scragg0x / realms-wiki

Git based wiki inspired by Gollum
http://realms.io
GNU General Public License v2.0
833 stars 90 forks

Authentication with Github OAuth2 (proof of concept, do not merge) #82

Closed alvinchow86 closed 8 years ago

alvinchow86 commented 8 years ago

Implementing alternative user authentication using Github OAuth2, using Github Flask (https://github-flask.readthedocs.org/en/latest/). Tested and works. You need to register a Github OAuth application, and then set these in your config JSON:

[screenshot: the config JSON settings to add]

Basically when a user clicks on "Sign in with Github", they go to Github, authorize this application, Github redirects to the wiki with an OAuth2 access token. We then use this to fetch the user's username/email/organization membership, and log them in if it matches.

This is a proof of concept, and I'm not 100% happy with the integration into the existing codebase. I basically added a separate app/module called github, and use it for doing auth instead of the existing auth module. Originally I tried to fit the code in auth, but I wanted to avoid needing to have a DB-backed User model because you don't really need it anymore. Another approach might be to make a more generic oauth.

We might want to look into making this more generic and supporting other OAuth backends (e.g. Google). For me Github makes sense because I can imagine this wiki being popular for programming teams moving off of Github wikis. If a team is already set up on Github, this makes for a very smooth transition, as people don't have to make a new account. (May make sense to also set PRIVATE_WIKI=true)

Upcoming changes:

Can also get ideas from https://github.com/scragg0x/realms-wiki/pull/79

https://developer.github.com/v3/oauth/
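As an added illustration of the flow described in this PR (example code, not from the PR or from Realms), the two pieces a Flask view would wrap around GitHub-Flask: an authorize URL carrying a random `state` that the callback must echo back before the token is trusted, and the membership check behind hypothetical `GITHUB_AUTHORIZED_ORG` / `GITHUB_AUTHORIZED_USERNAMES` settings. The `api_get` callable and `SAMPLE_API` responses are constructed stand-ins for the real GitHub API calls made with the access token.

```python
import hmac
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://github.com/login/oauth/authorize"


def new_state():
    """Per-login random value, stored server-side in the session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, redirect_uri, state):
    """Step 1: where "Sign in with Github" sends the browser.
    user:email and read:org are the GitHub scopes needed to read the
    user's email and (private) organization memberships."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "scope": "user:email read:org", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}"


def state_matches(expected, received):
    """Step 2: reject a callback whose state was not issued to this
    session (login CSRF). Constant-time compare; non-ASCII input is
    encoded first so compare_digest cannot raise."""
    if not expected or received is None:
        return False
    return hmac.compare_digest(expected.encode(), received.encode())


def authorize_user(api_get, config):
    """Steps 3-4: api_get(path) returns a GitHub API resource as JSON,
    fetched with the access token. Returns the login to sign in as, or
    None when the user is in neither allowed list (fail closed)."""
    login = api_get("/user")["login"]
    # GitHub logins are case-insensitive, so compare lower-cased.
    allowed_users = {u.lower() for u in config.get("GITHUB_AUTHORIZED_USERNAMES", [])}
    if login.lower() in allowed_users:
        return login
    allowed_org = config.get("GITHUB_AUTHORIZED_ORG")
    if allowed_org:
        orgs = {o["login"].lower() for o in api_get("/user/orgs")}
        if allowed_org.lower() in orgs:
            return login
    return None


# Constructed sample API responses standing in for api.github.com.
SAMPLE_API = {
    "/user": {"login": "octocat", "email": "octocat@example.com"},
    "/user/orgs": [{"login": "example-team"}],
}
```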

scragg0x commented 8 years ago

Added in PR #85

alvinchow86 commented 8 years ago

@scragg0x nice to see that auth branch merged in. Did you implement something like GITHUB_AUTHORIZED_ORG or GITHUB_AUTHORIZED_USERNAMES, to automatically authenticate users based on Github membership?

scragg0x commented 8 years ago

I haven't but it's a good idea.