1Password Support for Database Connections

[cocojoe]

All PasswordPolicy levels supported in Sign Up password generation
Added Lock options showPasswordManager, passwordManagerAppIdentifier
Embedded OnePassword ObjC Extension into Lock

[cocojoe]

[cocojoe]

Test Notes:

Must have 1Password app installed on device.

info.plist

Add following to the app's info.plist:

<key>LSApplicationQueriesSchemes</key>
<array>
    <string>org-appextension-feature-password-management</string>
</array>

Options

By default the bundler identifier will be used, If you want to share credentials with a website that uses Auth0, then use the name of the site e.g.

.withOptions {
    $0.passwordManagerAppIdentifier = "www.website.com"
}

[cocojoe]

Additional thoughts, currently the password recipe will match the DB password policy, although this feels incredibly weak for anything < fair. Given that if you are using a password manager you are mostly setting it and forgetting it. Perhaps the default should be fair+ ?

[hzalaz]

Also the 1password button is a bit bigger than I'd like

[hzalaz]

I'd keep the name without the Lock prefix and also I hope this is no part of the public headers right?

[cocojoe]

No it's not, they recommend renaming it so I did that 'just in case'. I made it an isolated commit so easy to revert.

https://github.com/auth0/Lock.swift/blob/added-1password-support/Lock/LockOnePasswordExtension.h#L57

[hzalaz]

Probably makes sense for apps to avoid clashing

[hzalaz]

But here we don't need to rename it since it won't be a public header

[hzalaz]

Let's split this in two

      /// Show password manager button when user credentials are needed, e.g. during Sign Up, and allow storing/retrieving credentials from the password manager
var showPasswordManager: Bool { get set }

     /// Application identifier used by the password manager, if you also have a web app we recommend adding your site url. By default is the application bundle identifier
var passwordManagerAppIdentifier: String { get set }

[cocojoe]

I merged it into one, as I look at it from the perspective of if I am going to enable it then I will want to use it, so why not in streamline into one option? However I have no strong feelings either way.

[hzalaz]

First I'd like it to be enabled by default and ideally some people won't set the app identifier and prefer to use the bundle identifier

[cocojoe]

I thought perhaps passwordManagerAppIdentifier should be optional as Bundle.main.bundleIdentifier is an optional. Although the user has bigger issues in their app if their bundleIdentifier is nil. So forced it.

We should probably add another option for the Password Title in 1Password, by default it will parse the identifier however it's designed to parse website urls so looks weird.

We could of course just pass the CFBundleDisplayName on the store method as it would also be strange not to use the same name as the app for 1Password.

[cocojoe]

I've set it to use display name as title for now.

[hzalaz]

We can have passwordManagerDisplayName(Default bundle display name) or improve the options and have a struct to configure the password manager with the three properties inside

[hzalaz]

There was a comment and yes use excellent for every rule even if there is no rule

[hzalaz]

Also the 1pass icon seems too big compared to the field. I'd try to leave around 3-4 pt of padding in the edges

[hzalaz]

Why don't use the same PasswordManager instead of creating yet another type?

[cocojoe]

I do not see any requirement or need for PasswordManager Protocol to be a Public API. It also utilises internal types such as InputField...
It is debatable to use a struct vs properties for 2-3 values anyway. So can always revert to properties.
Although another type is not a big deal either.

[hzalaz]

We can use the OnePassword type and configure it, the protocol can still be private (and implemented by OnePassword) since we are not allowing any extra extensibility.

[hzalaz]

Can we explain a bit better what it means in the code comment?

[hzalaz]

Also we need to explain its attributes

[hzalaz]

I think enabled is fine

[hzalaz]

Having https://github.com/auth0/Lock.swift/pull/422/files#diff-04c6e90faac2675aa89e2176d2eec7d8R371 why not follow the same approach?

[cocojoe]

I did originally then changed it, will revert.

[hzalaz]

Below I suggested to join the config with the object itself so we could just ask it if its enabled (user settings + app availability in the same query).

Ideally we could just assign it all the time and ask it if its enabled when trying to use it since we will do the same but with the optional

[cocojoe]

Not sure there is any real life advantage, if OnePassword is not available on device (still needs checked), there is not much point in initialising the manager just to perform a bool check vs an optional check.

[hzalaz]

Less code, encapsulation and simplicity. The presenter will always have a password manager and will always ask it if it should display the button. All the thing is done in the presenter and the router only needs to inject it.

[hzalaz]

But here we don't need to rename it since it won't be a public header

[hzalaz]

Just merge the password manager and the config its not necessary to add an extra type

[hzalaz]

Also let's add code comments to the attributes

[hzalaz]

lets use enabled

[hzalaz]

Lets explain it a bit more

[hzalaz]

@cocojoe also please update the screenshots showing the button, if needed, so I can see how it looks now

[hzalaz]

Probably I wasn't clear before but ideally the passwordManager.isAvaliable() could be encapsulated inside the passwordManager.enabled

[hzalaz]

From a design stand, passing the password manager is sort of breaching the separation of concerns of the view and presenter. Ideally the view should only know that it should show the button (just a simple true or false) then the rest of the work should be in the presenter (the wiring)

[hzalaz]

Not sure why I didnt spot this before but I am not too convinced about this mapping. AFAIK the dict will strong retain the field and thats a thing we want to avoid. Also mixing something from the view here is sort of a code smell, maybe we need to work this around by either having closures but maybe that is not enough either

[hzalaz]

No force-wrap please

[hzalaz]

I'd rather use here a default like <No App>. This wont be ever execute since Xcode will fail without the bundle name but its better than a force-wrap

[hzalaz]

Is there some way we can test this in a better way?

[cocojoe]

Will add styling to this once I can rebase style branch (WIP)

[hzalaz]

Good but in the end we end up having the same retain behavior with a different implementation

[hzalaz]

Being picky but can't we disable this constraint and add a new one between field and button?

[hzalaz]

LOL, nice trick

[cocojoe]

@hzalaz this can be merged

[hzalaz]

we are retaining the presenter here

[hzalaz]

we are retaining the presenter here

[cocojoe]

For both, there is no strong reference to the block which is why I didn't modify in the last pass. Quick checked in DatabasePresenter.swift with:

deinit {
    print("dealloc")
}

[cocojoe]

@hzalaz I can't merge as the codecov is a bit weird, I set the 3rd Party OnePasswordExtension .h/.m to be ignored in CodeCov