nodesource / ncm-cli

Command-line tool for NodeSource Certified Modules 2.0

[NCM-Cli 1] Username / Password sign-in tokens #20

Closed mster closed 5 years ago

mster commented 5 years ago

Referring to #4

TL;DR: the session token returned from /accounts/auth/login (success condition) when choosing username and password sign-in is unusable with the ncm2-api.

Resolution:

mnedelko commented 5 years ago

This relates to the SSO conversation around accounts. Jaz to set up a meeting with accounts-eng.

pmuellr commented 5 years ago

(internal Slack conversation); it sounds like we can copy the code from ncm-desktop SSO auth. We should still copy the code from nscm to open a browser from the CLI to the relevant SSO provider.

pmuellr commented 5 years ago

hmmm, thought I already pasted this, trying again:

from @cxreg in NodeSource Slack

GET /accounts/auth/social-signin-url?source=github&product=ncm -> { url, nonce }

You open url in the browser and then use nonce here as a long-poll request:

GET /accounts/auth/retrieve-session?nonce=${nonce} -> { session, refreshToken }

source can be google or github. If the user never signs in, that second one will eventually time out, or you can abort if they hit a cancel button.

mster commented 5 years ago

GET /accounts/auth/social-signin-url?source=github&product=ncm -> { url, nonce } ... etc.

The current SSO sign-in follows the pattern described above.

We should still copy the code from nscm to open a browser from the cli to the relevant SSO provider.

I took a look at the nscm code, and it uses the open package to do this. The package uses ChildProcess to open a URL in the preferred browser.

open does have a security vulnerability, which comes from a lack of input sanitization. This shouldn't be an issue for the tool's usage, but I wanted to bring this to attention before implementation.

We could always just make our own ¯\_(ツ)_/¯

mster commented 5 years ago

Authentication Status (01/28):

This issue will now cover the remaining issues with general authentication for the NCM-Cli tool.

Goals:

The tool will support three types of authentication via:

  1. Session tokens -- SSO Sign-in (GitHub/Google)
  2. Access tokens -- Accounts (email/password)
  3. Service tokens -- CI (environment variable, NCM_TOKEN)

Progress:

  1. Session tokens:

    • Currently, this is the only functional authentication method. SSO has been built for Google and GitHub. Users may sign in using this method by entering the command: ncm-cli signin [-G,-g]

  2. Access tokens:

    • Currently, these tokens are received from the accounts.nodesource authentication method, which requires a valid email and password to be sent to /accounts/auth/login, from which the request succeeds or fails immediately.
    • Upon a successful sign-in, a session token and refreshToken are returned.
    • Issue: The session token received after successful authentication is unusable with the ncm2-api/v2 -- responding with authentication errors when verification is requested.

  3. Service tokens:

    • Yet to be implemented.
    • NCM-Cli will accept a service token via the environment variable: NCM_TOKEN

mster commented 5 years ago

TODO:

CI - Service Token implementation via environment variable