Use Arctic for OAuth providers

[infomiho]

Status

Needs to be implemented

• We need the serverUrl in our server environment (⚠️ breaking change)
  Define the WASP_SERVER_URL env var #1856
• We need to implement support for providing configFn again
• We need to implement env vars validation again (e.g. GOOGLE_CLIENT_ID)
• Fetch full user info for Github like the Passport libs did (mostly to get the email which is important to Wasp users)
• Improve error handling in case of an error with OAuth providers
  • Redirect to the client with the error message instead of showing JSON.
• Fix the type error in OAuthCallback.tsx
• Write migration docs Docs updates for OAuth overhaul #1890
• Redirect with Prisma errors in the query params raises an error due to Unicode chars in the query
• Write a migration script (bonus)
• Write a specific error handling if users used "scope" in their configFn before to say "Hey, we changed this, you have to use "scopes" now" to make the migration easier (bonus)

Improvements

• The client page now receives a one-time-code and exchanges it for a session
  • Ideally, we don't redirect to "on login failed" path, but show a message Auth UI and OAuth: show auth errors on screen #1817
• Move some of the paths (login path, oauth callback paths) in Haskell
• createToken and verifyToken functions need to be refactored (tech debt from old auth)
  Replaces jsonwebtoken with oslo/jwt #1852
• DRY up the code for google.ts and github.ts (to reduce the effort of adding next providers)

Changes for user

• They need to change the redirect URL from client to server since we now do the OAuth redirect from backend to Google to backend (⚠️ breaking change)

Open questions

• The property in the user config (when users use configFn property in Wasp file) to set scopes changed from scope to scopes (⚠️ breaking change) -> we can maybe make it backwards compatible?
• Passport strategies that we used mapped the Google data into a specific shape -> do we want to do it as well to be backwards compatible? (Same things goes for Github)

Closes #1817

[infomiho]

The passport strategy did it by default if the scopes included user or user:email https://github.com/cfsghost/passport-github/blob/master/lib/strategy.js#L119

[Martinsos]

What are the options? Either we get it for them, or they get it on their own.

Maybe let's do the same as Passport strategy did, it sounds useful in practice, and will be a less of a breaking change.

But if you feel that is too much, we can also skip it.

[infomiho]

Okay, this comment got outdated with latest changes. I replicated the logic that Passport had to keep the same information available. I think that makes the most sense!

[infomiho]

I vote that we show the user an error instead of redirecting to "onAuthFailedRedirectTo" or if we were to redirect to "onAuthFailedRedirectTo" we attach an error message to the redirect.

[Martinsos]

yeah that sounds about right! I guess "onAuthFailedRedirectTo" serves multiple things -> where to send user if they try to open a page that needs auth but they are not authenticated, but then also where to send user on failed login. First scenario is ok, but we don't want to use it upon failed login / signup -> better to just show an error message.

[infomiho]

better to just show an error message.

I agree. Let's do that.

[sodic]

I don't think failed logins and signups do any redirecting as it currently stands. Or do they?

[infomiho]

The OAuth login and signup, do in fact redirect. We are taking about this line: https://github.com/wasp-lang/wasp/blob/main/waspc/data/Generator/templates/react-app/src/auth/pages/OAuthCodeExchange.jsx#L58

[infomiho]

Not needed anymore

[infomiho]

Hard coded path, ideally we would move it to Haskell

[infomiho]

Existing function

[infomiho]

No need for client ID or client secret in the user config any more. Although, I believe that wasn't needed for some time since we merged our default options and their options.

[infomiho]

Moved the env variables knowledge in the template

[sodic]

How come you decided to do this?

[infomiho]

I believe we prematurely abstracted stuff here. This code assumes that there are only client ID and client secret env vars, but in reality, there can be 2, 3 or 4 even env vars needed to set up a provider. We don't use the knowledge about the env vars in Haskell so it wasn't really useful.

Also, I wanted to keep things as simple as possible to make the rewrite easier :)

[infomiho]

We used _oauth.ts as a common template before, but now each provider has their own template file because their code now differs (the way we fetch the user info, some providers require extra steps, some not)

[sodic]

Understood!

Still, the new provider files have a lot in common. There are differences, sure, but there's definitely repetition. Could we extract the similar parts into functions and maximize the signal-to-noise ratio in the createRouter functions.

This will probably make adding new providers simpler. Still, I haven't studied the similarities and differences between the provider files in extreme detail, you'll be a better judge of whether such an effort makes sense or not.

[infomiho]

I've given it a shot to minimise the repeated code. We could probably go further, but I didn't to be too smart about inventing new abstractions, this now feels okay, check it out and tell me what do you think. Should we go further?

[sodic]

I think that's enough abstraction for now. We'll come back to it when we add more providers and are smarter.

[Martinsos]

Nice job @infomiho , I like the analytical and detailed approach!

I answered some top level stuff, and will leave the details to @sodic . Let me know if I missed something that you would like to get my opinion on.

scope -> scopes: why did that change? Because underlying thing names it that way? What is better, sounds like there is some semantic involved with those names? Is it actually scope or scopes, what makes more sense? I wouldn't try to avoid breaking change, I would instead go for the name that we think works the best, be it a breaking change or not, doesn't matter.

Passport strategies mapped the provider data into a specific shape -> how breaking is it? Will they need to migrate the database, because we stored that stuff in the DB? If so, then maybe it might make sense to do that mapping. If we are doing the mapping, is it complex, does it feel silly, or does it make sense, do we lose some info, ... -> how do we feel about it?
If there is no DB migration involved, then I would certainly not bother with any mapping (unless you think they way data is returned by Artcic is ugly and could benefit from mapping).

[sodic]

The property in the user config (when users use configFn property in Wasp file) to set scopes changed from scope to scopes (⚠️ breaking change) -> we can maybe make it backwards compatible?

I don't think we should focus on the breaking change part - we're not stable enough for such sacrifices in consistency (we shouldn't support both names).. Pick the more appropriate name, regardless of whether it causes a breaking change or not. What we can do is throw a nice error. Instead of "Unknown property: scope". We can say "Please change 'scope' to 'scopes' in this file".

Passport strategies that we used mapped the Google data into a specific shape -> do we want to do it as well to be backwards compatible? (Same things goes for Github)

I think the same principle applies here. Wasp is still immature enough to have the luxury of breaking stuff on account of creating something of high quality. Of course, change purely for the sake of change is also something we should avoid (especially when it impacts users). In short:

• If the current format is a random thing people at passport) came up with and you see something obvious you want to change, I say "go for it".
• If the current format is a well-documented or standard way of storing this particular provider's data (which could be the case if everyone uses passport), I say we should leave it as is.

By the way, can we create migration scripts for these things?

[sodic]

A couple of old comments

[sodic]

I don't think failed logins and signups do any redirecting as it currently stands. Or do they?

[Martinsos]

Nice job @infomiho , I like the analytical and detailed approach!

I answered some top level stuff, and will leave the details to @sodic . Let me know if I missed something that you would like to get my opinion on.

scope -> scopes: why did that change? Because underlying thing names it that way? What is better, sounds like there is some semantic involved with those names? Is it actually scope or scopes, what makes more sense? I wouldn't try to avoid breaking change, I would instead go for the name that we think works the best, be it a breaking change or not, doesn't matter.

Passport strategies mapped the provider data into a specific shape -> how breaking is it? Will they need to migrate the database, because we stored that stuff in the DB? If so, then maybe it might make sense to do that mapping. If we are doing the mapping, is it complex, does it feel silly, or does it make sense, do we lose some info, ... -> how do we feel about it? If there is no DB migration involved, then I would certainly not bother with any mapping (unless you think they way data is returned by Artcic is ugly and could benefit from mapping).

@infomiho just a reminder not to miss this comment.

[infomiho]

Of course! I've been waiting to get input from both Filip and you and I'll give some sort of a conclusion after we agree on what is the best here 👍

[infomiho]

@Martinsos

scope -> scopes: why did that change? Because underlying thing names it that way? What is better, sounds like there is some semantic involved with those names? Is it actually scope or scopes, what makes more sense? I wouldn't try to avoid breaking change, I would instead go for the name that we think works the best, be it a breaking change or not, doesn't matter.

We just passed through the options to Passport before. Passport used scope, and that we pass through the options to Arctic, Arctic uses scopes. If we don't care about the backwards compatibility, I think it's okay to change the naming.

IMHO We'll need good migration docs from 0.12 to 0.13 (Maybe even a script is possible?)

Passport strategies mapped the provider data into a specific shape -> how breaking is it? Will they need to migrate the database, because we stored that stuff in the DB? If so, then maybe it might make sense to do that mapping. If we are doing the mapping, is it complex, does it feel silly, or does it make sense, do we lose some info, ... -> how do we feel about it?
If there is no DB migration involved, then I would certainly not bother with any mapping (unless you think they way data is returned by Artcic is ugly and could benefit from mapping).

1. No database migrations will be necessary. What changes: the shape of the data they receive in userSignupFields handlers. So, if they used data.profile.emails[0] they'll need to use ... data.profile.email or smth along those lines to get the email.
2. Passport has their own format they tried to keep across their strategies: https://www.passportjs.org/reference/normalized-profile/ We could try to replicate their approach. Alternatively, we can just return what we receive from the provider. This will make our maintenance easier since if something changes, we are just passing it along anyways and no changes from our side our needed.

@sodic

I don't think we should focus on the breaking change part - we're not stable enough for such sacrifices in consistency (we shouldn't support both names).. Pick the more appropriate name, regardless of whether it causes a breaking change or not.

Makes sense 👍

What we can do is throw a nice error. Instead of "Unknown property: scope". We can say "Please change 'scope' to 'scopes' in this file".

This could be a nice little touch. I've done stuff like this e.g. "Hey this error might mean you didn't run migrations" and it seemed to help the user.

If the current format is a random thing people at passport) came up with and you see something obvious you want to change, I say "go for it".

As I said above, the format is something Passport invented and tried to stick to. But they are not the "one true solution" for OAuth, so I'd say, maybe stick to just passing through the info we get from providers. At least that way, it matches what the providers' might have in their docs?

By the way, can we create migration scripts for these things?

+1 from me. I'd like to have at least good 0.12 to 0.13 migration docs.

[Martinsos]

@Martinsos

scope -> scopes: why did that change? Because underlying thing names it that way? What is better, sounds like there is some semantic involved with those names? Is it actually scope or scopes, what makes more sense? I wouldn't try to avoid breaking change, I would instead go for the name that we think works the best, be it a breaking change or not, doesn't matter.

We just passed through the options to Passport before. Passport used scope, and that we pass through the options to Arctic, Arctic uses scopes. If we don't care about the backwards compatibility, I think it's okay to change the naming.

IMHO We'll need good migration docs from 0.12 to 0.13 (Maybe even a script is possible?)

Passport strategies mapped the provider data into a specific shape -> how breaking is it? Will they need to migrate the database, because we stored that stuff in the DB? If so, then maybe it might make sense to do that mapping. If we are doing the mapping, is it complex, does it feel silly, or does it make sense, do we lose some info, ... -> how do we feel about it?
If there is no DB migration involved, then I would certainly not bother with any mapping (unless you think they way data is returned by Artcic is ugly and could benefit from mapping).

1. No database migrations will be necessary. What changes: the shape of the data they receive in userSignupFields handlers. So, if they used data.profile.emails[0] they'll need to use ... data.profile.email or smth along those lines to get the email.
2. Passport has their own format they tried to keep across their strategies: https://www.passportjs.org/reference/normalized-profile/ We could try to replicate their approach. Alternatively, we can just return what we receive from the provider. This will make our maintenance easier since if something changes, we are just passing it along anyways and no changes from our side our needed.

@sodic

I don't think we should focus on the breaking change part - we're not stable enough for such sacrifices in consistency (we shouldn't support both names).. Pick the more appropriate name, regardless of whether it causes a breaking change or not.

Makes sense 👍

What we can do is throw a nice error. Instead of "Unknown property: scope". We can say "Please change 'scope' to 'scopes' in this file".

This could be a nice little touch. I've done stuff like this e.g. "Hey this error might mean you didn't run migrations" and it seemed to help the user.

If the current format is a random thing people at passport) came up with and you see something obvious you want to change, I say "go for it".

As I said above, the format is something Passport invented and tried to stick to. But they are not the "one true solution" for OAuth, so I'd say, maybe stick to just passing through the info we get from providers. At least that way, it matches what the providers' might have in their docs?

By the way, can we create migration scripts for these things?

+1 from me. I'd like to have at least good 0.12 to 0.13 migration docs.

I would then say let's do what is easy for us and also gives us nice DX. Wasp is in Beta, and it is ok we are changing fast.
I wouldn't do a migration script, because we can have instructions and they are not complex, they can be done manually. This will not be such a big release as 0.12.
Also, I wouldn't throw an error if they passed scope -> that is something we have to maintain then, we are not yet 1.0 and no need for this. Let's just mention it in the Changelog under migration instructions and that is ok.

[sodic]

Left improvement suggestions, but no major problems.

Here's the only major thing I'd like us to discuss: #1851 (comment)

Nice work!

[sodic]

How come it can be both of these? I'm guessing because undefined happens on the first render, while null happens when the user isn't logged in?

If so, there's a trick that many linters recommend (although I'm not sure I like it). It sits halfway between being fully explicit and using coercion:

if (user != null) {
  // ...
}

This covers both undefined and null.

[infomiho]

I'd like to skip the non strict check if possible. I know this looks ugly e.g. checking both undefined and null but it's at least not relying on implicit JS behaviour.

[sodic]

Explicit check (if you want)

[sodic]

Why not:

function getVerifiedToken(token: string) Promise<id: string> {
  return validateJWT(token);
}

It's a part of the public API through the returned object, so it makes sense to type it explicitly. Also, I'd say it's always better to type function signatures and leave the type inference for the body than the other way around.

[sodic]

A less error prone way to implement this is by generating the resulting state first, and then using that to set the value. In pseudocode:

// construct the result
setOAuthCookieValue(provider, res, result); // this function would iterate the object and set all cookies
return result

I probably wouldn't do this now though and would just merge this. Not a big deal.

[sodic]

I don't think you need this cast as the function is currently written.

[sodic]

Explicit check if you want

[infomiho]

This function always returns a value or it throws an error, so I've removed this check.

[sodic]

I think that's enough abstraction for now. We'll come back to it when we add more providers and are smarter.