Implementation plan

[finnhodgkin]

See hapi-auth-github/issues/28 for the original issue.

Implementation plan for a github oauth plugin for elixir.

Things what we should think about

What features does hapi-auth-github have?

• construct url for post to github (with the client id/client secret)
• construct a callback route
  • sends a post request for a github token
  • makes another request using the token to get user details

    How analogous are these to Elixir?

• similarities
  • requests
• differences
  • 'constructing a callback route' is handled very differently in Phoenix/Elixir. We had a read through the Ueberauth code and couldn't figure out how they hijack certain routes. A simpler solution is to just add a set of functions to our module that can then be called within user defined routes. This has the advantage of being less magic because the developers get to pick the names of all the routes and can more easily replace portions of the code.

    How do we make these features in Elixir?

• Add a module with two public functions
  • redirect - redirects the user to a GH Oauth route constructed using the application OAuth client id.
  • callback - recieves a conn containing a Github response code and makes two requests using it: a token request and then one for user data. Add the user data to the conn and return it.

    Would you need any dependencies?

• Something for making HTTP requests, probably HTTPoison

  How do we deploy the module to Hex?

• Adding metadata to mix.exs file
• publishing using mix hex.publish
• https://hex.pm/docs/publish

  Things which will probably be fine:

• initial redirect for user to github
• sending the secret and token to github in exchange for the information

  Pain points

• Intercepting the http request

  As a result:

Our idea of an "MVP" for this module would be to have it so the the module handles:

• The initial request to github with the application client id.
• The request to github with the client's token and the application client secret

The user would still have to handle:

• Creating a route and handler to then call our function which goes to github to get the client token
• A route and handler for the callback URL which will then call our function which will go back up to github for the final call for the user's information
• Dealing with the user's information and token as it comes back from github

How long would it take?

• For a 100% covered, deployed module, with an example, we think 2 days is a reasonable estimation.

Breakdown

Quite hard to judge specifics until we've done some more research on building modules

• [x] Spike on HTTPoison 1hr
• [x] Spike on plugs/Phoenix so we can redirect to the correct Github url within a module function 2hr
• [x] Spike on creating a new hex module 1hr
• [x] Nice documentation 1-2hrs
• [x] Write login redirect 1hr
• [x] Build callback requests to get user data 2hrs
• [x] Explore error handling and edge cases 1hr
• [x] Add meta data and add the module to Hex 1hr
• [x] 100% test coverage 2-4hrs depending on how much error handling we have to do.

Total: 12-14hrs

Implementation for ueberauth

I would say, rather than creating a module for use with ueberauth if that is what we decided, we would write a detailed tutorial for ueberauth with github, extending that which @finnhodgkin has already written here: https://github.com/finnhodgkin/learn-phoenix-todo-example#oauth-authentication

[nelsonic]

Thanks for this detailed plan @finnhodgkin 🥇 Hope you are well. ☀️ (closing as the module has been working for a while...) 🚀