feat(lib-auth): @zooniverse/auth package #6376
Adds a basic auth client as detailed in ADR 21 (zooniverse#1361).
- Add auth client
- Add unit tests
- Add functional tests in isolation
- Add functional tests for staging API

I closed the original PR because there was no time to finish this off but maybe it's worth picking up again.
const { cookieName } = this._config | ||
const cookies = cookie.parse(document.cookie) | ||
return cookies[cookieName] || '' |
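Review bot: `cookie.parse(document.cookie)` reads the `document` global with no guard, so this getter throws a ReferenceError wherever `document` is undefined, such as Node. Check `typeof document !== 'undefined'` before reading it, or have the caller pass the cookie string in. Returning `''` for a missing cookie also makes "no cookie" indistinguishable from an empty value; `null` would be clearer.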
The auth client can only read the Panoptes session cookie on the server, when the client is running in Node. The cookie can't be used when the auth client is running in a browser. Instead, you have to make a POST request to the Panoptes auth API, which returns the access token and refresh token for your session cookie.
Alternatively, use a third-party OAuth library to interact with the Panoptes OAuth APIs, so that you don't have to worry about the details of implementing an OAuth client here.
this._state = { | ||
accessToken: tokenData['access_token'], | ||
accessTokenCreatedAt: tokenData['created_at'], | ||
accessTokenExpiresAt: tokenData['created_at'] + tokenData['expires_in'], | ||
accessTokenExpiresIn: tokenData['expires_in'], | ||
refreshToken: tokenData['refresh_token'], | ||
scope: tokenData.scope | ||
} |
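Review bot: `accessTokenExpiresAt` is computed as `tokenData['created_at'] + tokenData['expires_in']` with no type check, so a missing field yields `NaN` and a string field yields concatenation, and either breaks any later expiry comparison. Validate that both values are finite numbers before assigning `this._state`, and reject the token response otherwise.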
`client._state` is a public variable so this makes the refresh token visible via `client._state.refreshToken`. Your refresh token should be private just to you. `_state` should be private, so that it's not available outside the instantiated `client` object. PJC hides private state, like the refresh token, by using the module pattern for exports. Only methods and properties on the following list can be accessed from outside the client, to keep personal data secure.
https://github.com/zooniverse/panoptes-javascript-client/blob/8157794dfacfbc1f5d41c5730b2f47aae6fc013a/lib/auth.js#L341-L354
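The module pattern described in the comment above, as an added example (not code from this PR or from PJC): token state lives in a closure and only a fixed list of methods is exported. `createAuthClient`, `postRefresh`, `LeakyClient`, `visibleSurface` and the sample token values are hypothetical names and constructed data.

```javascript
// Constructed token response with the fields read in the reviewed snippet.
const sampleTokenData = {
  access_token: 'constructed-access-token',
  refresh_token: 'constructed-refresh-token',
  created_at: 1700000000,
  expires_in: 7200,
  scope: 'public user'
}

// "Before": state on a public property, readable by any script holding the client.
class LeakyClient {
  constructor(tokenData) {
    this._state = { accessToken: tokenData.access_token, refreshToken: tokenData.refresh_token }
  }
}

// "After": module pattern. `state` exists only inside this closure.
// postRefresh (hypothetical) is the trusted request function, fixed at creation.
function createAuthClient(tokenData, postRefresh) {
  const state = {}
  const store = (data) => {
    if (!Number.isFinite(data.created_at) || !Number.isFinite(data.expires_in)) {
      throw new TypeError('created_at and expires_in must be numbers')
    }
    state.accessToken = data.access_token
    state.accessTokenExpiresAt = data.created_at + data.expires_in
    state.refreshToken = data.refresh_token
    state.scope = data.scope
  }
  store(tokenData)
  // Only this list is reachable from outside; the refresh token is passed to postRefresh only.
  return Object.freeze({
    getAccessToken: () => state.accessToken,
    getScope: () => state.scope,
    isExpired: (nowSeconds = Date.now() / 1000) => nowSeconds >= state.accessTokenExpiresAt,
    refresh: async () => {
      store(await postRefresh(state.refreshToken))
      return state.accessToken
    }
  })
}

// Everything an outside script can enumerate or serialise from a client object.
function visibleSurface(client) {
  return JSON.stringify(client) + Object.getOwnPropertyNames(client).join(',')
}
```

The access token is still returned by `getAccessToken()` because callers need it for API requests; only the refresh token is kept unreachable.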
I've left a couple of comments that I remember from when I last worked on this.
{ | ||
"name": "@zooniverse/auth", | ||
"version": "1.0.0", | ||
"main": "src/index.js", |
This new package was originally written as a CJS package. Nowadays, it would make more sense to write it as an ES Module. CJS has never been supported in browsers, and ESM is well-supported in Node now.
See #6375 (comment)

This revives the work on a new Panoptes auth client, from 2019, if it's useful. It implements client-side user registration and sign-in in a new, tested package: `@zooniverse/auth`.

Package
Linked Issue and/or Talk Post
How to Review
See the package Readme for docs, and the `auth-client-test` branch for an example implementation of Panoptes sign-in in cca57bb.

Checklist
PR Creator - Please cater the checklist to fit the review needed for your code changes.
PR Reviewer - Use the checklist during your review. Each point should be checkmarked or discussed before PR approval.
General
`yarn panic && yarn bootstrap` or `docker-compose up --build` and FEM works as expected
General UX
Example Staging Project: i-fancy-cats
New Feature