authenticate grails server with GitHub - so users only see what they are doing and only allow some to do upload

[nathandunn]

• [x] link GitHub and Google to certain roles (can set default roles only(
• [ ] test securing rest controller (make sure we can send jwt token across)
• [ ] test access using React client

---

• [ ] hard-code admin users in
• [ ] integrate same within Xena server depending on the page
• [ ] add "Login to Upload" button
• [ ] bootstrap default users and roles
• [ ] have a "user" popup for admins to promote to admins / or just have default admins
• [ ] when getting the initial app-state need to return the max-role

---

• [ ] logged in users can upload GMT files with limit of 50
• [ ] Allow users to delete their own
• [ ] Users may only see their own
• [ ] They CAN share private links, though
• [ ] user uploaded should show up as "(user XXX) . . . gmt name"

---

Follow: https://guides.grails.org/grails-oauth-google/guide/index.html (and) https://github.com/nathandunn/grails-oauth-google

• [x] add roles (2)
• [x] add users with roles (for allowed users)
• [x] setup properly using the google developers API: https://console.developers.google.com/apis/credentials?project=createcertificates2
• [x] verify permissions
• [x] add GitHub authentication
• [x] update for Grails 4 / newer libraries

---

https://grails-plugins.github.io/grails-spring-security-rest/latest/docs/#_google

---

This uses google for Outh2 as below here. This is actually using the REST plugin:

https://plugins.grails.org/plugin/grails/spring-security-rest

https://guides.grails.org/grails-oauth-google/guide/index.html

https://github.com/grails-guides/grails-oauth-google/tree/master/complete

---

Authorize REST version for login:

https://grails-plugins.github.io/grails-spring-security-rest/latest/docs/

good example of how to do the providers with Spring Boot:

https://www.callicoder.com/spring-boot-security-oauth2-social-login-part-1/

[nathandunn]

https://grails-plugins.github.io/grails-spring-security-oauth2-provider/latest/manual/guide/introduction.html

This is a provider.

https://github.com/settings/applications/1479413

[nathandunn]

• [x] setup properly using the google developers API: https://console.developers.google.com/apis/credentials?project=createcertificates2
• [x] verify permissions

---

• [ ] integrate same within Xena server depending on the page
• [ ] add "login" button

[nathandunn]

I was getting it "work" here: https://github.com/nathandunn/grails4-multiple-oauth-example/settings

However, it was using a legacy API.

Using this guide instead:

https://guides.grails.org/grails-test-security/guide/index.html

https://github.com/grails-guides/grails-test-security.git

[nathandunn]

Note for https://github.com/nathandunn/grails4-multiple-oauth-example this almost works.

We need to be able to specify that some users are "ADMIN" and some are not, regardless of their role. I think what happens, is that all users end up being secured in the same way and we use a separate permission service to check particular users.

[nathandunn]

This needs to be replicated using a REST-full controller with React

[nathandunn]

Potentially I need to add the OauthID to the Person object and provide grails.plugin.springsecurity.oauth2.domainClass = 'com.insilico.dmc.OAuthID'

However, its unclear.

[nathandunn]

curl api call:

curl -v -H 'Accept: application/json' -H "Cookie: jwt=" http://localhost:8080/api/

[nathandunn]

https://github.com/geneontology/noctua/blob/b94742910718b5f05c76bf26914c74b2b3e3a8fb/barista.js#L1093

https://github.com/geneontology/noctua/blob/b94742910718b5f05c76bf26914c74b2b3e3a8fb/barista.js#L1141

[nathandunn]

Almost working but react-google-login uses a different token strategy when decoding (i.e., not MAC512, but RS 256) so completely different, though maybe can be transcoded?

Going to use the googleapis oauth2 client instead to get a potentially more consistent token . . .

[nathandunn]

{
  "alg": "RS256",
  "kid": "fed80fec56db99233d4b4f60fbafdbaeb9186c73",
  "typ": "JWT"
}

vs

{
  "alg": "HS256"
}

Also note, this is how you add extractors to pull out users with Spring Boot (less sure about Grails, but may not be necessary):

https://medium.com/@bvulaj/mapping-your-users-and-roles-with-spring-boot-oauth2-a7ac3bbe8e7f

https://github.com/eugenp/tutorials/blob/master/spring-security-modules/spring-5-security-oauth/src/main/java/com/baeldung/oauth2extractors/ExtractorsApplication.java

[nathandunn]

Even if we can do other than we can only verify with HS256. Noted here: https://github.com/grails-plugins/grails-spring-security-rest/issues/490

[nathandunn]

So grails does not support this explicitly. Not sure fix version. Options:

1. authenticate against API directly using a redirect and refresh back with a returned JWT key

2. use auth0 which allows Auth0 and provides a plugin with Grails that does this already
3. provide an API token if authenticated . . . still hard for an open-source tool to use
4. make all uploads ephemeral for non-logged in users and limit users? or just limit security

Will try 1, shoot for 2, and then do 4.

[nathandunn]

Finally will need to map to a domain class at some point as well.

For 1 it is problematic as it comes back as an httponly cookie, which I think is a good thing, but then not rebroadcast as part of the axis request.

[nathandunn]

Because the domain is not (and will not be shared likely), we can't share the httpOnly cookie (even if just different ports).

Definitely possible to put them on the same domain, but a different path. however, not sure if that would work either. As HS256 is less than preferred, especially for open-source, may look to another model.

[nathandunn]

for 1. Note the current state is here: http://github.com/nathandunn/grails4-multiple-oauth-example and https://github.com/nathandunn/test-oauth2-client

Auth0 grails integration example guides here: https://github.com/auth0/auth0-spring-security-api https://github.com/auth0-samples/auth0-spring-security-api-sample

[nathandunn]

Oh, this is the sample we want:

https://github.com/auth0-samples/auth0-grails3-spring-security-mvc-sample

or this one:

https://github.com/auth0-samples/auth0-grails3-mvc-sample

[nathandunn]

Probably the easiest thing to do would be to login the front and then use https://github.com/jwtk/jjwt#jws-key-rsa to verify the key: https://github.com/jwtk/jjwt#verification-key

[nathandunn]

• [x] confirm token is JWT
• [x] attempt to decode accessToken on server
• [ ] integrate within the repo