Comments (23)
Ongoing discussion about how to integrate external auth (e.g. OAuth) to Openwhyd's back-end: openwhyd/openwhyd-react#5 => your opinion and help is welcome there!
from openwhyd.
In that discussion, I clarify the reasons why I'd like to encourage the development of new front-end/clients rather than new back-ends (or integrated stacks like Meteor).
from openwhyd.
https://github.com/ianstormtaylor/permit could be used to create a OAuth proxy to the existing API maybe?
from openwhyd.
Could you explain how the API works and why you need a host and a "back-end bridge" for it work. Also what exactly does the back-end bridge do?
from openwhyd.
Thanks for asking, Brandon!
I think that you will find answers to your question in our roadmap.
If there's anything missing and/or not clear enough, please let me know :-)
from openwhyd.
Thanks! I've started doing a little independent research š (https://medium.com/google-cloud/understanding-oauth2-and-building-a-basic-authorization-server-of-your-own-a-beginners-guide-cf7451a16f66)
Just a quick question, should we stick to using node for the backend? I'm also not sure how to best organise potential changes to the server? Should I do it in another repo for now as I would like to play around with Docker etc. My main focus would be to get some sort of server with basic API + Oauth setup, then integrate that with MongoDB to select user. After that's done then the clients can use the APIs. This is a good use case for Docker too, different containers for the API server and the basic web server!
from openwhyd.
Hi Brandon, sorry for the delay.
I don't mind adding another technology, as long as it can still run comfortably on our current $15/month droplet (with 3 GB of RAM), together with Openwhyd's Node server and MongoDB.
I may be wrong, but I believe that it would be simpler (for Openwhyd developers) and more resource-saving to have OAuth inside the same Docker container as Openwhyd's Node server.
That said, please feel free to fork Openwhyd and freely experiment with any approach that you find relevant!
There are just a few things I will need to check before deploying the solution in production:
- make sure that Openwhyd's back-end will be working the same way (i.e. no regressions), without having to spend hours reviewing the PR => avoid changing Openwhyd's back-end code, as much as possible
- make sure that the solution will fit our $15/month server => keep the CPU and RAM usage as low as possible
- make sure that the entire solution is stable (i.e. it can run at least one month without crashing)
from openwhyd.
Hey @adrienjoly ,
Implementing OAuth in the backend shouldn't be that difficult, the link Brandon gave is also helpful. I could start playing around with it. Could you guide me on the current flow of logging in and also what files to touch?
from openwhyd.
from openwhyd.
Hi @uLan08 !
I explained the login flow in the following file: /docs/login-flow.md
.
I'm not experienced with the back-end of OAuth, but I think that the cleanest and safest way to do it would be to create a /oauth
path at the root, with several sub-routes:
- the ones required to create a session and renew tokens (e.g.
/oauth/create
, and/oauth/renew
) - and a
/oauth/api/*
sub-route that would proxy (some of) the existing API endpoints, by passing over the cookie corresponding to that session, e.g.openwhyd.org/oauth/api/stream
would give access to the/stream
API endpoint. (the API user would have to provide the OAuth session token instead of the cookie, and the proxy will take care of turning that token into the cookie, so that the original endpoint remains untouched)
Alternative ways to do it:
- create another middleware that would enable the current API endpoints to extract the session either from a cookie or from a OAuth token
- or wrapping/changing the logic of the existing API endpoints in order to do that without touching the middleware. (note: this may result in a quite fluffy and risky PR to review and merge...)
In order to implement the first solution I proposed, I believe that you will have to:
- add a OAuth controller in
/app/controllers
, that would contain both the token management endpoints and the proxy to the legacy/cookie-based API - add the corresponding route(s) to
app.route
, possibly taking some inspiration from the pattern used in/app/controllers/subdir
in order to allow recursive/hierarchical sub-paths
Please let me know if you need more assistance! I'll do my best to help!
from openwhyd.
Hi Patrick!
Are you still motivated to propose a solution to this issue? Let me know if I can help in any way!
from openwhyd.
from openwhyd.
No worries, I was just checking if I could help ^^
Have a great weekend!
from openwhyd.
If any of you are based in Paris and available tonight, I propose that we work on this topic during the "hackergarten" meetup: https://www.meetup.com/fr-FR/Paris-Hackergarten/events/tvdrwpyxpbkc/
from openwhyd.
Other possible solution: "Grant: OAuth Middleware for Express, Koa and Hapi" (https://github.com/simov/grant)
from openwhyd.
A crash course on securing Serverless APIs with JSON web tokens
from openwhyd.
For reference, we had started using oauth2-server - npm, with Dhafer Dhib, during Hackergarten. I'm considering to follow that route today.
from openwhyd.
WIP: https://github.com/adrienjoly/oauth-bridge
from openwhyd.
I just discovered https://oauth.io/ and asked them by email if they may be a good solution for us.
from openwhyd.
OAuth.io would be to provide assistance if we decide to become a oauth2 provider.
They have a Node SDK that could easily turn our existing server into an OAuth provider: https://github.com/oauth-io/oauthio-server-node
Before checking that out, they suggest looking at the most bare bone example of a Node/Express server using the SDK to become an OAuth provider: https://github.com/oauth-io/provider-node-example
There's a step-by-step on video there: https://cl.ly/3a3x1I3W1r2b
Advantage of using their platform: Any dev that wants to use Openwhyd's OAuth API merely needs to click 'Auto-Configure' on OAuth.io, which automatically provisions the app on our OAuth server, and transfers the keys over to OAuth.io, and they are set. Demo: https://cl.ly/2n2b1k0T142R
Note: it would probably make it easier for us to do that if we migrate to Express.js first => #122.
from openwhyd.
Could also be used: simov/grant: OAuth Middleware for Express, Koa and Hapi
from openwhyd.
Also to check out: Implementing an OAuth Server With Node.js and Express | www.thecodebarbarian.com
from openwhyd.
Note: we should reflect on whether or not we need OAuth.
E.g. could we pass a session cookie as POST parameter instead?
from openwhyd.
Related Issues (20)
- use promises instead of callbacks, when calling mongodb, so we can upgrade it HOT 3
- Monitoring: Make it easy to find which incoming requests triggered logged errors
- fix: `Skip value must be non-negative` error HOT 1
- migrate Facebook calls to Graph API vā„12.0, before Mid September 2023 HOT 1
- remove ANSI color codes from Datadog logs HOT 1
- fix most critical security alerts from https://github.com/openwhyd/openwhyd/security/code-scanning
- prevent occasional `The Cypress App could not be downloaded` error from making CI fail on unrelated jobs
- Performance issue on rendering of home feed HOT 5
- Performance issue on the fetching of `activity` history HOT 1
- Make sure that DB state is properly reset between execution of each API test suite
- `This is not the tsc command you are looking for` error in docker build
- Idea: use buildpack instead of dockerfile
- optim: `web` docker image to leave no waste behind, when iterating on source code HOT 1
- `The play() request was interrupted by a call to pause` error reported by Cypress HOT 1
- new users are not systematically redirected after signing up
- very old posts featured in hot tracks HOT 4
- CI optim: reduce the time between merging a PR and deploying it in production
- Help Facebook to review Login HOT 2
- import users' Facebook id to Auth0 too, so users can still login to Openwhyd using their Facebook account, after migrating to Auth0
- `npm install` fails on apple silicon
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
š Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ššš
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ā¤ļø Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from openwhyd.