Set login cookie and handle JAAS redirects based on said cookie.

[hatched]

Fixes canonical-web-and-design/juju-squad#590

• Switches cookie handling to third party library.
• Removes package-lock.json as we now use yarn.
• Sets loggedin cookie when logged into the controller.
• Removes loggedin cookie on log out.
• Redirects the user to the JAAS storefront or GUI based on loggedin cookie.

To QA

• Clear your cookies for the GUI domain.
• visit:
  • / it should take you to jaas.ai
  • /home it should take you to jaas.ai
  • /u/hatch/failtester it should take you to jaas.ai/u/hatch/failtester
  • /new should take you to the GUI
• Now log into the GUI and visit:
  • / it should take you to the GUI
  • /home it should take you to jaas.ai
  • /u/hatch/failtester it should take you to the GUI

[webteam-app]

Starting demo at: https://juju-gui-juju-pr-3940.run.demo.haus/

[nottrobin]

Happy to consider this out of scope for this PR, but this just occurred to me - presumably there are some URLs that are only available in the GUI, not in bluesbrowser. Is that right?

Apart from private charms, are there any standard URL patterns that we should be explicitly whitelisting here on jujucharms.com? So users will always be logged-in if visiting those URLs?

With regard to private charms, I forgot what we agreed, but I imagine the flow would be something like this:

• A non-logged-in user goes to https://jujucharms.com/my-private-charm, but Flask has no way of knowing it's a private charm at this point
• They get redirected to https://jaas.ai/my-private-charm. Hopefully https://jaas.ai is able to tell it's a private charm?
• They get redirected back to https://jujucharms.com/login?forward-url=my-private-charm or something

Is that about right?

[hatched]

Unfortunately due to the original URL requirements there is no way for us to distinguish between GUI specific routes, like a model u/username/mymodel and a charm u/username/mycharm without the user first logging in and then us querying the various api's.

If a non-logged-in user, or one without permissions, tries to access a private charm url it fails with a 404 as it would if it didn't exist at all. This is to avoid leaking names. So what this means is that you can only view private charms in the GUI after logging in.

[nottrobin]

@hatched so does that mean that for a user whose login has expired, if they visit jujucharms.com/u/username/private they will get redirected to jaas.ai/u/username/private which will 404? And then they'll need to be savvy enough to click "Getting started", and then log in and then go back to their private charm?

That's a horrible journey. Again I think we need to make it clearer how to get to the GUI from jaas.ai. Again, hopefully @clagom can give us some guidance.

[hatched]

@nottrobin that's correct. That was the requirement at the time.

[clagom]

I had problems with GitHub notifications from this repository for some reasons, without getting any email notifications... anyway, @nottrobin pointed out the discussion so here I am. @hatched, @nottrobin and I discussed briefly about this today, thinking that maybe a call to action like "Your models" could help -partially- solve the issue. The main problem here is that I don't think any label could cover all the use cases we have due of the missing login. E.g. "Your models" works for users who are aware of what a model is, new/potential users would probably wonder what it is. We might start with this for now, instead of "get started" (which is more useful for people who don't know about JAAS), but I think we need to explore other solutions as well. I would setup a meeting next week to discuss this part and the implementation of the future login system with also @anthonydillon. I think we need to map out what we need to do, estimante, and plan this work for the next cycle. Thanks

[hatched]

Ok the requested changes have been made, this is now ready for QA.

[hatched]

Thanks @nottrobin