login: Support web-based auth methods

[chrisbobbe]

RPReplay_Final1711671338.mov

Fixes: #36

[gnprice]

Thanks @chrisbobbe! Looking forward to having this in.

Generally the code all looks good. Comments below, mostly small.

As you mention, we'll want some tests on WebAuthPayload. We have a few tests of that kind in zulip-mobile in webAuth-test.js.

Let's also have a screenshot of the new login screen, and a video of the end-to-end auth flow. Those will be helpful for seeing what the UX is like.

[gnprice]

Suggested change

	class LoginPageState extends State<LoginPage> {
	@visibleForTesting
	class LoginPageState extends State<LoginPage> {

That way it's clear this isn't meant for any other part of the app to meddle in the details of.

(And then I think the similar annotation on debugOtpOverride becomes redundant.)

[gnprice]

… Ah I see, this type is used by _ZulipAppState.didPushRouteInformation, to call handleWebAuthUrl.

Oddly when I added this @visibleForTesting, that didn't cause any analysis error. I guess in particular that means the one on debugOtpOverride wouldn't be redundant with it after all.

From my comment at lastBuiltKey, though, I think this state type can remain private.

[gnprice]

We can leave a brief note on how these are generated:

Suggested change

	apiKey: 'dQcEJWTq3LczosDkJnRTwf31zniGvMrO',
	// A Zulip API key is 32 digits of base64.
	apiKey: 'dQcEJWTq3LczosDkJnRTwf31zniGvMrO',

[gnprice]

test [nfc]: Move prepareBoringImageHttpClient to test_images.dart

This was already being used for tests outside the test file it was
defined in, and we'd like to start using it in an additional
different test file. So, define it centrally in this place that
makes sense.

Ah good thought, thanks. I'd forgotten there was this natural home for it already.

[gnprice]

nit: On my first reading, I thought "like Google" referred to the divider resembling something Google does.

Probably possible to reword, but I think the ", like Google" part can be left out entirely and it seems just as clear.

[gnprice]

Suggested change

	"errorWebAuthOperationalErrorTitle": "Operational error",
	"@errorWebAuthOperationalErrorTitle": {
	"description": "Error title when third-party authentication has an operational error (not necessarily caused by invalid credentials)."
	"errorWebAuthOperationalErrorTitle": "Something went wrong",
	"@errorWebAuthOperationalErrorTitle": {
	"description": "Error title when third-party authentication has an operational error (not necessarily caused by invalid credentials)."

Or other possibilities. But I think "operational error" is likely to be opaque jargon for most users.

[gnprice]

This fallback between the two fields gets repeated several times, so let's pull it into a little method, like _getOtp.

Then as a bonus, if you want to write this 100% the way the Flutter framework would: that method can use asserts so that outside of debug mode, the debug field never even gets read. (In a hot path, that sort of thing is important if you don't fully trust the optimizer to be able to prove that the field is always null. This is far from a hot path, so the optimization really doesn't matter.)

[chrisbobbe]

I'm a little curious how the Flutter framework does this, but in this case I'm not sure how exactly to do it. assert only does anything in debug mode, right, so I'm not sure what change we'd want to make to affect things outside of debug mode.

[gnprice]

An example of what I have in mind is UpdateMachine.debugEnableRegisterNotificationToken. The key is that the assert callback sets a local variable that belongs to the outer function.

Then for authentic upstream examples, browse through framework.dart with that pattern in mind. The first one I spot from just starting to read through the Element implementation is Element.debugIsDefunct.

[chrisbobbe]

Interesting; thanks! I think I've got it:

  String? _otp;
  String? _getOtp() {
    String? result = _otp;
    assert(() {
      result = LoginPage.debugOtpOverride ?? _otp;
      return true;
    }());
    return result;
  }

[gnprice]

Yeah, exactly.

I think you can also simplify slightly, deduplicating the use of _otp, by initializing to null, having the assert override that, and then using ?? _otp after that.

[gnprice]

This code feels a bit cramped from being indented so far to the right. I think it'd benefit from pulling out a piece as a local variable.

Specifically I think the Column, with a name like loginForm, would work well.

[gnprice]

Hmm, wacky.

Let's perhaps limit this condition more tightly, like only to iOS. That way if there's an error we didn't expect — which might mean the launch really did fail — we'll show the user an error message rather than silently do nothing.

[gnprice]

Two other upstream reports that are directly about errors like this one:

• [url_launcher] Throw exception when clicked on Stop loading button on Safari flutter/flutter#75691
• [url_launcher] - PlatformException on ios 13.3 when opening a docx file flutter/flutter#49162

This looks like possibly the most relevant:
flutter/flutter#75691 (comment)

Does that match the situation you were seeing these errors in?

[chrisbobbe]

I'm not sure. In that comment, the person says "if anything fails browser side". But when I watch what goes on in the browser, nothing stands out to me as matching that description.

[gnprice]

nit:

Suggested change

	await tester.pumpWidget(ZulipApp(navigatorObservers: [testNavObserver],));
	await tester.pumpWidget(ZulipApp(navigatorObservers: [testNavObserver]));

[gnprice]

nit:

Suggested change

	final encoded = debugEncodeApiKey(eg.selfAccount.apiKey, LoginPageState.debugOtpOverride!);
	final encoded = debugEncodeApiKey(eg.selfAccount.apiKey, otp);

where otp is a local, and you refer to debugOtpOverride just to set it once.

That way this line doesn't get so long.

[chrisbobbe]

Hmm, a test failure in CI:

❌ /home/runner/work/zulip-flutter/zulip-flutter/test/model/store_test.dart: UpdateMachine.load retries registerQueue on NetworkError (failed)
  Bad state: Exceeded timeout 1:00:00.000000 while flushing timers
  package:fake_async/fake_async.dart 217:9   FakeAsync.flushTimers.<fn>
  package:fake_async/fake_async.dart 241:21  FakeAsync._fireTimersWhile
  package:fake_async/fake_async.dart 214:5   FakeAsync.flushTimers
  test/fake_async.dart 29:7                  awaitFakeAsync
  test/model/store_test.dart 176:57          main.<fn>.<fn>

A flake, do you think?

[chrisbobbe]

Thanks for the review! Revision pushed, and I've posted a screenshot and video in the PR description.

[gnprice]

Hmm, a test failure in CI:

Hmm. Does seem unlikely to be caused by this change — so it may be a pre-existing flake.

If so, then it's a bug in either the test or the code under test, so it'd be good to fix. Would you file a bug to track that flake?

[chrisbobbe]

Would you file a bug to track that flake?

Sure: #602

[gnprice]

Thanks! Generally this all looks great. There's one more test I'd like, and then various small style things.

I also want to try this end-to-end myself, and look closer at those settings in the manifest and Info.plist. But posting these code comments without blocking on those.

[gnprice]

nit: put these in general-to-specific order, same as in the pattern above

[gnprice]

Let's order all these members in the way suggested in the Flutter style guide:
https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo#order-other-class-members-in-a-way-that-makes-sense

I think that'll make it somewhat easier to look at this class and understand the API.

(It looks like the existing code wasn't quite in that order, and perhaps it'd be better if it were. But that matters a lot less when it's so simple; as it gains more complexity, the structure becomes more important for the reader.)

[chrisbobbe]

It looks like the existing code wasn't quite in that order

Hmm, really? Here's the class before the commit that adds to it:

class LoginPage extends StatefulWidget {
  const LoginPage({super.key, required this.serverSettings});

  final GetServerSettingsResult serverSettings;

  static Route<void> buildRoute({required GetServerSettingsResult serverSettings}) {
    return _LoginSequenceRoute(
      page: LoginPage(serverSettings: serverSettings));
  }

  @override
  State<LoginPage> createState() => _LoginPageState();
}

I see the following, matching the order in the style guide:

1. Constructors […]

[…]

4. Final fields that are set from the constructor.
5. Other static methods [i.e. that don't return the same type as the class].

[…]

10. Methods […]

[chrisbobbe]

I see that the updated class, with web-auth things added to it, doesn't match the numbered list; I'll fix that.

[gnprice]

I see the following, matching the order in the style guide:

Oh, I guess that's right. I was reading buildRoute as returning the class's type, but it doesn't.

I think it's likely helpful to treat it for the ordering as if it does return the class's type, though. It plays pretty much the role of a factory constructor — it's the thing that application code, at least, should always use instead of calling the actual constructor directly. (Possibly we should even make the constructor private when we have a buildRoute method like this; but that might be annoying in tests.)

[gnprice]

This is functionally a getter backed by a mutable field, so let's follow the Flutter style guide's order for those:
https://github.com/flutter/flutter/wiki/Style-guide-for-Flutter-repo#order-other-class-members-in-a-way-that-makes-sense

[gnprice]

Also could make this an actual getter/field pair. E.g. String? get _otp and String? __otp;.

[chrisbobbe]

Interesting; yeah, I guess it's fine to have a thing that starts with two underscores. 😛

[gnprice]

nit: break line for readability

Suggested change

	final wellFormed = Uri.parse(
	'zulip://login?otp_encrypted_api_key=$encryptedApiKey&email=self%40example&user_id=1&realm=https%3A%2F%2Fchat.example%2F');
	final wellFormed = Uri.parse(
	'zulip://login?otp_encrypted_api_key=$encryptedApiKey'
	'&email=self%40example&user_id=1&realm=https%3A%2F%2Fchat.example%2F');

[gnprice]

nit: key detail is off past 80 columns, so break line:

Suggested change

	final queryParams = {...wellFormed.queryParameters}..['otp_encrypted_api_key'] = 'asdf';
	final queryParams = {...wellFormed.queryParameters}
	..['otp_encrypted_api_key'] = 'asdf';

[gnprice]

nit:

Suggested change

	test('decodeApiKey fails when otp is nonsense', () {
	test('decodeApiKey fails when otp is wrong length', () {

Seems more precise about what's really being checked here. (And an OTP is random noise when it is properly generated, so the reader may wonder what it means for it to be "nonsense".)

[gnprice]

nit: I like the name "payload" for similar locals elsewhere in this commit — I think that'd be clearer here than "result".

[gnprice]

Let's give this a unit test, too. For a smoke test: it returns a value (rather than throw), and the value is a hex string of the right length.

And then given that a previous draft of this function elsewhere actually had a bug where the randomness was off — it had rand.nextInt(255) instead of 256 — let's have a test that would have caught that, so necessarily a probabilistic test.

We can follow the lead of our BackoffMachine test and say the probability of a false failure just needs to be under 1e-9. So…

• generate N = 216 of these
• take the set of bytes that ever appear (after decoding them all from hex)
• check that all 256 possible byte values do appear somewhere.

That should be plenty quick to run, I hope. And each possible byte value gets N * 32 opportunities to show up, each with probability 1/256; so its probability of missing all of those is exp(- N * 32 / 256) < 2e-12, and there are 256 such possible byte values so the probability that any of them gets missed is < 1e-9.

[gnprice]

Then since we'll be generating all those sample results, may as well use those to subsume the smoke test: just check each of them has the right length (and we'll already be decoding them as hex so implicitly checking they're hex strings).

One possible failure mode of a buggy implementation could be to drop leading zero bytes, for example, and this check would catch that.

[chrisbobbe]

Thanks for the review! Revision pushed.

[gnprice]

Thanks for the revision! Small comments on the new test; otherwise all looks good.

There's also those other review steps (#600 (review)) that I want to make before merging.

[gnprice]

nit: process more on the result of check rather than its argument:

Suggested change

	check(bytes.length).equals(32);
	check(bytes).length.equals(32);

[gnprice]

nit: can use Iterable.generate instead of allocating a List, and then in fact can leave out the callback argument:

Suggested change

	final byteValues = List.generate(256, (index) => index);
	final byteValues = Iterable.generate(256);

Then probably clearest to just inline that.

[gnprice]

Let's make the principle here a bit more explicit — helpful for anyone thinking of adding another probabilistic test and finding this as an example:

Suggested change

	test('smoke, and check all 256 byte values are used', () {
	const n = 216;
	test('smoke, and check all 256 byte values are used', () {
	// This is a probabilistic test. We've chosen `n` so that when the test
	// should pass, the probability it fails is < 1e-9. See analysis below.
	const n = 216;

[gnprice]

I did a quick test to confirm this test runs quickly, and it does. Running this test file with or without this test case included, 3 runs each, the difference in runtime is less than the noise between runs:

$ time flutter test test/api/model/web_auth_test.dart 
00:09 +8: All tests passed!                                                         
time: 10.660s wall (13.258s u, 0.864s s)

$ time flutter test test/api/model/web_auth_test.dart 
00:01 +8: All tests passed!                                                         
time: 2.808s wall (3.231s u, 0.613s s)

$ time flutter test test/api/model/web_auth_test.dart 
00:01 +8: All tests passed!                                                         
time: 2.724s wall (3.155s u, 0.596s s)

$ time flutter test test/api/model/web_auth_test.dart 
00:01 +8: All tests passed!                                                         
time: 2.702s wall (3.165s u, 0.581s s)

$ time flutter test test/api/model/web_auth_test.dart --name WebA
00:01 +7: All tests passed!                                                         
time: 2.764s wall (3.275s u, 0.580s s)

$ time flutter test test/api/model/web_auth_test.dart --name WebA
00:01 +7: All tests passed!                                                         
time: 2.759s wall (3.110s u, 0.642s s)

$ time flutter test test/api/model/web_auth_test.dart --name WebA
00:01 +7: All tests passed!                                                         
time: 2.710s wall (3.188s u, 0.568s s)

(I made one warmup run before the runs I counted, though I was surprised how big the warmup effect was.)

In particular I'm pretty sure the runtime is <50ms, which is fine.

[chrisbobbe]

Thanks!

[gnprice]

Hmm, well — this doesn't work for me, when I try it on my device.

I tried rust-lang.zulipchat.com, and hit the GitHub button. In the UI, I got the "Something went wrong" dialog box. In logcat, there was this:

I/UrlLauncher(11715): component name for https://rust-lang.zulipchat.com/accounts/login/social/github?mobile_flow_otp=affc188a02b5d5fb2da77fc4215fab209dc466a71e279dd9589e51f65748f904 is null
I/UrlLauncher(11715): component name for https://flutter.dev is null
I/flutter (11715): Instance of 'Error'

That "component name for" message appears to come from canLaunchUrl. The UrlLauncher tag on the log line is a hint to look in the url_launcher package, and indeed:

greg@dark-matter:~/n/flutter/packages/packages/url_launcher (main u=) 
$ gr -C7 'component name'
url_launcher_android/android/src/main/java/io/flutter/plugins/urllauncher/UrlLauncher.java
65-
66-  @Override
67-  public @NonNull Boolean canLaunchUrl(@NonNull String url) {
68-    Intent launchIntent = new Intent(Intent.ACTION_VIEW);
69-    launchIntent.setData(Uri.parse(url));
70-    String componentName = intentResolver.getHandlerComponentName(launchIntent);
71-    if (BuildConfig.DEBUG) {
72:      Log.i(TAG, "component name for " + url + " is " + componentName);
73-    }
74-    if (componentName == null) {
75-      return false;

If I just comment out our canLaunchUrl call, though:

@@ -321,9 +321,9 @@ class _LoginPageState extends State<LoginPage> {
     try {
       final url = widget.serverSettings.realmUrl.resolve(method.loginUrl)
         .replace(queryParameters: {'mobile_flow_otp': _otp!});
-      if (!(await ZulipBinding.instance.canLaunchUrl(url))) {
-        throw Error();
-      }
+      // if (!(await ZulipBinding.instance.canLaunchUrl(url))) {
+      //   throw Error();
+      // }

then…

• it does successfully launch the URL — I get the Zulip server's "choose account" web page, to choose from the different email addresses I have on my GitHub account
• when I choose one, I get a bit of system UI asking what app to open with, and I choose "Zulip beta" (this is something normal users, who only have one Zulip app installed at a time, should never see)
• then I'm back in the app's own UI, and:
  • there's that error dialog again
  • but also the progress indicator on the app bar
• and when I dismiss the error dialog, it's back on LoginPage as if nothing had happened.

And meanwhile in logcat there's this:

W/CustomTabsClient(11715): Unable to find any Custom Tabs packages, you may need to add a <queries> element to your manifest. See the docs for CustomTabsClient#getPackageName.
I/flutter (11715): 'package:zulip/widgets/login.dart': Failed assertion: line 290 pos 15: 'await ZulipBinding.instance.supportsCloseForLaunchMode(_webAuthLaunchMode)': is not true.

Then I commented out that other check:

-      assert (await ZulipBinding.instance.supportsCloseForLaunchMode(_webAuthLaunchMode));
+      // assert (await ZulipBinding.instance.supportsCloseForLaunchMode(_webAuthLaunchMode));

and tried again, and it works!

[gnprice]

So in short it does work if we remove those two checks.

Both checks seem to be trying to confirm that the thing the code is about to do next is expected to work. So it's probably best to just try the thing, and if it doesn't work then that's an error we have to deal with.

[gnprice]

This also probably indicates it's a good idea to make a minimal effort to report the actual error message when there's an error, because it's likely there will be errors some users run into and we'll want that information for debugging.

In particular if e is Exception, we can use e.message. The error dialog's title can remain short and generic like "Something went wrong".

[gnprice]

OK, the changes here and in Info.plist LGTM.

(The intent filter and CFBundleUrlTypes match what we have in zulip-mobile; the other bits are what's prescribed in the docs under https://docs.flutter.dev/ui/navigation/deep-linking .)

So what remains to do on this PR is those small comments at #600 (review) on the new test, and then the bigger point from my end-to-end testing after that.

[chrisbobbe]

In particular if e is Exception, we can use e.message.

Hmm, I'm seeing that Exception doesn't have a message.

[chrisbobbe]

Thanks for the review! Revision pushed, and see my comment just before this: #600 (comment)

[gnprice]

Hmm, I'm seeing that Exception doesn't have a message.

Ah, yeah, I read too quickly:

abstract interface class Exception {
  factory Exception([var message]) => _Exception(message);
}

So it's an interface, but with no members — just a marker interface. And its "message" is only an argument to the factory constructor.

Anyway, we can do so for PlatformException, which is likely to include anything thrown by launchUrl or closeInAppWebView.

[gnprice]

OK, retested and this version works out of the box. The changes look good, so I'll go ahead and merge. Glad to have this feature in!

Then I'll file a follow-up issue (→ #609) for putting more information in the error dialog, for the sake of debugging whatever errors people turn out to run into. Probably be good to do that soon after, while it's fresh in mind (and also so we have it soon for that debugging.)