mozilla / makedrive

[RETIRED] Webmaker Filesystem
Mozilla Public License 2.0

Implement an auth solution for publish #480

Open gideonthomas opened 9 years ago

gideonthomas commented 9 years ago

We use passport.js for authentication so that we can make it pluggable. Currently we support multiple ways to authenticate with makedrive such as GitHub, Facebook, etc. This is done by us writing "passport-strategies" to make use of these APIs.

Right now, we have one for the old login.webmaker.org system; however, since id.webmaker.org is what's used now, we need to write a strategy (and provider, I think) for that. Passport.js provides some OAuth2 providers that we might be able to make use of to help us code the provider for id.webmaker.org.

A good person to find out more information from re: this is @alicoding since he wrote most of the existing code.

sedge commented 9 years ago

@gideonthomas Where does authentication take place with the current system? Does makedrive pick up on the webmaker auth cookie and use that to confirm a valid user?

gideonthomas commented 9 years ago

I'm pretty sure none of that logic is handled by makedrive. I believe that makedrive receives a token from the hosting app which is sent to the server and is handled by the passport.js stuff which honestly is sorta a black box to me.

alicoding commented 9 years ago

I've done the work on the front-end mostly, so the right person to ask would be @cadecairos.

cadecairos commented 9 years ago

A good resource to have while writing a strategy would be https://github.com/mozilla/id.webmaker.org/blob/develop/docs/oauth.md

I'm not familiar with passport, so your best bet is their docs.

sedge commented 9 years ago

Initial research into this has surfaced the problem of how to prove the user is authenticated. If this was webmaker, we'd be relying on a cookie to allow a user to interact with makedrive in a seamless manner. There's no such mechanism without webmaker-auth.

The most straightforward solution for thimble is to authenticate through the websocket, rather than before one is opened. Thimble could request a token from makedrive and pass it along to the user, who puts it through the websocket as the first message. We tried something similar with makedrive in the past.

This would mean dropping passportjs entirely from the publish server instance of makedrive.

My guess is that a more general SSO solution will be needed. Follow the discussion in mozilla/thimble.webmaker.org#534 to see how this unfolds.
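
The token-as-first-websocket-message scheme described in the last comment, as an added sketch that is not part of this thread or of makedrive's code. `TokenStore`, `SocketAuthGate`, the 30-second lifetime and string-typed messages are all assumptions made for illustration.

```javascript
const crypto = require('crypto');

const TOKEN_TTL_MS = 30000; // constructed value, not a makedrive setting

function digest(token) {
  return crypto.createHash('sha256').update(token).digest('hex');
}

// Server side: the hosting app asks for a token on behalf of a signed-in user.
class TokenStore {
  constructor(now = Date.now) {
    this.now = now;
    this.pending = new Map(); // sha256(token) -> { username, expires }
  }
  issue(username) {
    const token = crypto.randomBytes(32).toString('hex');
    this.pending.set(digest(token), { username, expires: this.now() + TOKEN_TTL_MS });
    return token;
  }
  // Single use: the entry is deleted on lookup, valid or expired.
  redeem(token) {
    if (typeof token !== 'string') return null;
    const key = digest(token);
    const entry = this.pending.get(key);
    if (!entry) return null;
    this.pending.delete(key);
    return entry.expires >= this.now() ? entry.username : null;
  }
}

// Per-socket gate: nothing is processed until the first message redeems a token.
class SocketAuthGate {
  constructor(store, close) {
    this.store = store;
    this.close = close; // callback that closes the underlying socket
    this.username = null;
    this.closed = false;
  }
  onMessage(data) {
    if (this.closed) return { type: 'rejected' };
    if (this.username) return { type: 'data', username: this.username, data };
    const username = this.store.redeem(data);
    if (!username) {
      this.closed = true;
      this.close();
      return { type: 'rejected' };
    }
    this.username = username;
    return { type: 'authenticated', username };
  }
}
```

A real server would also close sockets that send no first message within a short deadline and would only hand out tokens over an authenticated channel from the hosting app.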