Use Ground Truth for authentication #264
Conversation
petschekr
added
bug
enhancement
hackgt-beekeeper
bot
had a problem deploying
to
registration-ground-truth-pr
hackgt-beekeeper
bot
had a problem deploying
to
registration-ground-truth-pr
hackgt-beekeeper
bot
temporarily deployed
to
registration-ground-truth-pr
hackgt-beekeeper
bot
temporarily deployed
to
registration-ground-truth-pr
hackgt-beekeeper
bot
temporarily deployed
to
registration-ground-truth-pr
petschekr
force-pushed
the
ground-truth
branch
3 times, most recently
from
77ac737 to
80c5ee4
Compare
|
Hey y'all! A deployment of this PR can be found here: |
hackgt-beekeeper
bot
temporarily deployed
to
registration-ground-truth-pr
hackgt-beekeeper
bot
temporarily deployed
to
registration-ground-truth-pr
hackgt-beekeeper
bot
temporarily deployed
to
registration-ground-truth-pr
hackgt-beekeeper
bot
temporarily deployed
to
registration-ground-truth-pr
| if (anonymous) { | ||
| let email = request.body["anonymous-registration-email"] as string; | ||
| let name = request.body["anonymous-registration-name"] as string; | ||
| if (await User.findOne({email})) { | ||
| if (await User.findOne({ email })) { |
There was a problem hiding this comment.
So walk-up registration will be done completely outside the ground truth flow. If they later created an account that matched this email using ground truth, would the accounts properly sync up?
There was a problem hiding this comment.
also did registration ever get a chance to allow walk up for people who started an application but didn't finish?
There was a problem hiding this comment.
@joel99 No that's not implemented yet (and I don't think it's covered by an existing issue)
@ehsanmasdar I don't remember if that's the case. We should do some investigating but that shouldn't block HackGT 6 initial release because walk-up won't happen until day-of
| if (request.session) { | ||
| request.session.loginAction = "render"; | ||
| } | ||
| response.redirect("/login"); |
There was a problem hiding this comment.
Should we redirect user to registration login or ground truth login
There was a problem hiding this comment.
It redirects to /login so that we can tell the user that they've successfully logged out. If we redirect to Ground Truth, the user will be told to login again even if that isn't what they want to do
| } | ||
| } | ||
| user.accountConfirmed = true; | ||
| authRoutes.get("/validatehost/:nonce", (request, response) => { |
There was a problem hiding this comment.
What is the purpose of this? What does this achieve that's not handled by the oauth client library
There was a problem hiding this comment.
This is here because we use the Host header when generating links and callback URLs in the auth code. This verifies that the server behind the domain in the Host header is actually us and not some malicious other instance. Not sure if it's overengineered because Host headers can only be crafted by non-browser HTTP libraries (AJAX requests and JavaScript in browsers cannot override the Host header)
|
adding @joel99 would like to get a second set of eyes since it's so critical |
There was a problem hiding this comment.
@ehsanmasdar can you help spin up a test deployment so we can QA this?
@petschekr embodying refactor as you go 👍
| } | ||
| if (process.env.EMAIL_FROM) { | ||
| this.email.from = process.env.EMAIL_FROM!; |
There was a problem hiding this comment.
any reason a lot of these became optional?
There was a problem hiding this comment.
The types for Node.js were updated sometime after this code was written to make arbitrary properties on the process.env object not throw a possibly undefined compiler error. Therefore the non-null assertion operator, !, is no longer required here (and elsewhere).
| if (anonymous) { | ||
| let email = request.body["anonymous-registration-email"] as string; | ||
| let name = request.body["anonymous-registration-name"] as string; | ||
| if (await User.findOne({email})) { | ||
| if (await User.findOne({ email })) { |
There was a problem hiding this comment.
also did registration ever get a chance to allow walk up for people who started an application but didn't finish?
| if (request.session) { | ||
| request.session.loginAction = "render"; | ||
| } | ||
| response.redirect("/login"); |
| // Load and compile Handlebars templates | ||
| let [ | ||
| indexTemplate, | ||
| loginTemplate, |
There was a problem hiding this comment.
is there some feature that automatically makes a class variable? How does loadTemplate get this.file?
There was a problem hiding this comment.
The constructor of the Template class has constructor(private readonly file: string) {} which makes the first argument when called with new a private readonly property automatically. This is shorthand supported by TypeScript
| @@ -442,14 +462,14 @@ userRoutes.route("/export").get(isAdmin, async (request, response): Promise<void | |||
| for (let branchName of await Branches.BranchConfig.getNames()) { | |||
| // TODO: THIS IS A PRELIMINARY VERSION FOR HACKGT CATALYST | |||
| // TODO: Change this to { "accepted": true } | |||
| let attendingUsers: IUserMongoose[] = await User.find({ "applied": true, "applicationBranch": branchName }); | |||
| let attendingUsers = await User.find({ "applied": true, "applicationBranch": branchName }); | |||
There was a problem hiding this comment.
uhhh should probably fix those TODOs above
There was a problem hiding this comment.
@ehsanmasdar @joel99 Do you think I can just get rid of this /export endpoint? It's kind of a hidden feature that we haven't used since Catalyst 1 I think
There was a problem hiding this comment.
Oh, didn't realize that. We have graphiql and checkin2 can do CSV exports, so I'm guessing we don't need it.
There was a problem hiding this comment.
Export data? Yeah, we can grab what we need from db if it becomes relevant if this is an issue. I'd prefer to leave and mark as legacy code for now if it's not blocking, though.
Use Ground Truth for authentication
Switches to using HackGT Ground Truth for authentication and removes all auth related code from the codebase.
Ground Truth is implemented as the only login strategy which could make initial setup of registration for organizations that don't already host a Ground Truth instance slightly more complicated. Two possible mitigations:
Fixes #252
Fixes #254
Fixes #262