Google authentication

[jeromegn]

Protect some routes via a 3rd party auth system (in this case: Google.)

We had that with the old platform (sites), pretty sure it would still be useful.

[nprail]

I once made a POC of this sort of thing with Node.js. I'd be willing to share that code if interested.

[jeromegn]

@nprail sure, anything would help. There's probably a lot that won't work since we can't use the Crypto API from node.js (I'm assuming we'll have to sign some JWTs for Google).

But we already have the sjcl package which can probably do a lot of what we need. Until we have a more complete Crypto API (from the Web API.)

[nprail]

@jeromegn Here is the code: https://github.com/nprail/static-auth-poc

It was a POC for improving auth on Surge.sh so some things would have to be modified. For example, it doesn't do Google login. It just has a static username and password in it. I think the login server piece of the POC can be completely replaced by an OAuth provider.

This is the basic flow:

1. The user goes to a password protected site (e.g. protected.example.com)
2. The user is redirected to the Login Server and logs in (which redirects to Google or any other provider for login)
3. The user is redirected back to protected.example.com with the new JWT token stored in a cookie
4. The JWT token is then used to verify that the user has access to the site