MathematicalMedicine / diver-issues

Semipublic tracking of issues for the DIVER front end

Implement Crowd authentication #59

Closed Viqsi closed 4 months ago

Viqsi commented 1 year ago

The authentication system for DIVER in general is presently barebones and security-free. Obviously this is not acceptable for an end product. The ultimate plan is to hook into the same Atlassian Crowd instance that Data Explorer uses, but pretty much nothing has been done in that regard.

Viqsi commented 1 year ago

Putting this under Public Beta for now because we've been able to do internal alpha testing without, so that strikes me as the time to work on it.

Viqsi commented 1 year ago

NRGR themselves are reconsidering how they do authentication, so this is on hold until that determination is made.

Viqsi commented 1 year ago

The previously mentioned authentication change isn't actually about authentication; it's about relevant permissions. Specifically, a possible switch from data access based on collection to data access based on consent. Actual user validation is (at this time, anyways) expected to remain unchanged. So this doesn't have to be on hold for that.

Viqsi commented 1 year ago

Copying in some notes from my work diary while investigating this:

2023-06-15 15:04:51-0400 The sign-in form uses jQuery to submit the login form via POST to https://www.nimhgenetics.org/user/login. It's serialized directly via jQuery's serialize() function on the form. A comment suggests it's being sent as JSON but I can't quite verify that.

Finding that has been surprisingly Not Straightforward. Grr.

I'm not sure how the cookie is checked. I'm reasonably certain it does check the cookie, but how said cookie is validated remains a tad beyond me. Given that on a 204 status code the page is reloaded, though, it's probably an on-request thing that may very well be handled by JSP (i.e. entirely server-side).

So we'd be back to Flask needing support for recognizing and verifying Crowd auth tokens.

2023-06-15 15:27:04-0400 The CROWD information we've gotten before is about implementing our own authentication system, NOT making use of the authentication cookies they already have. I last looked at this in December 2021 (and my notes on it are in that diary file). We never did get a response from ISI because of Convenient Absence.

2023-06-15 15:41:04-0400 Oh, wait, we did; it just wasn't till January.

I think https://docs.atlassian.com/atlassian-crowd/5.1.3/REST/#usermanagement/1/session may be all that we need. Validate Token if the cookie is already there to be found, and maybe allow for an Authorize User via diverRPC.

2023-06-15 15:42:56-0400 I wonder if diverRPC can "forward" the request to nimhgenetics.org/user/login without us running into CORS and/or XSS issues... (ha ha no chance)

2023-06-15 15:44:56-0400 Is the expectation that DIVER will always require an NRGR account, no matter what?

2023-06-15 15:47:05-0400 I think we'd have to be located at https://www.nimgenetics.org/diver/ or similar for this to work...
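The "Validate Token if the cookie is already there" step from the notes above, as an added example (this is not diverRPC's code). It assumes Crowd's default SSO cookie name `crowd.token_key`, the REST session resource path from the linked docs, the JSON shape of the validation factors, and a constructed `fake_crowd` transport standing in for a live Crowd server.

```python
import base64
import json
from typing import Callable, Optional
from urllib.parse import quote

# Assumed names: Crowd's default SSO cookie and its REST session resource.
CROWD_COOKIE = "crowd.token_key"
SESSION_PATH = "/rest/usermanagement/1/session/{token}"


def validate_crowd_token(cookies: dict, remote_addr: str, crowd_url: str,
                         app_name: str, app_password: str,
                         transport: Callable) -> Optional[str]:
    """Return the username Crowd binds to the SSO cookie, else None. The cookie
    is never trusted on its own: each request is re-validated against Crowd, and
    the remote_address factor lets Crowd refuse a token replayed from elsewhere.
    transport(method, url, headers, body) -> (status, body_bytes) wraps HTTP."""
    token = cookies.get(CROWD_COOKIE)
    if not token:
        return None
    url = crowd_url.rstrip("/") + SESSION_PATH.format(token=quote(token, safe=""))
    creds = base64.b64encode(f"{app_name}:{app_password}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",  # Crowd application credentials
               "Content-Type": "application/json", "Accept": "application/json"}
    body = json.dumps({"validationFactors": [
        {"name": "remote_address", "value": remote_addr}]}).encode()
    status, payload = transport("POST", url, headers, body)
    if status != 200:  # Crowd answers 404 for an unknown or expired token
        return None
    try:
        return json.loads(payload)["user"]["name"]
    except (ValueError, KeyError, TypeError):
        return None


def fake_crowd(method: str, url: str, headers: dict, body: bytes) -> tuple:
    """Constructed stand-in for Crowd: one live session "tok123", created from
    10.0.0.5 by user "jdoe"; any other token or address is rejected."""
    factors = json.loads(body)["validationFactors"]
    addr = next(f["value"] for f in factors if f["name"] == "remote_address")
    if method == "POST" and url.endswith("/session/tok123") and addr == "10.0.0.5":
        return 200, json.dumps({"token": "tok123", "user": {"name": "jdoe"}}).encode()
    return 404, b'{"reason": "INVALID_SSO_TOKEN"}'


def demo() -> dict:
    def check(cookies, addr):  # three requests as Flask would see them
        return validate_crowd_token(cookies, addr, "https://crowd.example.invalid",
                                    "diver", "app-secret", fake_crowd)
    return {"valid": check({CROWD_COOKIE: "tok123"}, "10.0.0.5"),
            "replayed": check({CROWD_COOKIE: "tok123"}, "198.51.100.7"),
            "no_cookie": check({}, "10.0.0.5")}
```

In a Flask app the same call would run in a `before_request` hook with `request.cookies` and `request.remote_addr`, and the Authorize User path would hit the same resource with POST and no token to create a session.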

Viqsi commented 1 year ago

Oh wait. Thanks to licensing changes by Atlassian, a move away from Crowd potentially is in the cards. So this is going to depend on their timetable - we may still have to implement this and then later replace it with a new authentication backend.

Right now login's been done in a way such that that should be doable but it's not exactly plug-and-play.

Viqsi commented 4 months ago

Initial implementation from MathematicalMedicine/diverRPC@751899f (plus some subsequent minor revisions, not yet merged into master) appears to be functioning properly for basic sign-in. SSO would not be working, though, because we have Flask set up to store all the session data together in one handy encrypted blob so the cookie NRGR's site is looking for is not actually set.

But we're a lot closer than we used to be.