Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Panoptes.js: add lib-panoptes-js dev server, add experimental auth #6375

Open
wants to merge 23 commits into
base: master
Choose a base branch
from

Conversation

shaunanoordin
Copy link
Member

PR Overview

Package: lib-panoptes-js
Part of: replacing PJC with Panoptes JS

This PR is part of an experiment to remove PJC from FEM, replacing its functionality fully with making Panoptes JS (PanoptesJS? panoptes.js?)

This PR focuses on some small steps:

  • an experimental-auth.js file has been added to lib-panoptes-js
    • The plan: we'll copy PJC's auth, one bit of functionality at a time, into PanoptesJS's experimentalAuth. We'll eventually turn experimentalAuth into auth once we're confident all the features are working.
    • Features in this PR:
      • ✔️ event listener system is functional (addEventListener(), removeEventListener(), broadcastEvent() ; these are analogous to PJC's listen(), stopListening(), and emit())
      • 🛠️ basic sign in action is a WIP (goal: signIn() should, if given a valid username & password, return a Panoptes User resource. That's it.)
  • a dev server has been added to lib-panoptes-js
    • Run with yarn dev
    • Dev server serves a very basic form to test login.

Dev Notes

  • As noted on Slack discussions, I have issues with how Panoptes JS is supposed to (based on the documentation) be "stateless", which conflicts incredibly with how PJC's auth functionality handles login state. (My argument is that if we're moving login state handling to modules/packages that call Panoptes JS, then we're just basically moving the burden up to the modules/packages.)
  • Nonetheless, I'm trying a hybrid to see if I can stay (semi-)true to the Panoptes JS goals:
    • experimentalAuth exports functions, not a single instantiated object. (cf PJC's auth object)
    • each function in experimentalAuth has an optional store variable that can be specified by the calling module/function.
    • if a store isn't specified (which I imagine is the case 99% of the time), the functions use a default, shared, global store.

Status

Experimental WIP.

@shaunanoordin shaunanoordin marked this pull request as draft October 11, 2024 20:48
@eatyourgreens
Copy link
Contributor

eatyourgreens commented Oct 12, 2024

(My argument is that if we're moving login state handling to modules/packages that call Panoptes JS, then we're just basically moving the burden up to the modules/packages.)

But also remember that a stateful client has major bugs like zooniverse/panoptes-javascript-client#207 and zooniverse/panoptes-javascript-client#250.

This is old now, but have a look at packages/lib-auth on these branches:

@eatyourgreens
Copy link
Contributor

eatyourgreens commented Oct 12, 2024

Worth keeping this in mind for any new auth work, given that the password flow code in PJC is ten years old, and not very secure.

The Password grant type is a legacy way to exchange a user's credentials for an access token. Because the client application has to collect the user's password and send it to the authorization server, it is not recommended that this grant be used at all anymore.

https://oauth.net/2/grant-types/password/

The refresh token flow used to get access tokens for authenticated API requests is still secure.

https://oauth.net/2/grant-types/refresh-token/

@goplayoutside3
Copy link
Contributor

@eatyourgreens this is a draft PR and not ready for code review. Please refrain from commenting on draft PRs. While Zooniverse's frontend repos are open source, this PR is marked as a draft because Shaun, myself, and the frontend team are in ongoing discussions about auth and lib-panoptes-js. The context of those discussions is not always available in a draft/experimental PR such as this one, and commenting beyond the scope of this PR becomes unhelpful.

I see why you've opened #6376 based on auth development years ago, but I'm going to close it in favor of keeping this PR focused. Please trust that Shaun, myself, and the rest of the dev team have a plan for FEM, including whether or not to keep using oauth + passwords.

When commenting on Zooniverse Issues or PRs marked as ready for review, please keep comments focused on blocking code such as bugs or best practices that might have been missed while being mindful we're a very small dev team. We do our best to address website bugs and respond to comments on Github, but are working with limited resources and Zooniverse is a large web platform.

@shaunanoordin shaunanoordin force-pushed the remove-pjc-experiment-pt1 branch from 4c15f20 to 736a4eb Compare November 8, 2024 13:12
@shaunanoordin shaunanoordin force-pushed the remove-pjc-experiment-pt1 branch from d1c6eec to 78fd051 Compare November 19, 2024 18:52
@shaunanoordin shaunanoordin force-pushed the remove-pjc-experiment-pt1 branch from 9d2092d to 245060a Compare December 4, 2024 15:01
@shaunanoordin
Copy link
Member Author

PR Update

  • an experimental-auth.js file has been added to lib-panoptes-js
    • Plan: we'll copy PJC's auth, one bit of functionality at a time, into PanoptesJS's experimentalAuth. We'll eventually turn experimentalAuth into auth once we're confident all the features are working.
    • Slight change of plan: for this PR, we've dissected the "sign in" functionality enough to rework & improve it. We can also separate the "sign in" functionality into a standalone thing that we can test as a unit.
    • Features in this PR:
      • 🆕 ✔️ basic sign in action is functional. (See function: signIn())
        • if given a valid username & password, signIn() will return a Panoptes User resource, a bearer token (plus expiry time), and refresh token.
        • signIn() also considers a wide variety of errors, throwing them accordingly. (TODO: error design.)
      • ✔️ event listener system is functional (addEventListener(), removeEventListener(), _broadcastEvent() ; these are analogous to PJC's listen(), stopListening(), and emit())

Testing

Testing Sign In:

  • Run the new dev server: cd packages/lib-panoptes-js ; yarn dev
  • In a new incognito/private browsing window, open the dev page: https://local.zooniverse.org:8080/
    • You should see a simple page with a single login + password form.
  • Login using a Zooniverse staging test account. (Try zootester1)
    • Observe the results in the browser's dev console. *️⃣
    • You should see a returned User object, the bearer token, the refresh token, and the bearer token expiry.
  • Using new incognito/private browsing windows for the next scenarios, (because we haven't implemented signing out yet,) try...
    • Logging in with no login and/or no password. You should get an error message.
    • Logging in with an incorrect login or password. You should get an error message.
    • Logging in with a new account (e.g. zootester2) after already logged in as a different account (e.g. zootester1). You should get an error message.

Testing event listener system:

  • Examine the dev server code: packages/lib-panoptes-js/dev/index.js
  • Note that an event listener is added at addEventListener('change', this.onAuthChange)
  • When a user successfully logs in (as marked by *️⃣ in the test above), expect to see "onAuthChange" trigger and the text "Yahoo! We detected a change of user: ...(user)..."_ appear in the console.

Status

Delilah, Mark, Travis: this PR is now ready for internal review and discussion. The signIn() code has been excessively documented to help us all understand the login process, so please drop a note if anything is unclear. This will also be part of the planned "authentication presentation" on the next dev frontend standup.

Next steps:

  • Use saved bearer token & refresh tokens to gain/regain auth access.
  • Add Sign Out functionality.

@shaunanoordin shaunanoordin marked this pull request as ready for review December 6, 2024 00:05
@shaunanoordin shaunanoordin requested a review from a team December 6, 2024 18:44

const request3 = new Request(`https://panoptes-staging.zooniverse.org/oauth/token`, {
body: JSON.stringify({
client_id: '535759b966935c297be11913acee7a9ca17c025f9f15520e7504728e71110a27',
Copy link
Contributor

@eatyourgreens eatyourgreens Dec 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apps like Community Catalogue, which use @zooniverse/panoptes-js, will need to pass in their own client ID here.

Copy link
Contributor

@eatyourgreens eatyourgreens Dec 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Roger's auth client used a pattern like

const myAuthClient = new AuthClient({ clientId })

which might work here too.

*/
}

export {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You’ll need to change the package type to module if you want to use export in Node. PJC only runs in browsers but lib-panoptes-js is used in Node and in browsers.

@shaunanoordin shaunanoordin changed the title Panoptes JS: add lib-panoptes-js dev server, add experimental auth Panoptes.js: add lib-panoptes-js dev server, add experimental auth Dec 10, 2024
@shaunanoordin
Copy link
Member Author

PR Update

I've just merged PR #6527 to this branch, which adds a bunch of improvements:

  • Output & "error handling" for Event Listener functions:
    • addEventListener() no longer throws errors.
    • addEventListener() and removeEventListener() now returns true/false if the action succeeded/failed.
  • Documentation: the Sign In and Event Listener functions now have full documentation.
  • Code cleanup: unnecessary PJC reference code removed.
  • Dev Server/Dev Test Page:
    • Dev test page now displays success and/or error messages on the web page itself, so we don't need to look at the dev console to see wtf is happening.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants