This is one big change that replaces all the auth. It has a couple of smaller commits, but I can't really split the big one down much further.
As this changes the process flags, it will break if deployed without a corresponding service-conf change.
Before:
There's a Providers structure, as part of the global API state
The Providers structure contains a map of providerName -> Provider
A Provider is an abstraction of some social login, e.g. Google or GitHub
Email login is completely different - emails work by matching user
level tokens.
After:
There's an Auth0 structure, that takes the place of the Providers
structure - however, this structure now handles all login and
logout actions. Even if we want to move to a different SSO service,
we don't want to use more than one at a time.
The Auth0 structure contains a mapping of providerName -> Connection
Connection is the Auth0 integration with Google or GitHub. It
allows us to set connection-specific options (e.g. scopes).
Email login is part of Auth0, so it's almost just another login
form - except it needs slightly different API calls. Ugh.
In order to start making Auth0 a source of truth for users, this
pushes user data up into Auth0 - including our custom company name
question from signup. This does not export any kind of team/org
membership though, nor does Auth0 provide any of that back.
Things I haven't been able to test properly locally:
Pushing SSH keys to GitHub - I'll be able to do that in dev.
Things that are still bad:
2-month sessions with no session extension with your identity provider
This will make GetAccessToken fail with expired tokens. I'm not
sure yet what that means in practice - however, that's only used by
GitHub, so see above.
Things that are now worse:
The Auth0 configuration is not version controlled.
Auth0 now sends login/team invite emails instead of us, and those
templates are not version controlled.
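The shape described above (one Auth0 structure owning all login flows, a providerName -> Connection map carrying per-connection scopes, email login going through the same tenant without a connection, and GetAccessToken failing once the identity-provider token outlives the session), written out as an added example. This is illustrative Go and not the project's own code: the tenant domain, client ID, redirect URI, connection names, scopes and the IdentityToken/SampleAuth0 helpers are assumptions; the /authorize query parameters (response_type, client_id, redirect_uri, state, connection, scope) are the standard Auth0 ones.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Connection is one Auth0 connection (the Google or GitHub integration) plus
// the connection-specific options we want to set, such as provider scopes.
type Connection struct {
	Name   string   // Auth0 connection name, e.g. "github"
	Scopes []string // provider scopes requested at login, e.g. "write:public_key"
}

// Auth0 takes the place of the old Providers structure: one SSO integration
// that owns every login/logout action, keyed by providerName -> Connection.
type Auth0 struct {
	Domain      string // Auth0 tenant domain (assumed value in SampleAuth0)
	ClientID    string
	RedirectURI string
	Connections map[string]Connection
}

// ErrTokenExpired is what GetAccessToken returns once the identity-provider
// token cached for the user has expired and no session extension ran.
var ErrTokenExpired = errors.New("identity-provider access token has expired")

// LoginURL builds the Auth0 /authorize URL for a provider. Social providers
// pass their connection name and scopes; email login uses the same tenant and
// client but no connection parameter (hypothetical wiring, not project code).
func (a *Auth0) LoginURL(providerName, state string) (string, error) {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", a.ClientID)
	q.Set("redirect_uri", a.RedirectURI)
	q.Set("state", state) // CSRF binding for the callback, always required
	if providerName != "email" {
		conn, ok := a.Connections[providerName]
		if !ok {
			return "", fmt.Errorf("unknown provider %q", providerName)
		}
		q.Set("connection", conn.Name)
		if len(conn.Scopes) > 0 {
			q.Set("scope", strings.Join(conn.Scopes, " "))
		}
	}
	return "https://" + a.Domain + "/authorize?" + q.Encode(), nil
}

// IdentityToken is the provider access token Auth0 hands back for a user,
// together with the expiry recorded alongside it (assumed representation).
type IdentityToken struct {
	AccessToken string
	ExpiresAt   time.Time
}

// GetAccessToken returns the provider token only while it is still valid, so a
// caller such as the GitHub SSH-key push sees ErrTokenExpired rather than an
// opaque upstream 401 once a two-month session outlives the token.
func (a *Auth0) GetAccessToken(tok IdentityToken, now time.Time) (string, error) {
	if tok.AccessToken == "" {
		return "", errors.New("no identity-provider token for this user")
	}
	if !now.Before(tok.ExpiresAt) {
		return "", ErrTokenExpired
	}
	return tok.AccessToken, nil
}

// SampleAuth0 is a constructed configuration for this example; the domain,
// client ID, redirect URI and scopes are assumptions, not real values.
func SampleAuth0() *Auth0 {
	return &Auth0{
		Domain:      "example.eu.auth0.com",
		ClientID:    "example-client-id",
		RedirectURI: "https://app.example.com/auth/callback",
		Connections: map[string]Connection{
			"github": {Name: "github", Scopes: []string{"user:email", "write:public_key"}},
			"google": {Name: "google-oauth2", Scopes: []string{"email", "profile"}},
		},
	}
}

func main() {
	a := SampleAuth0()
	for _, p := range []string{"github", "google", "email"} {
		u, err := a.LoginURL(p, "state-123")
		fmt.Println(p, u, err)
	}
	expired := IdentityToken{AccessToken: "gho_example", ExpiresAt: time.Now().Add(-time.Hour)}
	_, err := a.GetAccessToken(expired, time.Now())
	fmt.Println("expired token:", err)
}
```

The point of the expiry check is the failure mode the message calls out: with no session extension, the session can be valid while the provider token is not, and it is better for GetAccessToken to return a distinguishable error than to let the GitHub call fail downstream.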