Add idp endpoints to FTW server #1365
Conversation
OtterleyW
force-pushed
the
social-logins
branch
from
d129a75
to
b861f0e
Compare
OtterleyW
force-pushed
the
add-idp-endpoints-to-server
branch
from
75d08d9
to
e5d7fc3
Compare
server/apiRouter.js
Outdated
| @@ -16,6 +16,8 @@ const transactionLineItems = require('./api/transaction-line-items'); | |||
| const initiatePrivileged = require('./api/initiate-privileged'); | |||
| const transitionPrivileged = require('./api/transition-privileged'); | |||
|
|
|||
| const createWithIdp = require('./api/auth/createWithIdp'); | |||
There was a problem hiding this comment.
Or is it omitted on purpose?
There was a problem hiding this comment.
We are using authWithIdp only internally in FTW server (e.g. here: https://github.com/sharetribe/ftw-daily/pull/1366/files#diff-c2569a98b269447cc716700472d37356R51) so there is no specific need for adding a route for it.
First I had the authWithIdp under api-util instead of api/auth but that felt also confusing.
server/api/auth/authWithIdp.js
Outdated
| // after showing a confirm page to user | ||
|
|
||
| res.cookie( | ||
| 'authinfo', |
There was a problem hiding this comment.
We should document our cookies somewhere. Previously, we had just 2 cookies of our own (sdk & cookie-consent cookie). Then integrations brought their own cookies: Stripe, map provider, etc.
This specific info should be cleared from cookies (at least, on logout)
https://github.com/sharetribe/ftw-daily/blob/master/src/reducers.js
server/api/auth/createWithIdp.js
Outdated
| .end(); | ||
| }) | ||
| .catch(e => { | ||
| handleError(res, e); |
There was a problem hiding this comment.
What happens to cookie?
(I assume that it should be cleared here (and ensure it also on logout)
There was a problem hiding this comment.
The cookie will be cleared if the authentication is successful or it will expire after 15 min (or this time can be changed).
I'm not sure if the cookie should be cleared here when there is an error because then the user is not able to try the confirm step again. E.g. the error could be a conflicting email and then the user could try again with a different email (but I'm not sure how likely something like this would happen. One scenario would be that user has signed up with the same email as in e.g. Facebook but not verified the email address yet and for some reason they would decide to use different email in Flex).
server/api/auth/authWithIdp.js
Outdated
| maxAge: 15 * 60 * 1000, // 15 minutes | ||
| } | ||
| ) | ||
| .redirect(`${rootUrl}/login#`); |
There was a problem hiding this comment.
This is assuming that the web app has a route called "login" and customizers haven't changed the route configuration.
would send work instead -> i.e. let web app worry about its own routing?
OtterleyW
force-pushed
the
add-idp-endpoints-to-server
branch
from
e5d7fc3
to
85bec53
Compare
OtterleyW
force-pushed
the
social-logins
branch
2 times, most recently
from
528af30
to
927c290
Compare
OtterleyW
force-pushed
the
add-idp-endpoints-to-server
branch
from
85bec53
to
5e1d608
Compare
This PR adds
authWithIdpandcreateWithIdpendpoints to FTW server which enables authenticating and signing up to Flex using access token from 3rd party identity provider (e.g. Facebook or Google)When done, this branch will be merged to social-logins base branch.