-
Notifications
You must be signed in to change notification settings - Fork 33
Implement an auth solution for publish #480
Comments
@gideonthomas Where does authentication take place with the current system? Does makedrive pick up on the webmaker auth cookie and use that to confirm a valid user? |
I'm pretty sure none of that logic is handled by makedrive. I believe that makedrive receives a token from the hosting app which is sent to the server and is handled by the passport.js stuff which honestly is sorta a black box to me. |
I've done the work on the front-end mostly, so the right person to ask would be @cadecairos |
a good resource to have while writing a strategy would be https://github.com/mozilla/id.webmaker.org/blob/develop/docs/oauth.md I'm not familiar with passport, so your best bet is their docs |
Initial research into this has surfaced the problem of how to prove the user is authenticated. If this was webmaker, we'd be relying on a cookie to allow a user to interact with makedrive in a seamless manner. There's no such mechanism without The most straightforward solution for thimble is to authenticate through the websocket, rather than before one is opened. Thimble could request a token from makedrive and pass it along to the user, who puts it through the websocket as the first message. We tried something similar with makedrive in the past. This would mean dropping passportjs entirely from the My guess is that a more general SSO solution will be needed. Follow the discussion in mozilla/thimble.webmaker.org#534 to see how this unfolds. |
We use passport.js for authentication so that we can make it pluggable. Currently we support multiple ways to authenticate with makedrive such as github, facebook, etc. This is done by us writing "passport-strategies" to make use of these apis.
Right now, we have one for the old
login.webmaker.org
system, however, sinceid.webmaker.org
is what's used now, we need to write a strategy (and provider I think) for that. Passport.js provides some oauth2 providers that we might be able to make use of to help us code the provider forid.webmaker.org
.A good person to find out more information from re: this is @alicoding since he wrote most of the existing code.
The text was updated successfully, but these errors were encountered: