Create Elixir version of this module?

[iteles]

As our tech stack has now evolved github.com/dwyl/technology-stack , I'd like to explore having this module as an elixir module rather than hapi.

The idea is for us to have a login module that we can pick up and run with for future projects without having to rebuild a login for every project.

The key is that the module is:

• Fully tested
• Has detailed documentation

This one is next: https://github.com/dwyl/hapi-auth-google

[finnhodgkin]

There's a pretty great module for Github/Google/Twitter OAuth that requires minimal setup - Ueberauth. It doesn't handle cookies, jwts or storing users in a db, just the actual OAuth flow. I wrote a WiP guide that uses it a couple weeks ago:

https://github.com/finnhodgkin/learn-phoenix-todo-example#oauth-authentication

I could pare this down to just the bits of code required for authentication, because Ueberauth really does do a great job of OAuth flow.

The only issue is that it's hard to tell how much test coverage it has. There are some tests, but they look more like business logic tests than blanket coverage. It's the highest result on Google (in an incognito tab) for Pheonix Authentication and seems to be top of everyone's recommendation list, but sometimes that doesn't mean much :woman_shrugging:

[finnhodgkin]

There's definitely room for a module wrapped around Ueberauth that handles the app-specific authentication stuff (cookies, protected routes, etc.), but IMO circumventing Ueberauth entirely and writing an OAuth flow from scratch would be a big time sink for a very similar wheel, at least at the start.

We could start by setting up a module around Ueberauth and then think about replacing it after..?

[ZooeyMiller]

I ran code coverage on ueberauth, and their coverage is high, but not 100%.

Rather than making something from scratch, we could potentially look into adding tests to ueberauth to bring it up to 100%.

[iteles]

I would say that it would be an excellent learning exercise to write up the implementation plan for something like this (being built from scratch) as well as for utilising ueberauth; both of which should be broken down and estimated.

[iteles]

@ZooeyMiller Whilst that is certainly a potential solution; from experience, it's unlikely that the 100% test coverage would be maintained without us policing it. Creating that kind of dependency on us is also quite taxing and ultimately not worthwhile.

We push hard with our clients to allow us to spend the time to get to 100% test coverage because it makes everyone's lives so much easier in terms of minimising bugs and especially for future maintenance.

[finnhodgkin]

Implementation plan for a github oauth plugin for elixir.

Things what we should think about

What features does hapi-auth-github have?

• construct url for post to github (with the client id/client secret)
• construct a callback route
  • sends a post request for a github token
  • makes another request using the token to get user details

    How analogous are these to Elixir?

• similarities
  • requests
• differences
  • 'constructing a callback route' is handled very differently in Phoenix/Elixir. We had a read through the Ueberauth code and couldn't figure out how they hijack certain routes. A simpler solution is to just add a set of functions to our module that can then be called within user defined routes. This has the advantage of being less magic because the developers get to pick the names of all the routes and can more easily replace portions of the code.

    How do we make these features in Elixir?

• Add a module with two public functions
  • redirect - redirects the user to a GH Oauth route constructed using the application OAuth client id.
  • callback - recieves a conn containing a Github response code and makes two requests using it: a token request and then one for user data. Add the user data to the conn and return it.

    Would you need any dependencies?

• Something for making HTTP requests, probably HTTPoison

  How do we deploy the module to Hex?

• Adding metadata to mix.exs file
• publishing using mix hex.publish
• https://hex.pm/docs/publish

  Things which will probably be fine:

• initial redirect for user to github
• sending the secret and token to github in exchange for the information

  Pain points

• Intercepting the http request

  As a result:

Our idea of an "MVP" for this module would be to have it so the the module handles:

• The initial request to github with the application client id.
• The request to github with the client's token and the application client secret

The user would still have to handle:

• Creating a route and handler to then call our function which goes to github to get the client token
• A route and handler for the callback URL which will then call our function which will go back up to github for the final call for the user's information
• Dealing with the user's information and token as it comes back from github

How long would it take?

• For a 100% covered, deployed module, with an example, we think 2 days is a reasonable estimation.

Breakdown

Quite hard to judge specifics until we've done some more research on building modules

• Spike on HTTPoison 1hr
• Spike on plugs/Phoenix so we can redirect to the correct Github url within a module function 2hr
• Spike on creating a new hex module 1hr
• Nice documentation 1-2hrs
• Write login redirect 1hr
• Build callback requests to get user data 2hrs
• Explore error handling and edge cases 1hr
• Add meta data and add the module to Hex 1hr
• 100% test coverage 2-4hrs depending on how much error handling we have to do.

Total: 12-14hrs

Implementation for ueberauth

I would say, rather than creating a module for use with ueberauth if that is what we decided, we would write a detailed tutorial for ueberauth with github, extending that which @finnhodgkin has already written here: https://github.com/finnhodgkin/learn-phoenix-todo-example#oauth-authentication

[iteles]

@finnhodgkin @ZooeyMiller The breakdown of the various spike you'll have to do is great!

Carrying out these spikes and documenting your learning in the appropriate repo (that might even be learn-elixir or learn-phoenix) is a great learning experience. This is all core knowledge that all Elixir developers who come after you will need. Definitely worth dedicating a couple of days to.

[nelsonic]

https://github.com/dwyl/elixir-auth-github