davros icon indicating copy to clipboard operation
davros copied to clipboard

Published 20 hours ago verified publisher icon mnutt

OAuth support

Open nightsh opened this issue 7 years ago • 4 comments

Hi, would it be interesting for anyone to have OAuth support in Davros? What I'm thinking about is nothing too fancy, here's the proposed scenario:

  • having a switch in config to enable/disable OAuth support (I am looking at torii)
  • enabling it would also need some configuration to be provided
  • if enabled, visitors will be presented with a login screen on any route, or any route beyond the main route, this remains to be seen

This would allow Davros usage outside Sandstorm, as a lightweight file manager tied to any app that is able to act as a OAuth server. Since all the major frameworks have such integrations readily available, that won't be a major source of pain.

The reason I'm asking this here is because I tried for the past few days to achieve this without touching Davros source code, but I failed miserably to do so.

I tried creating an Ember addon for it, but this lead me nowhere near what I needed. Then I tried to think about a Davros wrapper, but I've no practical knowledge about how to build such a thing. And last but not least, I desperately tried to create an Ember Engine for Davros, which would be installable and mountable in any Ember app, which indeed seems to be the perfect solution. Just a few minor problems I have with that: the need to separating the express server from the Ember app, my lack of experience on engines (for now) and that I need to mutilate the Davros code in order to do that, which is going to be painful to maintain (even more than a full fork).

So, given these thoughts, would anyone in the Davros dev team be interested in the development of an OAuth feature for it? I can easily be the main actor in this, as I'm going to do it anyway, one way or another, but it would be nice to work with the upstream (i.e. you) to do so.

Cheers!

nightsh avatar Jun 22 '17 09:06 nightsh

Hi Victor,

Thanks for checking out Davros! I'm curious as to your use case--are you planning on using Davros in conjunction with another app, or just want to run it standalone without having to set up Sandstorm? If it's the latter I'd be remiss if I didn't mention that the Sandstorm people are super nice in IRC and are happy to help people get it set up.

As far as how to get Davros doing OAuth, I think that a middleware inside server/index.js would probably be the best place to check to see if the user is authenticated, and if not what to do about it. I actually have another project, https://github.com/movableink/doorman which does something similar to what you're talking about, depending on your use case you may be able to copy some of its middleware or possibly just put doorman in front of davros.

To your point about integrating this into Davros itself, I'm happy to accept something for adding lightweight authentication, but would prefer not to get into reimplementing all of the things that Sandstorm provides: individual user permissioning, sharing, etc would probably result in a lot of duplication. But just for OAuth-based access granted or denied, I think that would be fine?

mnutt avatar Jun 22 '17 22:06 mnutt

Michael, thanks for the reply!

Alright, let's shed some light on that use case :)

There's a small software bundle cooking now, with very specific use cases and integrations. The people who will be using it are already using Sandstorm now and are pretty much used to Davros, and I see no reason to change that. You can see more details on the use case on project's homepage and github.

Now, it would be a shame not to reuse and maybe contribute to further development of tools still valid for this new use case. That's why I came here to ask before spawning yet another project, which would be the case in the event of a full blown fork. Sadly, I couldn't get the Ember engines running, but maybe one day someone smarter than me will pick up the task :)

I'm not planning on reimplementing ACLs and any other advanced user administration into Davros. This project here has some other purposes, none of which is managing users.

However, being able to package it together with any OAuth provider makes it more interesting, as there are many frameworks and platforms offering this possibility. In my specific case now, it's just about not letting people without an account (so inside the "circle of trust") enter the shared storage space. We could go on forever on whether or not this is a secure workflow, but thankfully that's not our topic here.

But just for OAuth-based access granted or denied, I think that would be fine? Precisely this. Get torii up and running, provide a login template/route/component/whatever is lighter and bounce unauthenticated sessions back to the home/login route. These are details I didn't think thoroughly yet, since I spent most of my time trying to find an elegant way around the way Davros is built now. All this off by default, which remains to be seen in practice how it should be implemented.

You make a good point with the middleware, it's definitely worth looking at as a next step for me. I'll have a look tomorrow and check how/if it could be used.

Thanks a lot, please let me know what do you think of the above ideas. I'd be quite happy to get my hands into this project a little, since I got a bit too familiar with it now to move away easily :)

nightsh avatar Jun 22 '17 23:06 nightsh

@mnutt btw is it possible to have google OAuth

omsenjalia avatar Oct 20 '21 12:10 omsenjalia

@mnutt btw is it possible to have google OAuth

Davros runs as an app inside Sandstorm, and Google OAuth authentication is supported in Sandstorm.

ocdtrekkie avatar Oct 20 '21 13:10 ocdtrekkie