veritus / veritus-backend


Enhancement/facebook auth #61

Closed skabbi closed 2 weeks ago

skabbi commented 7 years ago

Status

Looking for feedback

Description

Allows logging in with Facebook credentials in addition to user/pass login.

Ways to try out Facebook login

1. By using swagger:

Swagger authentication now offers the user the option to use OAuth2.0 to authorize. (screenshot: swagger_oauth_login)

This prompts a Facebook login screen. (screenshot: swagger_facebook_login_screen)

After login, the user is redirected to the swagger API screen. (screenshot: swagger_oauth_login_success)

Notice that you should now have a cookie named csrftoken. This is what is used for authentication. (screenshot: swagger_oauth_login_cookie)

2. By using postman:

Attachment: Veritus-Login-and-add-promise.postman_collection.zip. I've added a postman collection that has both user/pass and Facebook login and shows how to add a promise.

For the Facebook login you will need to get an access_token from the Facebook developer page. @AriHrannar @Ragnar-H I've given you developer access to the Veritus-backend project I created, so you should (hopefully) have permission to get an access_token for it. (screenshot: facebook_developer_access_token)

3. By using the veritus-web:

I created the branch poc/facebook_login_example in the veritus-web project to make sure the login would work end-to-end. In the "Login" section there is now a small "Login With Facebook" button. (screenshot: veritus_facebook_login) After pressing the button, make sure you have a "csrftoken" cookie and a "veritus-token" in "Local Storage". (screenshot: veritus_confirm_token)

You should now be able to add a promise using the "Add Promise" section.

Admin roles

On the admin screen, you will now see a "SOCIAL_DJANGO" section (screenshot: admin_main_screen)

where admins can keep track of users that use social login. (screenshot: admin_social_users_screen)

These users then appear in the "Users" page, where they can be edited and given roles and/or permissions as usual. (screenshot: admin_users_screen)

Ragnar-H commented 7 years ago

I ❤️ the detailed description in the PR!

Aside from some questions on HTTP status codes: What's the reason for saving the token-type : csrf?

Is there any specific part of the PR you want feedback on?

Otherwise this looks awesome!

skabbi commented 7 years ago

> What's the reason for saving the token-type : csrf?

@Ragnar-H Great question, and something I really should have mentioned.

When authorizing with the server after user/pass login, you use the header "Authorization" with the value "Token {token}", as before. When authorizing with the server after Facebook login, you use the header 'X-CSRFToken' with the value from the cookie, plus sending the cookie itself with the request. But you can't send both headers at the same time unless both are valid, or else you get an error.

So adding a "token-type" was just an easy way for me to prevent both headers from being sent and getting a PoC up and running. This can be seen being used here.

> Is there any specific part of the PR you want feedback on?

Mostly I was unsure if I should be adding any other files than just "apps.py" and "views.py", and what logging, if any, I should be doing.
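The header selection described in the comment above, as an added client-side example that is not code from this PR or from veritus-web; the function names, the stored "token-type" values 'token' and 'csrf', and the fetch() options are assumptions:

```javascript
// Added example (not veritus-web code): pick exactly one auth scheme per request
// from the stored "token-type", so "Authorization" and "X-CSRFToken" are never
// sent together. readCookie/buildAuthHeaders are assumed names for illustration.

// Parse one cookie value out of a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return decodeURIComponent(rest.join('='));
  }
  return null;
}

// Build fetch() options carrying a single authentication scheme:
//  - 'token': user/pass login -> "Authorization: Token <token>"; cookies omitted so
//             the session cookie cannot drag a second scheme into the request
//  - 'csrf' : Facebook login  -> "X-CSRFToken: <csrftoken>" plus the cookies
//             themselves (credentials: 'include'); no Authorization header
// Missing material for the chosen scheme is an error rather than a silent fallback.
function buildAuthHeaders(tokenType, token, cookieString, extraHeaders = {}) {
  if ('Authorization' in extraHeaders || 'X-CSRFToken' in extraHeaders) {
    throw new Error('request already carries an auth header; refusing to add a second scheme');
  }
  if (tokenType === 'token') {
    if (!token) throw new Error('token-type "token" requires a stored veritus-token');
    return {
      headers: { ...extraHeaders, Authorization: `Token ${token}` },
      credentials: 'omit',
    };
  }
  if (tokenType === 'csrf') {
    const csrf = readCookie(cookieString, 'csrftoken');
    if (!csrf) throw new Error('token-type "csrf" requires a csrftoken cookie');
    return {
      headers: { ...extraHeaders, 'X-CSRFToken': csrf },
      credentials: 'include',
    };
  }
  throw new Error(`unknown token-type: ${tokenType}`);
}

// Constructed sample values: a stored token and a document.cookie-style string.
const sampleToken = 'abc123';
const sampleCookies = 'sessionid=s1; csrftoken=xyz%3D';
```

Pass the returned object to fetch() alongside the method and body; the `credentials` setting is the example's own choice and can be relaxed if the token scheme also needs cookies.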