ikornaselur / voyage-server

Backend for Voyage: A platform for discussions throughout a story
MIT License

Revisit authentication #29

Open ikornaselur opened 6 years ago

ikornaselur commented 6 years ago

Likely remove flask-dance from server and just use jwt tokens from web, with web taking care of authentication?

  1. [Web] User wants to authenticate
  2. [OAuth] User approves on third party service
  3. [Web] Token from third party saved locally and sends it with each request
  4. [Server] Gets user by token (if token changed, get by email and validate token and update it in db)
  5. [Server] (New signup?) Validate the token with third party service and create user

Should only be required to validate token when it's first seen, since if it hasn't changed, it's valid. Unknown tokens used to find if already signed up (if not, create user) and then validate the token.

ikornaselur commented 6 years ago

My current thought for the flow on the server goes something like this:

  1. The user goes through oauth flow on web to google (to begin with)
  2. The user sends the full oauth token to a /login endpoint on the server
  3. The endpoint will start by validating the token has not been tampered with
  4. Verify that the aud and azp in the token payload are the voyage Client ID
  5. If all is valid, check if the user is signed up already; if not, create a new user on voyage.
  6. Generate a voyage specific JWT for the user that they will use.

I think this is the flow that makes most sense, since I want to use JWT on the server and handle the OAuth dance on the web end. This way I only have to validate the google token once (during "login"), since it's more "expensive" (as far as I know, I don't have the private keys to verify the token, but you can talk to the google API for that) while it's quick for me to validate the local JWT.

This way I can also support more than one OAuth provider, just have to handle different types during login, since after that it's going to be my own JWT that the user will be using.
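The flow sketched in the two comments above, written out as an added example; this is not code from the voyage-server repository. It covers steps 3 to 6 of the server side (signature check, aud/azp check, lookup-or-create user, mint a Voyage JWT) and the point from the first comment that later requests only need the cheap local check. To run offline with the standard library, HS256 with a shared secret stands in for the provider's RS256 signature, which in practice is verified against the provider's published public keys; `PROVIDER_SECRET`, `VOYAGE_JWT_SECRET`, `VOYAGE_CLIENT_ID`, the `USERS` dict and the `login`/`current_user` function names are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secrets and identifiers for this example only.
PROVIDER_SECRET = b"constructed-provider-signing-secret"  # stand-in for the provider's key
VOYAGE_JWT_SECRET = b"constructed-voyage-jwt-secret"      # hypothetical server-side secret
VOYAGE_CLIENT_ID = "voyage-client-id.example"             # hypothetical OAuth client ID


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(payload: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Step 3: reject tampered, wrongly-signed or expired tokens; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        # Pin the algorithm server-side; never let the token choose it.
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    return payload


# In-memory stand-in for the users table (constructed for the example).
USERS = {}


def login(provider: str, provider_token: str, now: Optional[int] = None) -> str:
    """Steps 3-6: validate the provider token once, then hand back a Voyage JWT."""
    now = int(time.time()) if now is None else now
    claims = verify_jwt(provider_token, PROVIDER_SECRET, now)
    # Step 4: the token must have been issued to, and presented by, this client.
    if claims.get("aud") != VOYAGE_CLIENT_ID or claims.get("azp") != VOYAGE_CLIENT_ID:
        raise ValueError("token was not issued for the Voyage client")
    if "sub" not in claims:
        raise ValueError("provider token carries no subject")
    # Step 5: key users on provider + subject (stable), not on email (can change).
    key = f"{provider}:{claims['sub']}"
    user = USERS.get(key)
    if user is None:
        user = {"id": len(USERS) + 1, "provider": provider,
                "sub": claims["sub"], "email": claims.get("email")}
        USERS[key] = user
    # Step 6: short-lived Voyage JWT; only this is checked on later requests.
    return sign_jwt({"sub": user["id"], "iat": now, "exp": now + 3600}, VOYAGE_JWT_SECRET)


def current_user(voyage_token: str, now: Optional[int] = None) -> dict:
    """Per-request check: local HMAC only, no call back to the provider."""
    claims = verify_jwt(voyage_token, VOYAGE_JWT_SECRET, now)
    for user in USERS.values():
        if user["id"] == claims.get("sub"):
            return user
    raise ValueError("unknown user")
```

Note that `login` rejects a token whose `aud` or `azp` is some other client before it ever touches the user table, and that the Voyage JWT is signed with a different secret than the provider token, so a provider token can never be replayed as a session token against `current_user`.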