alexander-mathieu / crowdhound_be

Crowdhound connects dog owners with local people that would love the opportunity to chill with a dog for an afternoon or a few days, without having the responsibility 24/7/365.
https://crowdhound.herokuapp.com/

Implement authorization / authentication #60

Closed chakeresa closed 5 years ago

chakeresa commented 5 years ago

References:

Will include update of createUser GraphQL mutation

Possible workflow:

  1. User clicks Login with Google button (it doesn’t matter whether they already have an account with us or not)
  2. User is taken to a Google site to enter their login details
  3. Google redirects to the callback we provide (something like /auth/google_oauth2/callback on the Express app)
  4. Within that controller action, we (a) generate a random token and save it to a cookie (which will be passed back to the client), (b) save the token as well as the info received from Google in a session on the server (in memory) — let’s call this identity, and (c) send a request to the Rails app asking whether there’s a user with the email provided by Google or not.
  5. The Rails app searches the database for that email and responds 200 or 404 (depending on if it was found or not).
  6. Based on the status code received, the Express app either redirects the user to a form to enter their initial registration details (location, etc), or to their own dashboard. The cookie created earlier with the token must be sent to ensure that the user stays logged in.
  7. If the user was new (and was sent to the registration form), they fill it out and make a request to the Express app (automatically sending their token cookie back).
  8. The Express app (a) searches its memory for a session with that token. (b) If found, it adds the identity created earlier and passes along the new user request to the Rails app as a GraphQL mutation. (c) If not found, it redirects the user to the login page.
  9. The Rails app uses the identity and form info entered/passed along from Express to create a new user. It responds 201 or 422 to Express (depending on whether it successfully created the user or not), or maybe 401 if missing the identity.
  10. If 201, the Express app redirects the user to their dashboard (or wherever you sent existing users in number 6 above). If 422, the user must re-enter valid details on the new user form.
  11. Whenever a user makes a request (no matter whether it’s a GraphQL query or mutation), it goes to the Express app (acting like a proxy for the Rails app). The Express app checks for a valid token, adds the identity, and forwards it on to the Rails app. Rails responds accordingly (knowing the user has been authenticated) and does the business logic / authorization (e.g. can this user edit that dog? / can this user see that address?). Express gets the response from Rails and redirects / renders pages appropriately.
  12. When the user clicks log out, it sends a request to the Express app which removes their identity from the session on the server and deletes their token cookie.