care" clause, but I'll leave that change in.

[indocomsoft]

Haha what I meant was adding another clause here {:error, _} -> {:error, :internal_server_error} or something like that, unless the intention is to let the server thread just crash on connection failure (which I think would also return HTTP 500)

[ning-y]

If they both return 500, I would rather let it crash. It'd be easier to catch unexpected bahaviour that way. Again, no experience with building APIs and web stuff here, so I'll default to your judgement. I've reverted it, but lmk what you'd prefer and I'll make the change.

[indocomsoft]

LGTM.

Since we're talking about Erlang/Elixir here, I guess just let it crash

[indocomsoft]

Merged this for you -- maybe you could open issues in this PR's To-Do's