-
Notifications
You must be signed in to change notification settings - Fork 280
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Web auth to authenticate CLI from browser #1024
Comments
Hey @Benjamin-Philip, thank you for your interest in this feature. Currently, we authenticate with Hex using the command line:
It has a couple of issues:
By pushing more logic to the server side, we avoid having to duplicate the logic between clients (Hex, rebar3, etc). For authenticating with passwords in particular, using the Web will make it easier to leverage password managers like 1Password, etc. In a nutshell we want to achieve something like this: Screen.Recording.2021-05-07.at.10.10.47.mov(I happened to be already logged-in on GitHub, otherwise I'd have to log in on that screen) We need to add:
This list of tasks roughly mirrors what we discussed on the WG: erlef/build-and-packaging-wg#21 I hope this gives you some context. I guess it is still low on details how exactly it is going to work on the technical side so if you decide to work on it, you'd need to do some experimentation (e.g. with GitHub flow to see how exactly they do it) I think the next step would be to build a proof-of-concept, just adding an endpoint to hexpm and a |
Yes it does. Even though it is low on details, I was planning to look at the Github implementation as well.
Ok will do. I'll notify you by email if I get it ready. I'm unfamiliar with how hex manages authentication. So here are some questions:
PS: Starting next week, (10th May) I'm going to get very busy, so updates are gonna be slow. |
We have a cookie, see
If they are nit logged in they should be redirected to a login screen and upon logging in, they should be presented with the option to finish authorizing the CLI. If the user doesn’t even have an account we could somehow explicitly handle that but I also think it’s ok if they'd restart the whole flow after signing up.
I think that is completely orthogonal so let’s not worry about that for now. But no, we have no plans for OAuth integration at the moment.
Yes, currently upon successful auth, the API token is saved to ~/.hex/hex.config and we’d continue to do so. |
@wojtekmach I was browsing through hex and rebar3_hex, and I noticed that a lot of logic is duplicated ( a good example of which is the API key generation). Why don't you write the tasks in hex_core, and write wrappers for mix and rebar ? |
Yeah things like that can for sure be improved, please send PRs. |
The Hexpm team is looking for a means of authenticating a hex client from the browser. The plan is to default to this new means of authentication and deprecate the Username/Password authentication. The github cli (https://github.com/cli/cli) had a similar problem. What they did was implement the device OAuth flow (https://datatracker.ietf.org/doc/html/rfc8628). I decided that a flow of that sort would work very well for Hexpm. However, Hexpm has no support for OAuth. So, I can only "mock" the device flow. This commit does the following: - Adds all the endpoints at the router for such a flow - Creates a controller - Add support for step 1 of the device flow - Adds tests for the above functionality See also: hexpm#1024, erlef/build-and-packaging-wg#21
@wojtekmach and @ericmj, I am having some trouble with mocking logged in users in tests and key generation. I am implementing an OAuth device flow like flow, with the only difference being that I am not bothering with a Now, I am currently implementing step 2 of the device flow where the user verifies a To generate a key, I am using When testing, I receive the following error:
For the following function call in the GenServer: Keys.create(user_id, key_params, audit: audit) Initially I felt something was wrong with the def setup_users(context) do
user = insert(:user)
organization = insert(:organization)
insert(:organization_user, organization: organization, user: user)
Map.merge(context, %{user: user, organization: organization})
end with the following test: describe "POST /web_auth/submit" do
setup :setup_users
test "redirects to sucess page on valid user code", c do
{:ok, user_code} =
post(build_conn(), Routes.web_auth_path(build_conn(), :code, @test))
|> json_response(200)
|> Map.fetch("user_code")
request = %{"user_code" => user_code, "user_id" => c.user.id}
conn =
c.conn
|> test_login(c.user)
|> post(Routes.web_auth_path(c.conn, :submit, request))
assert redirected_to(conn, 200) =~ Routes.web_auth_path(conn, :success)
assert html_response(conn, 200) =~ "Congratulations, you're all set!"
end
# more tests
end I am using The fact _ = IO.inspect(conn.assigns.organization, label: "Conn OID")
_ = IO.inspect(conn.assigns.current_user, label: "Conn UID") There was no printed output. Now my question is this:
(Note: the actual business logic is in a GenServer in |
test_login/2 is definitely the way to go. Keys.create is also good choice. Not sure off the top of my head what is wrong. feel free to send a work-in-progress pr to debug this issue. |
Ok. I will commit my files. Just note that the code is still in a mess and some function might be incomplete. |
@wojtekmach, I have created a draft PR at #1058. |
The Hexpm team is looking for a means of authenticating a hex client from the browser. The plan is to default to this new means of authentication and deprecate the Username/Password authentication. The github cli (https://github.com/cli/cli) had a similar problem. What they did was implement the device OAuth flow (https://datatracker.ietf.org/doc/html/rfc8628). I decided that a flow of that sort would work very well for Hexpm. However, Hexpm has no support for OAuth. So, I can only "mock" the device flow. This commit does the following: - Adds all the endpoints at the router for such a flow - Creates a controller - Add support for step 1 of the device flow - Adds tests for the above functionality See also: hexpm#1024, erlef/build-and-packaging-wg#21
José mentioned that you (the hexpm team) are interested in creating a means of authenticating the CLI from the browser. Could I get some more info on this please ?
/cc @josevalim
The text was updated successfully, but these errors were encountered: