Added oauth2 to authenticate and added documentation for it. #29
Conversation
| if (!useOauth2) { | ||
| // earlier an IIFE. But now, this is called only in case of client_credentials | ||
| accessTokenPromise(); | ||
| } |
There was a problem hiding this comment.
I think this code would really benefit from having a clear separation between the client credentials code and the authorization code code. maybe something like a switch statement over the new grantType argument which contains the relevant pieces.
There was a problem hiding this comment.
Called by default while initializing so as to acquire a token right away. This is just a single case. We cant get the token right away in case of authorization_code
src/splitwise.js
Outdated
| } | ||
| } | ||
| else | ||
| this.getAccessToken = () => accessTokenPromise; |
There was a problem hiding this comment.
would this still work sinceit's not an IIFE anymore?
|
Hi Keri! I have resolved the comments and replied to the ones that needed answers. Please let me know if anything else needs to be changed. |
|
hi! @omkarsk98 sorry for the delay - I was on vacation. I implemented a test oauth application, and it more or less worked so fantastic job!!
|
|
Hi @keriwarr. Thanks for the update. Happy to modify!
|
| consumerSecret: 'your secret here', | ||
| grant_type: 'authorization_code', | ||
| redirect_uri: 'your redirect_uri' | ||
| state: 'your state' // OPTIONAL. But we strongly recomend to have a state parameter and verify it later on as mentioned below |
There was a problem hiding this comment.
ah, this won't work, the state must be distinct for every attempted authentication
There was a problem hiding this comment.
@keriwarr oh yaa! I get it. so how about the client supplies a function that will generate state everytime? But do we expose this state to the client so that they can verify it? Because passing a static state will always result in having the same state for each auth request.
There was a problem hiding this comment.
I think the client should just supply the state individually for each request. We would have to expose it - not just so that they can verify it - it might be used to store information about how the user initiated the original request (such as which page to redirect back @omkarsk98
There was a problem hiding this comment.
@keriwarr Got it. So this is my understanding. Correct me if I am wrong. we add a state key in getAuthorizationUrl. If that is present, we use that, else we generate our state and we expose getState for both the cases?
There was a problem hiding this comment.
That's what i was originally thinking, but i re-read the OAuth spec for the "state" parameter, and my new understanding is that in order to verify the state, it's insufficient to check that it matches the outgoing state, you actually have to check that the user for whom you generated the auth url is the same user who visited the callback. Our library isn't in a position to do that so we have to leave it to the client, meaning that we shouldn't generate a state, we should require the client to generate one. Moreover, the client will receive the state from the inbound callback request, so we shouldn't need to provide a getState mechanism. Indeed, we might not be able to as in theory there could be many users doing oauth authentication at the same time - how would we store all their different states and keep them disentangled without knowing who they are?
| return this.state; | ||
| } | ||
|
|
||
| this.getAuthorizationUrl = () => { |
There was a problem hiding this comment.
i would probably do something like adding state as an argument to this method
| redirect_uri, | ||
| scope: '', | ||
| state: generateState(), | ||
| state, |
There was a problem hiding this comment.
and then this could be state || generateState()
nvm, as above, we probably don't want to generate state
| return new Promise((resolve, reject) => { | ||
| if(!this.authCode) | ||
| return reject(`No auth code generated yet. Visit ${this.getAuthorizationUrl()} and login. You need a callback url in your project as mentioned in callback url in your registered splitwise app. Then call \`getAccessToken()\` to register the access token.`); | ||
| if(this.accessToken) return resolve(this.accessToken); |
There was a problem hiding this comment.
Ah sorry, I realize now this might not work either. What we have to remember is that with the client_credentials flow, the client will be receiving authorization on behalf of exactly one person (the person owning the credentials) so it makes sense to store data on this, however in the authorization_code flow, we have 1 client <=> 1 instance of this library <=> many users, which means that there isn't just one access token, there are many. This line here would give away the access token of the first user who authenticates to whoever comes next, a security problem! In general, we should probably entirely avoid using this for any code that handles authorization_code flow
There was a problem hiding this comment.
@keriwarr Yaa I thought about this. With this, our clients will need to use the authorization_code to allow multiple users interaction. Because, with client_credentials, client can just use his/her account only. As it logs into his own account be default. So authorization_code would become mandatory in case of multiple users.
Like wise, talking about the state, it should be supplied in getAuthorizationUrl and then once logged in, we would give away the access token and we wont have track of it at all as multiple users would be interacting with the client.
So, summing up,
- We can remove the use of this but we wont have the access_token and then the client will have to supply the access_token for each function. Not a good idea
- Client can generate and share the state and we wont have to deal with it at all. Better for both, client as well as the library.
- Else, to track the state, we can have a redis connection to persist the state. But to which user does it belong to?
Also, as per you, will this library be used for a project of multiple users?
Added option oauth2. Initialize the Splitwise object using
useOauth2: trueandredirect_uri. Additional documentation added in the README.