Rebrand hooks to workflow(s) #50

Closed
aeneasr opened this issue Jul 25, 2019 · 2 comments · Fixed by #349
Labels: package/selfservice (Affects selfservice components), package/2fa (Affects 2FA components), rfc (A request for comments to discuss and share ideas)

aeneasr commented Jul 25, 2019

Hooks (selfservice.login.(before|after)) determine how hive should behave when a login or registration was completed without an error state. They do not modify the actual data of the identity and/or session. Therefore, they should be called "workflow" and "workflow step/handler/runner/part/item" from now on.

Example: Password Registration

In this example, we want the user to be immediately signed in and redirected to our home page after registering a new account using email/password.

Configuration:

selfservice:
  registration:
    after:
      password:
      - run: session
      - run: redirect
        config:
          default_redirect_url: http://example.com/welcome
          allow_user_defined_redirect: true # Allows "return_to" feature


Example: Password Registration with (Email/Phone) Verification before login

In this example, we want the user to activate his/her account (by verifying the email or phone) before being able to sign in to our platform using email/password.

Configuration:

selfservice:
  registration:
    after:
      password:
      - run: verify
      - run: redirect
        config:
          default_redirect_url: http://example.com/please-active-account.html
          allow_user_defined_redirect: false
  login:
    after:
      password:
      - run: verify # enforce that at least one email or phone is verified
      - run: session
      - run: redirect
        config:
          default_redirect_url: http://example.com/welcome


Example: Password Registration with (Email/Phone) Verification and immediate Login

Alternatively, we could want our new users to be signed in immediately after registration, but still require email verification. The welcome page would then, for example, show a red notification bar with "please verify your email".

Configuration:

selfservice:
  registration:
    after:
      - run: verify
      - run: session
      - run: redirect
        config:
          default_redirect_url: http://example.com/welcome.html
          allow_user_defined_redirect: true

Example: Password Registration with JSON Response

In this example, we would expect an application/json response. This could be used for native apps, for example.

Configuration:

selfservice:
  registration:
    after:
      password:
      - run: json

Example: Disallow Registration during Weekdays

We might want to disallow registration during weekdays:

selfservice:
  registration:
    before:
      password:
      - run: json-rpc
        url: http://api.example.com/workflows/before-registration

before-registration.js

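const route = (r, w) => {
  // getDay(): 0 = Sunday ... 6 = Saturday
  const day = new Date().getDay()
  const isWeekDay = day >= 1 && day <= 5
  if (isWeekDay) {
    w.send(403) // reject the registration
    return
  }
}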

Example: Disallow Registration based on external service

Assuming we want to forbid registration because some upstream system (e.g. CRM) says "no" to the identity data.

selfservice:
  registration:
    after:
      password:
      - run: json-rpc
        url: http://api.example.com/workflows/after-registration

after-registration.js

const route = (r, w) => {
  // reject when the CRM does not allow this identity
  if (!checkIfAllowedByCRM(r.body.identity)) {
    w.send(403) // this will tell hive to delete the identity
    return
  }
}

Example: Create user at Stripe after Login / Registration

selfservice:
  login:
    after:
      password:
      - run: json-rpc
        url: http://api.example.com/workflows/stripe
  registration:
    after:
      password:
      - run: json-rpc
        url: http://api.example.com/workflows/stripe

stripe.js

const route = (r, w) => {
  const user = r.body.identity.id
  const stripeData = createUserAtStripe(user)

  w.json({ traits: { stripe: stripeData } })
}

Example: enforced 2FA

Here we're using the built-in 2fa module:

selfservice:
  login:
    after:
      password:
      - run: 2fa
  registration:
    after:
      password:
      - run: 2fa

hive/2fa.go

if hasExecuted2FA(ctx.Request) {
	// second factor already completed for this request
	session.Enhance("I am now 2fa yay")
	return nil
} else if has2faEnabled(ctx.Request) {
	return ErrorRedirect("https://example.org/2fa-login")
}
// 2FA is not enabled yet: send the user to setup
return ErrorRedirect("https://example.org/2fa-setup")

Example: contextual 2FA (e.g. based on source ip)

Assuming there is some context for our 2fa like a non-internal network ip.

selfservice:
  login:
    after:
      password:
      - run: json-rpc
        url: http://api.example.com/workflows/2fa
  registration:
    after:
      password:
      - run: json-rpc
        url: http://api.example.com/workflows/2fa

2fa.js

if (ipRange !== "192.168.0.0/24") {
  if (!hive.is2faEnabled(r.query.request)) {
    // 2FA is not set up yet
    send({ redirect_to: "https://example.org/2fa-setup" })
  } else if (hive.is2faEnabled(r.query.request)) {
    // 2FA is set up: ask for the second factor
    send({ redirect_to: "https://example.org/2fa-login" })
  } else {
    send(200)
  }
}
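
Added example, not part of the issue or of the project's code: one way to make the source-IP condition of the contextual 2FA hook concrete, using real CIDR containment instead of a string comparison and failing closed on unparsable addresses. The function names, the `sourceIp`/`enabled`/`completed` fields and the `{ status: 200 }` return shape are assumptions for illustration.

```javascript
// Added example; field names and return shapes are assumptions, not hive's API.
const INTERNAL_CIDR = "192.168.0.0/24"

// Parse dotted-quad IPv4 into an integer; null when malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".")
  if (parts.length !== 4) return null
  let n = 0
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null
    n = n * 256 + Number(p)
  }
  return n
}

// True when ip lies inside the IPv4 network given as "a.b.c.d/bits".
function inCidr(ip, cidr) {
  const [base, bitsText] = String(cidr).split("/")
  if (!/^\d{1,2}$/.test(bitsText || "") || Number(bitsText) > 32) return false
  const ipInt = ipv4ToInt(ip)
  const baseInt = ipv4ToInt(base)
  if (ipInt === null || baseInt === null) return false
  const size = 2 ** (32 - Number(bitsText)) // number of addresses in the network
  return Math.floor(ipInt / size) === Math.floor(baseInt / size)
}

// sourceIp must be the peer address seen by a trusted proxy or listener,
// not a client-supplied header. An unparsable address counts as external,
// so the hook fails closed and still demands the second factor.
function decide2fa({ sourceIp, enabled, completed }) {
  if (inCidr(sourceIp, INTERNAL_CIDR)) return { status: 200 }
  if (!enabled) return { redirect_to: "https://example.org/2fa-setup" }
  if (!completed) return { redirect_to: "https://example.org/2fa-login" }
  return { status: 200 }
}
```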
@aeneasr aeneasr added module:docs package/selfservice Affects selfservice components labels Jul 25, 2019
@aeneasr aeneasr added this to the v0.0.1 milestone Jul 25, 2019
@aeneasr aeneasr self-assigned this Jul 25, 2019
aeneasr commented Jul 25, 2019

Workflow state machine


Legend:

  • Dotted lines represent internal state changes
  • Solid lines represent state changes executed by the user agent (e.g. browser) of the end user
  • customer.com is the application controlled by the "customer" (adopter) of hive. It's where custom UIs are hosted, for example.

Post-registration

Post-login

Stratosphere View


@aeneasr aeneasr modified the milestones: v0.0.1, v0.0.2 Aug 6, 2019
@aeneasr aeneasr modified the milestones: v0.0.2, v0.0.1 Nov 4, 2019
aeneasr commented Jan 28, 2020

We call them workflow and jobs in the docs; in the code it's still "hooks". But we can move this to the next release.

@aeneasr aeneasr added rfc A request for comments to discuss and share ideas. package/2fa Affects 2FA components labels Feb 1, 2020
aeneasr added a commit that referenced this issue Apr 15, 2020
This patch focuses on refactoring how self-service flows terminate and
changes how hooks behave and when they are executed.

Before this patch, it was not clear whether hooks run before or
after an identity is persisted. This caused problems with multiple
writes on the HTTP ResponseWriter and other bugs.

This patch removes hooks from after login, registration, and profile flows.
Per default, these flows now respond with an appropriate payload (
redirect for browsers, JSON for API clients) and deprecate
the `redirect` hook. This patch includes documentation which explains
how these hooks work now.

Additionally, the documentation was updated. Especially the sections
about hooks have been refactored. The login and user registration docs
have been updated to reflect the latest changes as well.

Also, some other minor, cosmetic, changes to the documentation have been made.

Closes #348
See #347
See #179
Closes #51
Closes #50
Closes #31

BREAKING CHANGE: Please remove the `redirect` hook from both login,
registration, and settings after configuration. Please remove
the `session` hook from your login after configuration. Hooks
have moved down a level and are now configured at
`selfservice.<login|registration|settings>.<after|before>.hooks`
instead of
`selfservice.<login|registration|settings>.<after|before>.hooks`.
Hooks are now identified by `hook:` instead of `job:`. Please
rename those sections accordingly.
aeneasr added a commit that referenced this issue Apr 15, 2020
This patch focuses on refactoring how self-service flows terminate and
changes how hooks behave and when they are executed.

Before this patch, it was not clear whether hooks run before or
after an identity is persisted. This caused problems with multiple
writes on the HTTP ResponseWriter and other bugs.

This patch removes certain hooks from after login, registration, and profile flows.
Per default, these flows now respond with an appropriate payload (
redirect for browsers, JSON for API clients) and deprecate
the `redirect` hook. This patch includes documentation which explains
how these hooks work now.

Additionally, the documentation was updated. Especially the sections
about hooks have been refactored. The login and user registration docs
have been updated to reflect the latest changes as well.

Also, some other minor, cosmetic, changes to the documentation have been made.

Closes #348
See #347
See #179
Closes #51
Closes #50
Closes #31

BREAKING CHANGE: Please remove the `redirect` hook from both login,
registration, and settings after configuration. Please remove
the `session` hook from your login after configuration. Hooks
have moved down a level and are now configured at
`selfservice.<login|registration|settings>.<after|before>.hooks`
instead of
`selfservice.<login|registration|settings>.<after|before>.hooks`.
Hooks are now identified by `hook:` instead of `job:`. Please
rename those sections accordingly.