react-github-login icon indicating copy to clipboard operation
react-github-login copied to clipboard

Published 20 hours ago verified publisher icon jlumbroso

Two changed on auth negotiations procedure

Open majioa opened this issue 7 years ago • 2 comments

The code negotiations procedure are taken place on the server side, and I have the data passed to the react via the 'pkg' already resulted to use:

{
  auth_token: "....",
  avatar_url: "https://avatars3.githubusercontent.com/u/417632?v",
  login: "majioa",
  name: "Павел Скрылёв (Malo Skrylevo)"
}

But since the pkg checks for a code it blocked my response. Also non URI-compliant data is passed wrongly. So:

  • [x] Added decode from a non-url-compatible strings returned from OAuth authentication procedure.
  • [x] Added condition to allow skipping code presence validation on success result.

majioa avatar Dec 20 '17 21:12 majioa

Hey @majioa,

Thanks for the contribution.

The code negotiations procedure are taken place on the server side, and I have the data passed to the react via the 'pkg' already resulted to use:

So, if I understand you correctly, you're redirecting and the code query parameter is then used on the server-side to retrieve an access token and the user profile. Then, is the user profile serialized in the resulting query string, e.g. http://example.app/callback?auth_token=$auth_token&login=$login?

My initial feedback would be that more work would be required to support this workflow properly. For one, it sounds like you're redirecting from the redirect URI to another location and, with how the component is written now, the popup could potentially be closed before reaching the terminal destination. Secondly, even with a lot of context around how this works, requireCode isn't entirely obvious to me; it's technically still required.

How about...

  1. Adding a hook, onRedirect, to allow custom behavior in checking the popup. In the case where onRedirect returns true, params are parsed sent back to the parent and the window is closed. Otherwise, returning false will continue the poll cycle.

  2. In place of the requiresCode property in the onSuccess method, adding another property validates which optionally can take a validation function (so you can validate you're getting back user data, for instance). The default validation should still check code, however.

Thoughts?

kruppel avatar Dec 22 '17 18:12 kruppel

So, if I understand you correctly, you're redirecting and the code query parameter is then used on the server-side to retrieve an access token and the user profile.

The code parameter has gotten from GET request initiated by a github, and is being acquired by a method on server-side. Then the method redirects to a destination page, which can be processed by a the pkg, and the request doesn't contain the 'code', but resulted data, which should be get in react app. Please refer to the auth flow here: https://groundberry.github.io/development/2017/04/08/build-an-app-with-rails-and-react-user-authentication.html

  1. I dont' know, it seems to introduce an unexpectable complexity.
  2. Just I introduce the flag to allow skipping the 'code' presence validation in success procedure, since that flow will not pass a 'code' to the polled by popup redirect request, rather than to server request part GET handler (see GTE /auth/github?code=XXX).

majioa avatar Dec 22 '17 21:12 majioa