[Issue #3247] logged in header #3458
Conversation
…private vs secret jwk
doug-s-nava
force-pushed
the
dschrashun/3247-logged-in-header
branch
from
28b2f3e to
5fd25dd
Compare
| @@ -12,7 +14,7 @@ const sprite_uri = SpriteSVG.src as string; | |||
| export function USWDSIcon(props: IconProps) { | |||
| return ( | |||
| <svg | |||
| className={props.className} | |||
| className={clsx("usa-icon", props.className)} | |||
There was a problem hiding this comment.
since all usage of this component had this class added manually, figured we should add it to the shared implementation and make this component a bit more useful. Removal of "usa-icon" from other files is a result of this change
| /** | ||
| * View for managing feature flags | ||
| */ | ||
| export default function FeatureFlagsTable() { | ||
| const { setFeatureFlag, featureFlags } = useFeatureFlags(); | ||
| const { user, isLoading, error } = useUser(); |
There was a problem hiding this comment.
with a working header we no longer need these changes on the feature flag page as a proof of concept
| @@ -2,12 +2,12 @@ import { getSession } from "src/services/auth/session"; | |||
|
|
|||
| import { NextResponse } from "next/server"; | |||
|
|
|||
| export const revalidate = 0; | |||
There was a problem hiding this comment.
we don't want to cache anything here
There was a problem hiding this comment.
Not sure if this has an effect since a fetch isn't called in the session creation AFAICT. Next says it doesn't cache GET routes if cookies are used. force-dynamic might be the way to make sure that the GET request is re-rendered every time, but can't hurt to tell it to revalidate as well.
There was a problem hiding this comment.
Also wondering if this is better as a POST method.
There was a problem hiding this comment.
yeah, I had this in there just for safety, but I just verified and the 'no-store' on the fetch call is doing all the work. We can safely pull this out. As for POST vs GET, I'm not sure I see a reason to make a change, but we can discuss
| <Footer /> | ||
| <GrantsIdentifier /> | ||
| </div> | ||
| <UserProvider> |
There was a problem hiding this comment.
we could be more targeted here, but I don't see a need
| @@ -62,7 +62,7 @@ const OpportunityStatusWidget = ({ opportunityData }: Props) => { | |||
| switch (status) { | |||
| case "archived": | |||
| return ( | |||
| <div className="usa-tag bg-base-lighter text-ink border-radius-2 border-base-lightest width-100 radius-md margin-right-0 font-sans-sm text-center text-no-uppercase"> | |||
There was a problem hiding this comment.
width-100 isn't a valid uswds class
| @@ -0,0 +1,46 @@ | |||
| import { KeyObject } from "crypto"; | |||
There was a problem hiding this comment.
where I ended up is a little confusing, but the idea was to split out functionality that needs access to JWT keys from functionality that doesn't in order to help with testing and organization. I think we could put everything back in one file at this point, given what I learned in the process, but leaving as is for now
There was a problem hiding this comment.
deleteSession seems like it belongs with createSession but the others make sense as utils. Could do as a follow-up though.
| console.error("Failed to decrypt session cookie", error); | ||
| return null; | ||
| // isolate encoding behavior from file execution | ||
| const initializeSessionSecrets = () => { |
There was a problem hiding this comment.
this implementation probably isn't strictly necessary, but it's a little bit cleaner than instantiating on each module load, and helps deal with situations (like our build) where the keys won't be available
doug-s-nava
requested review from
acouch,
coilysiren,
mdragon,
andycochran and
btabaska
as code owners
frontend/.env.development
Outdated
| @@ -32,4 +32,4 @@ USE_SEARCH_MOCK_DATA=false | |||
| NEW_RELIC_APP_NAME= | |||
| NEW_RELIC_LICENSE_KEY= | |||
|
|
|||
| SESSION_SECRET=extraSecretSessionSecretValueSssh | |||
| # SESSION_SECRET=extraSecretSessionSecretValueSssh | |||
There was a problem hiding this comment.
It occurs to me we should update the dev docs for the auth work, created a separate ticket #3474
| import { cookies } from "next/headers"; | ||
|
|
||
| export const CLIENT_JWT_ENCRYPTION_ALGORITHM = "HS256"; | ||
| export const API_JWT_ENCRYPTION_ALGORITHM = "RS256"; |
There was a problem hiding this comment.
Should these live in src/constants? If not what is our criteria for what goes there vs not?
There was a problem hiding this comment.
that's a good question...
in this case I think it's ok to leave them here as they don't take up much space and their usage should be pretty limited. I'm open to moving them, but would maybe want to create a "generalConstants" file to put them in since I don't see the point of having lots of tiny constants files for every individual slice of functionality
| @@ -41,4 +42,5 @@ export const environment: { [key: string]: string } = { | |||
| NEXT_BUILD: NEXT_BUILD || "false", | |||
| SESSION_SECRET: SESSION_SECRET || "", | |||
| NEXT_PUBLIC_BASE_URL: NEXT_PUBLIC_BASE_URL || "http://localhost:3000", | |||
| API_JWT_PUBLIC_KEY: API_JWT_PUBLIC_KEY || "", | |||
There was a problem hiding this comment.
Thinking out loud, might be useful to error or write debug statements here if certain envars are missing.
There was a problem hiding this comment.
one problem there is that these will always be undefined in the build process, so we'd be polluting the logs there unless we check the NEXT_BUILD env var to gate the logging. We're only setting that flag in the Dockerfile at the moment, though. Worth a further discussion
Summary
Fixes #3247
Time to review: 45 mins
Changes proposed
Context for reviewers
Notes
I made as much as possible of USWDS styling, but given that we are going against the grain in a number of ways with this nav implementation I ended up needing to create a few override styles. If anyone sees a way to work around these styles with build in USWDS stuff, that'd be great, but I reached the limit of my powers on a couple of these
while doing this work I created a hook for JS side media queries that I ended up not needing. In case we need it in the future it's here https://github.com/HHS/simpler-grants-gov/compare/use-media-query?expand=1
note that in building this functionality I had some difficulty working around the initialization of the encoded secrets, which relates to testing. If we are ok with leaving this functionality untestable, then this complexity I created here isn't necessary, but if we want to test that the env vars are being encoded properly, we need some way to encode them independent of the file initialization. We also potentially have the difficulty of handling cases where the keys are not available (such as when the session code runs during build). Here's what I tried to work around this that didn't work:
does not include new e2e tests, ticket for that work is here e2e tests for login / logout #3459
Test steps
Refer to screenshots below throughout
make setup-env-override-filein apiAPI_JWT_PUBLIC_KEYvalue from your override.env filenpm run build && SESSION_SECRET='anything' AUTH_LOGIN_URL=http://localhost:8080/v1/users/login API_JWT_PUBLIC_KEY="<yr public key>" FEATURE_AUTH_ON=true npm run startsign inAdditional information
Logged out
Logged in
Logged in drop down
Logged in mobile
Logged in mobile drop down