Open mayacakmak opened 3 years ago
How should this interact with the current MongoDB login? Should the user visit localhost, enter the o1 xXTgfdH8 login, and then also have the OAuth login, or are we replacing the existing login with the OAuth login, for the operator side (Replacing the existing login might be weird because it would result in different login pages for the operator and the robot, which could mess up the puppeteer script that logs in the robot automatically).
After looking into the current login system a bit more, I think the best option will be to just add a "Login with Google" button to the operator.html page. That way the current operator/robot communication and mapping stays intact, and we can access firebase code where necessary.
I have run into a number of issues with the CSP, I think related to Issue #26, that prevent communication with firebase. It seems like operator.html has its own CSP that overrides the one set in app.js? I think adding additional domains should fix the problem.
I moved the database config object out of database.js and into a new file called database.config.js that is also in the shared folder. That file has been added to the gitignore so that it will not be uploaded.
Once refactor has been merged into master, I'll generate a new API key so that the old one is invalid. I added a login entry to the lab wiki that has the contents of database.config.js, and instructions to the refactor branch readme on how to set it up (if there is a better way to store it in the wiki, I'm happy to move it).
That should solve the security issue of anyone being able to write data to the firebase. I was not able to find an easy solution to the domain name issue. From what I can tell, there is no way to allow all domain names with the API key to write to firebase (or even just specific IP addresses, it has to be a proper website URL). I think that means that if Stretch is hosting the website, and we load the operator page from another computer, we won't be able to write to firebase at all. Is this a problem that we have run into before?
This page contains all the firebase settings: https://console.firebase.google.com/u/0/project/stretchteleop/authentication/providers
Currently users can operate the robot and are logged into Firebase as anonymous. However, to remember a user's preferences over time and when they change browsers/computers, the interface needs to know who they are. For this, the safest, simplest thing to do is to have them "Login with Google" through OAuth. We have done this in the past, and the data visualization tool (in shared/data.html) should have some code we can reuse for this.
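On the CSP problem raised in the comments above, an added example (not code from this repository) that models how a browser treats a page carrying both a CSP response header and a `<meta>` CSP: every policy is enforced, so a request has to pass each of them. The policy strings, origin and Firebase URL are constructed, and matching is simplified (ports and paths are ignored).

```javascript
// Parse "name src src; name src" into a Map; the first occurrence of a directive wins.
function parsePolicy(text) {
  const policy = new Map();
  for (const part of text.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Simplified source matching: '*', 'self', scheme-source, host-source with "*." wildcard.
function sourceMatches(source, url, selfOrigin) {
  if (source === "*") return /^(https?|wss?):$/.test(url.protocol);
  if (source === "'self'") return url.origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  // "*.example.com" covers subdomains only, not example.com itself.
  return wildcard ? url.hostname.endsWith("." + host) : url.hostname === host;
}

// One policy: connect-src governs fetch/XHR/WebSocket, falling back to default-src.
function policyAllowsConnect(policyText, target, selfOrigin) {
  const policy = parsePolicy(policyText);
  const sources = policy.get("connect-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // no governing directive, no restriction
  const url = new URL(target);
  return sources.some((s) => sourceMatches(s, url, selfOrigin));
}

// All policies delivered with the page (header and meta) must allow the request.
function connectAllowed(policies, target, selfOrigin) {
  return policies.every((p) => policyAllowsConnect(p, target, selfOrigin));
}

// Constructed sample values, not taken from the project.
const SELF = "https://localhost";
const FIREBASE_URL = "https://example-project.firebaseio.com/data.json";
const headerPolicy = "default-src 'self'; connect-src 'self' https://*.firebaseio.com";
const metaPolicy = "default-src 'self'; connect-src 'self' wss://localhost";
const metaPolicyFixed = metaPolicy + " https://*.firebaseio.com";

console.log("header only:", connectAllowed([headerPolicy], FIREBASE_URL, SELF));
console.log("header + meta:", connectAllowed([headerPolicy, metaPolicy], FIREBASE_URL, SELF));
console.log("both updated:", connectAllowed([headerPolicy, metaPolicyFixed], FIREBASE_URL, SELF));
```

In this model the Firebase domains have to appear in both the header policy and the page's own policy before the connection goes through.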