Implemented auth api
All auth api routes must be accessed via post with json data as post body.
The "/auth/login" route will resolve the provider and return its name and type. If the provider is an implemented oauth provider, it will also return the authorization url. Post parameters: email (the email address to authenticate), reauth (if the address is already authenticated, shall it be reauthenticated?; boolean, optional)
The next step is based on the provider type returned by the route above.
If the provider type is oauth:
- If the provider name is gmail we must access "/auth/gmail" route, providing the authorization code received from accessing the link returned by the "/auth/login" route. If the code is valid the email address will be authenticated with inbox else an error will be returned. Post parameters: email, code(authorization code)
- If provider name is outlook: "/auth/outlook" - same as above, only for outlook accounts
If the provider type is generic:
- A generic provider means that inbox already has the imap settings for the given provider. The "/auth/generic" route does the trick for this. Post parameters: email, password.
If the provider type is custom:
- Unknown provider, inbox does not have the predefined imap settings for this provider. The "/auth/custom" route handles this type of providers. Post parameters: email, password, imap_server_host, imap_server_port(optional, default 993), smtp_server_host, smtp_server_port(optional, default 587).
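The dispatch described in this post, as an added example that is not part of the pull request: a client-side helper that picks the follow-up route and sends only the parameters that route lists. The response keys `type` and `name` and the helper names are assumptions; the routes, parameters and default ports are the ones given above.

```python
# Added illustration, not code from the pull request.
# Assumption: the /auth/login response is JSON with keys "type" and "name".
DEFAULT_IMAP_PORT = 993
DEFAULT_SMTP_PORT = 587
OAUTH_ROUTES = {"gmail": "/auth/gmail", "outlook": "/auth/outlook"}


def _require(params, *keys):
    """Return only the named parameters, failing if any is absent or empty."""
    missing = [k for k in keys if not params.get(k)]
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(missing))
    return {k: params[k] for k in keys}


def _port(params, key, default):
    """Apply the documented default and reject values outside the TCP range."""
    port = int(params.get(key, default))
    if not 1 <= port <= 65535:
        raise ValueError(f"{key} out of range: {port}")
    return port


def next_auth_request(login_response, email, **params):
    """Return (route, json_body) for the step that follows /auth/login."""
    ptype = login_response.get("type")
    name = login_response.get("name")
    body = {"email": email}
    if ptype == "oauth":
        if name not in OAUTH_ROUTES:
            raise ValueError(f"unsupported oauth provider: {name!r}")
        # Only the authorization code is sent; a password is never forwarded.
        body.update(_require(params, "code"))
        return OAUTH_ROUTES[name], body
    if ptype == "generic":
        body.update(_require(params, "password"))
        return "/auth/generic", body
    if ptype == "custom":
        body.update(_require(params, "password", "imap_server_host",
                             "smtp_server_host"))
        body["imap_server_port"] = _port(params, "imap_server_port",
                                         DEFAULT_IMAP_PORT)
        body["smtp_server_port"] = _port(params, "smtp_server_port",
                                         DEFAULT_SMTP_PORT)
        return "/auth/custom", body
    raise ValueError(f"unknown provider type: {ptype!r}")
```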
Hi @StefanIvanciuc. Thanks for this patch! It has a lot of good ideas, but I think we want to implement this functionality in a different way.
We'd like to keep the OAuth flow out of the open source REST API. Because this code is AGPL licensed, we need to have a clearly defined interface that doesn't directly link a 3rd party developer's codebase. Also, given that the API doesn't have any security, it's unwise to open the OAuth flow to the public internet (which is required for the Google callback).
I haven't had the time to fully implement this, but I'd like to add a few endpoints under /account_manager:
- PUT /account_manager with a JSON body that includes:
  - first_name
  - last_name
  - email_address
  - imap_host
  - imap_port
  - smtp_host
  - smtp_port
  - auth_type (oauth or plain)
  - password
- GET /account_manager which returns a list of all account objects
- GET /account_manager/<account_id> which returns a specific account object
- PUT /account_manager/<account_id> which will update an account object.
  - optionally include active true/false to enable or disable syncing (or some variant of this)
- DELETE /account_manager/<account_id> which will remove an account object.
Also, please sign the Contributor License Agreement so we can merge future commits faster. Thanks!
cool this works great @StefanIvanciuc, thanks.