Implement login #6

Closed
kasbah opened this issue Dec 22, 2019 · 21 comments · Fixed by #18
Labels: enhancement (New feature or request)

Comments


kasbah commented Dec 22, 2019

We'll want to hide away most of gitea and allow logging in via our own frontend. Ideally we can also enable "login with github/facebook/google".

@kasbah kasbah added the enhancement New feature or request label Dec 22, 2019

kasbah commented Jul 13, 2020

To add some more details on this, the way authentication works is:

  1. nginx routes GET requests for the apex domain, which is http://kitspace.test:3000 in development, internally to http://gitea:3000/__kitspace
  2. Gitea authenticates the user, attaches the session as a body to the GET request and sends that to the "frontend", which is our NextJS server
  3. NextJS reads the session from the body and adds it to the internal NextJS request data
  4. It's then accessible both server-side and client-side in React

Gitea runs on http://gitea.kitspace.test:3000 and internally on http://gitea:3000. The first one is used on the client-side and the second one on the server-side. You need to send the same POST requests that are sent when you use http://gitea.kitspace.test:3000/login but we want to use the NextJS "frontend" and have our own login form on http://kitspace.test:3000/login

@AbdulrhmnGhanem AbdulrhmnGhanem self-assigned this Jul 13, 2020
AbdulrhmnGhanem (Member) commented

To make sure I get you clearly: we are going to hook our custom forms (sign in, sign up) to the Gitea endpoints (/user/login/, /user/forgot_password/, /user/sign_up/).


AbdulrhmnGhanem commented Aug 22, 2020

The issue with forwarding the request to /user/login, etc. is that it returns an HTML response, not JSON. I tried with Postman.
Or are we going to use the API endpoint /api/v1/admin/user/?
User management requires being authorized as an admin, which needs an access token attached to the request. Doing this from the frontend will expose the access token. How are we going to work around this? Can we do this on the Nginx level?


kasbah commented Aug 22, 2020

Adding your quote from matrix/element chat:

  • The initial plan was to forward the request from our site /login/ to Gitea's /user/login/. The issue is that the response from Gitea is HTML, not JSON, which will make further processing of the data tedious and will require parsing the document. I think this is a bad approach.
  • An alternative plan would be to use a reverse proxy to route Kitspace /login/ to Gitea's api/v1/admin/user/, but the admin endpoint requires being authorized as an admin. We can't put the access token or the header in the frontend, so we have to add it through the reverse proxy.
  • For login we can create access tokens through api/v1/{user}/tokens/, yet we have to manage the whole JWT thing on the frontend ourselves.
  • I haven't figured out how reset password is going to be handled.
  • some relevant links:


kasbah commented Aug 22, 2020

Thanks @AbdulrhmnGhanem. Some thoughts:

  • Have you tried setting an Accept: application/json header?
  • Can we make do with the HTML response? (I know it's not ideal, but it could still work.)
  • Another option might be writing our own login endpoint in Gitea.

Anything that requires admin is a no-go in my book. I don't think we should ever use the /admin endpoint for user related things.

You should make a WIP: pull-request with your branch by the way. It makes it easier to review the code in one place.
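An added example, not code from the Kitspace project or from Gitea, of the approach discussed in this thread (kasbah's Jul 13 description of replaying the same POST that Gitea's own login form sends, and the points above about the Accept header and never using the admin endpoint): the login form posts to our own server, which forwards the fields to Gitea's internal URL and relays only the session cookie back to the browser, so no Gitea admin token ever reaches the client. Assumed, not taken from the page: the internal URL http://gitea:3000, the form field names user_name/password/_csrf (the CSRF token would be obtained by fetching Gitea's login page server-side first), the session cookie name i_like_gitea (Gitea's default, configurable), and that Gitea signals a successful login with a redirect plus a fresh session cookie.

```javascript
// Added example (not Kitspace's or Gitea's own code): the server side of a
// custom login form. The browser posts to our own /login; this code forwards
// the same fields to Gitea's internal /user/login and relays only the session
// cookie back, so the client never holds a Gitea admin token.
// Assumptions: internal URL http://gitea:3000, form fields user_name/password/_csrf,
// session cookie name i_like_gitea (Gitea's default, configurable).

const GITEA_INTERNAL = 'http://gitea:3000';
const SESSION_COOKIE = 'i_like_gitea';

// Build the request that replays Gitea's own login form POST.
function buildGiteaLoginRequest(username, password, csrf) {
  // URLSearchParams encodes the values, so a password containing '&' or '='
  // cannot smuggle extra form fields into the forwarded body.
  const body = new URLSearchParams({ user_name: username, password, _csrf: csrf });
  return {
    url: `${GITEA_INTERNAL}/user/login`,
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded',
      // kasbah's suggestion from the thread; Gitea may still answer with HTML,
      // so nothing below depends on the body format.
      Accept: 'application/json',
      Cookie: `_csrf=${csrf}`,
    },
    body: body.toString(),
    // A 302 is treated as Gitea's "logged in" signal; following it would lose
    // the Set-Cookie headers we need and fetch an HTML page we do not.
    redirect: 'manual',
  };
}

// Split a Set-Cookie header into name and value, ignoring its attributes.
function parseSetCookie(raw) {
  const [pair] = raw.split(';');
  const eq = pair.indexOf('=');
  if (eq < 0) return null;
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim() };
}

// Re-issue the Gitea session cookie on our own domain with hardened attributes.
// Every other cookie Gitea sets (lang, _csrf, ...) is dropped on purpose.
function relaySessionCookie(setCookieHeaders, { secure = true } = {}) {
  for (const raw of setCookieHeaders) {
    const c = parseSetCookie(raw);
    if (!c || c.name !== SESSION_COOKIE) continue;
    const attrs = ['Path=/', 'HttpOnly', 'SameSite=Lax'];
    if (secure) attrs.push('Secure');
    return `${c.name}=${c.value}; ${attrs.join('; ')}`;
  }
  return null;
}

// Decide success without parsing Gitea's HTML: a redirect plus a session cookie
// means the credentials were accepted (assumption); a 200 means Gitea re-rendered
// the form, i.e. the login failed, even if some cookie was set.
function classifyGiteaLogin(status, setCookieHeaders) {
  const cookie = relaySessionCookie(setCookieHeaders);
  if (status >= 300 && status < 400 && cookie) return { ok: true, cookie };
  return { ok: false, cookie: null };
}

// Glue for a Node/Next.js API route (not exercised here): fetch is global in
// Node 18+, Headers.getSetCookie() in Node 20+; older versions get no cookies.
async function handleLogin(username, password, csrf) {
  const req = buildGiteaLoginRequest(username, password, csrf);
  const res = await fetch(req.url, req);
  const setCookies = typeof res.headers.getSetCookie === 'function'
    ? res.headers.getSetCookie()
    : [];
  return classifyGiteaLogin(res.status, setCookies);
}
```

The route handler would call handleLogin with the form fields from the browser's POST and, on ok, write the returned cookie into its own Set-Cookie header; the internal Gitea hostname and any credentials stay on the server, which is the part of this thread's concern the proxy actually addresses.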

AbdulrhmnGhanem (Member) commented

  • Another option might be writing our own login endpoint in Gitea.

Can you elaborate on this?


kasbah commented Aug 22, 2020

Dig into the Gitea source a bit and replicate what's done on /user/login but return JSON. Was just taking a look, maybe it's in this source file? https://github.com/go-gitea/gitea/blob/master/routers/user/auth.go

AbdulrhmnGhanem (Member) commented

Yeah, it seems like the right file. Bad news: it explicitly returns HTML. Are you familiar with Go? I've never used it before; I'll see if I can find a resource to get me up to speed rapidly.

  • Can we make do with the HTML response (I know it's not ideal, but it could still work).

I'm quite comfortable with the original python BeautifulSoup so I'll consider JSSoup.


kasbah commented Aug 22, 2020

I tend to use learnxinyminutes.com for languages I need to hack something in but am not familiar with. https://learnxinyminutes.com/docs/go/

Alright, JSSoup looks interesting actually. I'm constantly on the search for a nice JS HTML lib that you can use server and client side. Cheerio is still the best I've found but I'm not happy with it.

AbdulrhmnGhanem (Member) commented

I'm afraid it needs node to work so it can't be used in the frontend. 😥


kasbah commented Aug 22, 2020

Right, well, if that's all you need for now and it makes it easier for you then I'm still fine with it.

AbdulrhmnGhanem (Member) commented

I found the HTML-parsing approach will add a chain of 6 requests until the response gets to the client, compared to 2 requests using a custom Gitea endpoint. I didn't consider the proxy server as a stage in both cases. Furthermore, it'll make the JWT part a bit crazy. Let's see what I can do.

AbdulrhmnGhanem (Member) commented

Closed by #18.

@kasbah kasbah closed this as completed Dec 18, 2020