Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(friendshipper): move oidc auth + refresh logic into the backend #384

Open
wants to merge 3 commits into
base: main
Choose a base branch
from

Conversation

rudoi
Copy link
Member

@rudoi rudoi commented Dec 16, 2024

No description provided.

@rudoi rudoi requested a review from a team as a code owner December 16, 2024 01:06
@rudoi rudoi changed the title chore(friendshipper): move oidc auth + refresh logic into the backend" chore(friendshipper): move oidc auth + refresh logic into the backend Dec 16, 2024
@rudoi rudoi added the ci ready label Dec 16, 2024
Copy link
Contributor

@chris-believer chris-believer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, this is great! I think this shares SSO with the browser, whereas before they were independent, correct?

I'm definitely less clear on the JS interactions, and potential edge cases with the error handling around the backend. It looks like the token json is stored in localStorage, so across a restart the frontend will have the last-saved token, but how does that token get used by the backend? I think the answer is that the backend only accesses AWS with credentials provided by the frontend?

During testing (on Linux!) I got into a state where pages other than Home were reporting back only "500 Internal Error". This happens after using the Logout button in Prefs. After clicking logout it restarts the client, pops the browser window and that looks successful, but tauri fails to build any of the other pages.

Otherwise, everything seems solid. Other than the couple of questions, everything LGTM!

core/Cargo.toml Outdated
@@ -78,14 +78,15 @@ ureq = "2.6.2"
which = "4.4.0"
json-patch = "1.1.0"
ring = "0.17"
graphql_client = { version = "0.13.0", features = ["reqwest"] }
graphql_client = { git = "https://github.com/graphql-rust/graphql-client.git", rev = "9b91a7f7d4a21dbbeacf974bce63fe5e55620ca8", features = ["reqwest"] }
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Worth calling out why this and openidconnect are pinned to git?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for sure, i'll comment it (it's underlying dependency nonsense)

let auth_handle = handle.clone();
thread::spawn(move || {
while let Ok(tokens) = oidc_rx.recv() {
auth_handle.emit_all("oidc-tokens", &tokens).unwrap();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this unwrap safe? Are there any non-catastrophic conditions where the emit_all can fail but the tauri app doesn't exit completely?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll handle it instead. I've never run into an issue here but famous last words

@@ -91,7 +95,16 @@
}
},
"security": {
"csp": null
"csp": {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you describe what this is doing?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually this might not be necessary anymore. Let me do some testing. Originally I was popping the OIDC login into the friendshipper window directly, which requires some CSP modification. Lemme get back to you.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

confirmed unnecessary

@@ -415,7 +356,7 @@
if ($appConfig.repoPath !== '') {
const [repoConfigResponse, repoStatusResponse, commitsResponse] = await Promise.all([
getRepoConfig(),
getRepoStatus(SkipDllCheck.False, AllowOfflineCommunication.False),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do these parameters change?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these are actually the function's defaults

@rudoi rudoi force-pushed the ar/okta-mac-2 branch 3 times, most recently from a6452eb to b5a39f6 Compare December 16, 2024 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants