<p><b>@gravitystorm</b> commented on this pull request.</p>
<p>I'm not in a great position to review this PR since I have no idea how either OAuth 2 or Doorkeeper works! So I've read through the changes and commented on things that jumped out to me.</p>
<p>I also intend to review the front-end pages and forms, and maybe see if I can rearrange the translations slightly (I like having e.g. form buttons auto-translated, although I know it can be a faff to discover the right i18n key for them), but I don't think any of that would be a blocker.</p>
<p>I don't have enough knowledge about the deeper questions of how the fundamental OAuth2 stuff works to comment on that.</p><hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3177#discussion_r613437195">config/locales/en.yml</a>:</p>
<pre style='color:#555'>> @@ -73,7 +73,7 @@ en:
way_node: "Way Node"
way_tag: "Way Tag"
# Translates all the model attributes, which is used in error handling on the web site
- # Only the ones that are used on the web site are translated at the moment
+ # Only the ones that are used on theweb site are translated at the moment
</pre>
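<p>Review bot: the changed comment line introduces a typo, "theweb" in place of "the web", while the removed line was already correct; this hunk should be dropped (or the comment restored to "the web site") rather than merged as is.</p>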
<p>typo</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3177#discussion_r613438996">.rubocop_todo.yml</a>:</p>
<pre style='color:#555'>> @@ -141,6 +141,10 @@ Rails/HelperInstanceVariable:
Exclude:
- 'app/helpers/title_helper.rb'
+Rails/LexicallyScopedActionFilter:
+ Exclude:
+ - 'app/controllers/oauth2_applications_controller.rb'
</pre>
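<p>Review bot: the new <code>Rails/LexicallyScopedActionFilter</code> exclusion for <code>app/controllers/oauth2_applications_controller.rb</code> carries no explanation, so whoever next trims <code>.rubocop_todo.yml</code> will not know that the actions named in the controller's filters are defined in a parent class (which is what the suggested <code>def show; super; end</code> stub relies on) rather than genuinely missing. Either add a short comment above the exclusion saying so, or define the filtered actions explicitly in the controller so the cop passes and no exclusion is needed.</p>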
<p>Alternatively, we could add something like</p>
<pre><code>def show
super
end
</code></pre>
<p>for each of the affected methods</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3177#discussion_r613441355">app/controllers/application_controller.rb</a>:</p>
<pre style='color:#555'>> set_locale
report_error t("oauth.permissions.missing"), :forbidden
elsif current_user
set_locale
respond_to do |format|
- format.html { redirect_to :controller => "errors", :action => "forbidden" }
+ format.html { redirect_to :controller => "/errors", :action => "forbidden" }
</pre>
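<p>Review bot: the leading slash in <code>:controller => "/errors"</code> is the Rails convention for an absolute controller path: it makes the redirect resolve to the top-level <code>ErrorsController</code> even when this filter runs inside a namespaced controller (as a mounted engine's controllers are), where a bare <code>"errors"</code> would be looked up relative to that namespace and fail to route. Because it is easy to misread as a stray character, a one-line comment at the redirect explaining why the slash is required would save the next reader the same question.</p>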
<p>I'm curious about the additional forward slash. I assume it's some kind of scoping thing, but it's not something that I've seen before. Is <code>:controller => :errors</code> an alternative?</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3177#discussion_r613445130">app/models/user.rb</a>:</p>
<pre style='color:#555'>> @@ -68,6 +68,8 @@ class User < ApplicationRecord
has_many :client_applications
has_many :oauth_tokens, -> { order(:authorized_at => :desc).preload(:client_application) }, :class_name => "OauthToken"
+ has_many :oauth2_applications, :class_name => Doorkeeper.config.application_model.name, :foreign_key => :owner_id
</pre>
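<p>Review bot: <code>has_many :oauth2_applications</code> is declared with only <code>:foreign_key => :owner_id</code>; if Doorkeeper's application model declares its owner as a polymorphic <code>belongs_to</code> (an <code>owner_id</code> plus an <code>owner_type</code> column), the association should use <code>:as => :owner</code> instead, otherwise the lookup is not scoped by <code>owner_type</code> and the inverse association is not set up. Worth checking against the Doorkeeper configuration this PR enables before merging.</p>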
<p>Although we currently have it disabled in rubocop, we should probably start adding dependent definitions to our <code>has_many</code> relationships. <a href="https://docs.rubocop.org/rubocop-rails/cops_rails.html#railshasmanyorhasonedependent" rel="nofollow">https://docs.rubocop.org/rubocop-rails/cops_rails.html#railshasmanyorhasonedependent</a> As it stands, it's not clear what should happen to the <code>:oauth2_applications</code> when a user is destroyed, or whether having the applications should block the destroy from completing.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3177#discussion_r613448432">db/migrate/20201004105659_create_doorkeeper_tables.rb</a>:</p>
<pre style='color:#555'>> +
+ create_table :oauth_access_grants do |t|
+ t.references :resource_owner, :null => false, :type => :bigint
+ t.references :application, :null => false
+ t.string :token, :null => false
+ t.integer :expires_in, :null => false
+ t.text :redirect_uri, :null => false
+ t.datetime :created_at, :null => false
+ t.datetime :revoked_at
+ t.string :scopes, :null => false, :default => ""
+ t.column :code_challenge, :string, :null => true
+ t.column :code_challenge_method, :string, :null => true
+ end
+
+ add_index :oauth_access_grants, :token, :unique => true
+ add_foreign_key :oauth_access_grants, :users, :column => :resource_owner_id, :validate => false
</pre>
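<p>Review bot: <code>add_foreign_key :oauth_access_grants, :users, ..., :validate => false</code> creates the constraint as NOT VALID on PostgreSQL, so it is enforced for new rows but existing rows are never checked until a separate <code>validate_foreign_key :oauth_access_grants, :users</code> is run. Since <code>create_table :oauth_access_grants</code> appears in the same migration, the table is guaranteed empty at this point and validation would be instant; either drop <code>:validate => false</code> (inside a <code>safety_assured</code> block if the migration linter objects) or add the follow-on validate migration in this PR, so the constraint does not stay unvalidated indefinitely. The same applies to any foreign key added for <code>:application</code>, which this hunk does not show.</p>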
<p>I think we'll need a follow-on migration to validate these, or alternatively some safety_assured work given that we know the tables will be empty when the foreign key is added.</p>
<hr>
<p>In <a href="https://github.com/openstreetmap/openstreetmap-website/pull/3177#discussion_r613453153">app/models/user.rb</a>:</p>
<pre style='color:#555'>> @@ -68,6 +68,8 @@ class User < ApplicationRecord
has_many :client_applications
has_many :oauth_tokens, -> { order(:authorized_at => :desc).preload(:client_application) }, :class_name => "OauthToken"
+ has_many :oauth2_applications, :class_name => Doorkeeper.config.application_model.name, :foreign_key => :owner_id
+
</pre>
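<p>Review bot: with only <code>:oauth2_applications</code> declared and no <code>:dependent</code> option, destroying a user does nothing about the Doorkeeper rows that belong to them: applications keep a dangling <code>owner_id</code>, and access grants and access tokens keyed by <code>resource_owner_id</code> are left behind, while the <code>add_foreign_key :oauth_access_grants, :users</code> added in the migration will in any case reject the delete at the database level. Add <code>has_many :access_grants</code> and <code>has_many :access_tokens</code> (using <code>Doorkeeper.config.access_grant_model.name</code> and <code>Doorkeeper.config.access_token_model.name</code>, with <code>:foreign_key => :resource_owner_id</code>) and an explicit <code>:dependent</code> on all three associations, so that revoking a deleted user's grants and tokens is a deliberate decision rather than a side effect.</p>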
<p>At the bottom of <a href="https://doorkeeper.gitbook.io/guides/ruby-on-rails/getting-started" rel="nofollow">https://doorkeeper.gitbook.io/guides/ruby-on-rails/getting-started</a> it suggests adding more has_many definitions (to access_grants and access_tokens), mainly it seems so that the <code>:dependent</code> option can be set. Do we need these too?</p>