-
Notifications
You must be signed in to change notification settings - Fork 465
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feat(app, iam): Implements Twitter OAuth as a Provider #87
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
- FYI this won't build on M1 Macbooks due to the new
microtime
dependency added bybroadcast-channel
-- i was able to bypass by forcing"node-gyp": "^9.0.0"
resolution - should clean up commit history before merging into main, unless you plan on squash-merging
95a843b
to
645996d
Compare
App: - twitter oauth redirect appears as a popup - callback variables (passed as query params in redirect back from twitter) are passed between windows - updates other card tests to remove unnecessary test data IAM Server: - add procedures/twitterOauth.ts to handle server-side OAuth 2.0 flow - implement providers/twitter.ts to verify a user's username given an oauth access code and session key we must implement OAuth flow server-side because Twitter API currently does not allow the bearer token request from a browser (CORS issue). this means the twitter stamp is a multi-step process: 1. app requests the authorization url from iam, prompts user to click through 2. when user clicks through to twitter, and approves the oauth request, twitter redirects user back to app 3. app collects access code and state (session key) from query parameters on the redirect 4. app passes in access code and session key with the actual verify request to iam. iam exchanges access code for an auth bearer token to verify user's twitter info, and verify flow proceeds as normal [#28]
…to install - caused by the `microtime` dependency used by `broadcast-channel` package, used in @dpopp/app - `microtime` does not build for M1 Mac architecture, and also does not have an available pre-built for M1 Mac - one fix is to force use of a later version of node-gyp (v9.0.0)
Running into issues running this locally. I might be missing something. I did the following:
|
What |
I added the following to the /app .env file NEXT_PUBLIC_DPOPP_TWITTER_CALLBACK=http://localhost:3000/ |
those look right. which |
NEXT_PUBLIC_DPOPP_IAM_URL=http://localhost:80/api/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! I have it running locally. I was able to add it to my passport. Shavina sent me the needed TWITTER_CLIENT_ID and TWITTER_CLIENT_SECRET for the /iam .env
This PR adds the Twitter oauth authentication flow into the app and iam.
In order to keep this as close to the other implementations as possible, we pass the front-end as the callback url, and keep the IAM *relatively stateless.
* The sdk from Twitter stores state of the verification process in private structs on the sdk instance itself which prevents us from keeping this process entirely stateless.
We must retain sdk instances between connections, so in order to prevent memory leaks, we have a solution whereby each instance is deleted after 60s to give the user a short amount of time to hit
authorise
- if they don't authorise in time, then the system will be unable to complete the verification and the process will fail.Connections/sessions are linked via a
state
variable that is generated by the IAM and passed through to Twitter and eventually theapp
as a queryString in a new window, which is then passed back to the original window via aBroadcastChannel
.--
Closes: #28