Add Eventbrite Authentication #38
Conversation
Upstream Upate with LinkedIn
In production its best to go with a docker image that is nailed down to its patch number , very useful duing debugging
Instagram Addition
Added Eventrbite OAuth 2.0 to the list of authentication mechanism
The merge conflict resolution added an extra space before the square bracket which tripped standard js
src/strategies/eventbrite.js
Outdated
| username, | ||
| name: displayName, | ||
| provider: 'eventbrite', | ||
| email: emails[0].value |
There was a problem hiding this comment.
up to now, email is not included in public profile, since it it considered private information. the profile is not http-only and thus is more likely to be subject to an evil script / "attack".
There was a problem hiding this comment.
You are right ...I just realized that we dont require the email per se but rather we can have the Eventbrite userId in the username.
index.js
Outdated
| @@ -4,6 +4,8 @@ const cookieParser = require('cookie-parser') | |||
| const expressSession = require('express-session') | |||
| const MemoryStore = require('session-memory-store')(expressSession) | |||
|
|
|||
| require('dotenv').config() | |||
There was a problem hiding this comment.
not sure if we really should use it... do you have some hoster/deployment scenario which honors this way to pass env?
There was a problem hiding this comment.
The use is mostly for local deployment or when not using Docker ....especially when we are deploying directly to cloud like EC2 instances, we can just deploy .env file along with the production bundle
|
besides comments 💯 |
Since the email stored is not secure and could be misused, we should not use email but rather store Eventbrite user id Closes lipp#39
package.json
Outdated
| @@ -35,6 +36,7 @@ | |||
| "cookie-parser": "^1.4.3", | |||
| "express": "^4.14.0", | |||
| "express-session": "^1.14.2", | |||
| "dotenv-extended": "^2.0.1", | |||
There was a problem hiding this comment.
do we really need this? isn't dotenv enough?
| @@ -39,7 +39,7 @@ const Index = ({profile, origin}) => ( | |||
| <h2 className='subtitle is-4'> | |||
| Stateless authentication microservice for | |||
| <ul> | |||
| {['Twitter', 'Facebook', 'Google', 'GitHub', 'Reddit', 'LinkedIn', 'Instagram'].map(name => <Item name={name} key={name} />)} | |||
| {['Twitter', 'Facebook', 'Google', 'GitHub', 'Reddit', 'LinkedIn', 'Instagram', 'Eventbrite'].map(name => <Item name={name} key={name} />)} | |||
There was a problem hiding this comment.
I will not feature every login strategy on the demo page. Could you remove this?
There was a problem hiding this comment.
I am in two minds about this
- If there is a particular strategy thats implemented within the login-with mircoservice, it should follow that there should be a button that will enable that authentication.
- It is unreasonable to expect everyone to enable buttons for ALL auth strategies
=> The auth buttons that are needed to be enabled or disabled should be configurable.
Also the URL in the example is hardcoded for it to make a call to login.login-with.com for auth calls, this too should be configurable because it will help others to test their added strategy on their own domain before pushing it unto upstream repo
There was a problem hiding this comment.
The login-with.com page (and the related demo code) is not meant to be deployed by anyone else.
The respective user / developer can configure which strategies to use via environment variables.
To test a specific strategy, you can directly connect (from browser) to your auth endpoint (e.g. auth.login-with.com/twitter or auth.your-service.com/eventbrite)
There was a problem hiding this comment.
-
But on the login-with site, no one will know ALL the strategies that have been implemented. I thinks its in the best interest of this OSS project to advertise all the strategies it supports.
PS: I do not have a skin in the game nor do i rep Eventbrite. Its just that we run a OSS meetup group and we use EB for our checkins and we are building an OSS app to do this automatically. -
Also test not just the API but test it as a consumable from an app[which is its actual purpose] which the nextjs is ideal...since we can compare the behaviour across strategies.
| @@ -26,7 +26,7 @@ const Login = ({profile, origin}) => { | |||
| const redirect = encodeURIComponent(origin + '/') | |||
| return ( | |||
| <div className='section'> | |||
| { !profile && ['Twitter', 'Google', 'GitHub', 'Reddit', 'Facebook', 'LinkedIn', 'Instagram'].map(service => ( | |||
| { !profile && ['Twitter', 'Google', 'GitHub', 'Reddit', 'Facebook', 'LinkedIn', 'Instagram', 'Eventbrite'].map(service => ( | |||
There was a problem hiding this comment.
I will not feature every login strategy on the demo page. Could you remove this?
| @@ -87,8 +88,8 @@ must be: `https://login.yourdomain.com/facebook/callback` | |||
| You need to create your own LinkedIn OAuth2 application. If `LW_SUBDOMAIN=login.yourdomain.com` your Authorization callback URL | |||
| must be: `https://login.yourdomain.com/linkedin/callback` | |||
|
|
|||
| - `LW_LINKEDIN_CLIENTID` - Your Google Client ID | |||
|
we can keep dotenv in... just wanted to know why dotenv-extended is required. |
Modified environment variable names as per the eventbrite.js strategy…
No description provided.