dis-moi / backend

DisMoi Backend API - 💬 Stay informed everywhere on the web
https://api.dismoi.io/v4

Authentication API #324

Open christpet opened 3 years ago

christpet commented 3 years ago

This is referring to the conversation we had @lutangar around the new feature described here: https://github.com/dis-moi/backend/pull/161

and here: https://github.com/dis-moi/extension/pull/800

Quick background:

Problem:

If a user posts a contribution with the same email address as an existing contributor account, the post will appear as coming from that contributor. #314

Solution:

We need a way to authenticate the extension user as the contributor. Exactly how we do this needs to be specified. Let's discuss and choose the best way forward here.
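The problem described in this comment, sketched as an added example (not code from the issue or from the dis-moi code base): the first function trusts the submitted e-mail as the author, the second treats it as a claim and attributes only on a verified token. All names, the sample account and the HMAC token are assumptions standing in for whatever authentication mechanism is eventually chosen.

```python
import hashlib
import hmac

# Constructed sample data: contributor accounts keyed by e-mail (hypothetical).
CONTRIBUTORS = {"alice@example.org": 1}
SERVER_SECRET = b"constructed-demo-secret"  # placeholder, not a real key


def issue_token(contributor_id: int) -> str:
    """Token handed to a contributor after a real login (stand-in mechanism)."""
    mac = hmac.new(SERVER_SECRET, str(contributor_id).encode(), hashlib.sha256)
    return f"{contributor_id}.{mac.hexdigest()}"


def verify_token(token):
    """Return the contributor id a token proves, or None if absent or invalid."""
    if not token or "." not in token:
        return None
    raw_id, _, mac_hex = token.partition(".")
    if not raw_id.isdigit():
        return None
    expected = hmac.new(SERVER_SECRET, raw_id.encode(), hashlib.sha256).hexdigest()
    valid = hmac.compare_digest(mac_hex.encode(), expected.encode())
    return int(raw_id) if valid else None


def attribute_by_email(submission: dict) -> dict:
    """Behaviour described in the issue: the claimed e-mail decides the author."""
    author = CONTRIBUTORS.get(submission["email"])
    return {"author_id": author, "status": "draft", "text": submission["text"]}


def attribute_by_auth(submission: dict, token=None) -> dict:
    """The e-mail field is only a claim; authorship needs a verified token."""
    author = verify_token(token)
    claimed = CONTRIBUTORS.get(submission["email"])
    return {
        "author_id": author,
        "status": "draft",
        # Flag drafts whose e-mail names an account the sender did not prove.
        "unverified_claim": claimed is not None and claimed != author,
        "text": submission["text"],
    }


if __name__ == "__main__":
    spoofed = {"email": "alice@example.org", "text": "not written by Alice"}
    print(attribute_by_email(spoofed))                 # attributed to id 1
    print(attribute_by_auth(spoofed))                  # unattributed, flagged
    print(attribute_by_auth(spoofed, issue_token(1)))  # attributed, verified
```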

lutangar commented 3 years ago

@christpet I updated a few things since this goes beyond the extension use case.

The authentication mechanism will handle current and future use cases:

The extension will need extra product design (interface, etc.) to use authentication; we should track this somewhere else:

created this https://github.com/dis-moi/extension/issues/843

christpet commented 3 years ago

Oh okay fabulous, thank you! Sounds great. I will assign to myself then in order to push for definition.

lutangar commented 3 years ago

For future reference:

Other subjects:

MaartenLMEM commented 3 years ago

About the solution: Do we really need authentication in the extension? In those use cases, as an extension user who wants to contribute, I can authenticate in a webpage directly. Why do I need to authenticate beforehand in the extension? Indeed, really contextual information (current webpage, even the message I started to draft...) can be transferred as filled data in a webpage, without authentication.

christpet commented 3 years ago

Good point @MaartenLMEM, we should be clear that the use case requires authentication in the extension. This is something to discuss with Pierrick and coordinate with the new contrib UI.

Because through this feature all bulles posted will be posted as "drafts", this problem is not too much of a risk.

So then inside this current issue, we can focus on authentication API for future needs (Bulk contribution, Contributor web interface).

MaartenLMEM commented 3 years ago

> Good point @MaartenLMEM, we should be clear that the use case requires authentication in the extension. This is something to discuss with Pierrick and coordinate with the new contrib UI. Because through this feature all bulles posted will be posted as "drafts", this problem is not too much of a risk.

=> Yes, currently it's sent from the extension. But tomorrow we can imagine a webpage stage to complete my contribution started in my extension, in context. To summarize, I see two options:

  1. Keep the contribution publish function in the extension, create an authentication in the extension and deal with all the specific issues related to this in the extension option: technical complexity, privacy matters...
  2. Put the minimum in the extension, and let the user complete his contribution in a webpage where authentication is handled, and deal with this classic matter.

lutangar commented 3 years ago

I created issue #332 to tackle step 0 and step 1. And then #333 will follow.

@christpet @prk-dismoi could you take 2 minutes to read this 2016 issue? Concerns raised there are still valid in 2021, at least part of them. I know it's code-related but it presents very well some of the challenges we will face when implementing Users, Authentication, Roles and ACLs related code.