[openstreetmap/openstreetmap-website] Add support for OAuth 2 (#3177)
Andy Allan
notifications at github.com
Wed Apr 14 17:52:12 UTC 2021
@gravitystorm commented on this pull request.
I'm not in a great position to review this PR since I have no idea how either OAuth 2 or Doorkeeper work! So I've read through the changes and commented on things that jumped out to me.
I also intend to review the front-end pages and forms, and maybe see if I can rearrange the translations slightly (I like having e.g. form buttons auto-translated, although I know it can be a faff to discover the right i18n key for them), but I don't think any of that would be a blocker.
I don't have enough knowledge about the deeper questions of how the fundamental OAuth2 stuff works to comment on that.
> @@ -73,7 +73,7 @@ en:
way_node: "Way Node"
way_tag: "Way Tag"
# Translates all the model attributes, which is used in error handling on the web site
- # Only the ones that are used on the web site are translated at the moment
+ # Only the ones that are used on theweb site are translated at the moment
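Review bot: the `+` line drops the space in `the web site`, turning it into `theweb site`; restore the space so the comment reads `# Only the ones that are used on the web site are translated at the moment`, since nothing else in the hunk changes.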
typo
> @@ -141,6 +141,10 @@ Rails/HelperInstanceVariable:
Exclude:
- 'app/helpers/title_helper.rb'
+Rails/LexicallyScopedActionFilter:
+ Exclude:
+ - 'app/controllers/oauth2_applications_controller.rb'
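Review bot: the new `Rails/LexicallyScopedActionFilter` exclusion silences the cop for the whole of `app/controllers/oauth2_applications_controller.rb`, so it will also miss any future `before_action`/`only`/`except` entry in that file that names an action the class does not define. Prefer declaring the inherited actions explicitly (`def show; super; end` and so on) so the cop keeps checking the file, or narrow the exclusion to an inline `rubocop:disable` on the one filter that triggers it.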
Alternatively, we could add something like
```ruby
def show
  super
end
```
for each of the affected methods
> set_locale
report_error t("oauth.permissions.missing"), :forbidden
elsif current_user
set_locale
respond_to do |format|
- format.html { redirect_to :controller => "errors", :action => "forbidden" }
+ format.html { redirect_to :controller => "/errors", :action => "forbidden" }
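Review bot: the leading slash in `:controller => "/errors"` is not explained at the call site and a one-line comment would help, since it is easy to read as a typo. In Rails' `url_for`/`redirect_to` options a controller name beginning with `/` is resolved from the top level, so the redirect still reaches `ErrorsController` when this filter runs inside a namespaced controller, whereas `"errors"` (or `:errors`) is looked up relative to the current controller's module.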
I'm curious about the additional forward slash. I assume it's some kind of scoping thing, but it's not something that I've seen before. Is `:controller => :errors` an alternative?
> @@ -68,6 +68,8 @@ class User < ApplicationRecord
has_many :client_applications
has_many :oauth_tokens, -> { order(:authorized_at => :desc).preload(:client_application) }, :class_name => "OauthToken"
+ has_many :oauth2_applications, :class_name => Doorkeeper.config.application_model.name, :foreign_key => :owner_id
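Review bot: the new `has_many :oauth2_applications` carries no `:dependent` option, so `User#destroy` neither removes the owned applications nor refuses to run while they exist, unlike the explicit handling the surrounding associations will need. Decide between `:dependent => :destroy` and `:dependent => :restrict_with_exception` here, and keep that choice consistent with the foreign keys the migration adds.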
Although we currently have it disabled in rubocop, we should probably start adding dependent definitions to our `has_many` relationships. https://docs.rubocop.org/rubocop-rails/cops_rails.html#railshasmanyorhasonedependent As it stands, it's not clear what should happen to the `:oauth2_applications` when a user is destroyed, or whether having the applications should block the destroy from completing.
> +
+ create_table :oauth_access_grants do |t|
+ t.references :resource_owner, :null => false, :type => :bigint
+ t.references :application, :null => false
+ t.string :token, :null => false
+ t.integer :expires_in, :null => false
+ t.text :redirect_uri, :null => false
+ t.datetime :created_at, :null => false
+ t.datetime :revoked_at
+ t.string :scopes, :null => false, :default => ""
+ t.column :code_challenge, :string, :null => true
+ t.column :code_challenge_method, :string, :null => true
+ end
+
+ add_index :oauth_access_grants, :token, :unique => true
+ add_foreign_key :oauth_access_grants, :users, :column => :resource_owner_id, :validate => false
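Review bot: `add_foreign_key :oauth_access_grants, :users, ... :validate => false` creates the `resource_owner_id` constraint as NOT VALID and this hunk contains no matching `validate_foreign_key :oauth_access_grants, :users`, so it stays flagged unvalidated (new rows are still checked, pre-existing ones never are). Add the validation in a follow-up migration, or wrap the `add_foreign_key` in `safety_assured` since the table is created empty a few lines above. Separately, `t.references :application, :null => false` in this hunk has no `:foreign_key` to the applications table; if that is deliberate, a comment saying why would help.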
I think we'll need a follow-on migration to validate these, or alternatively some safety_assured work given that we know the tables will be empty when the foreign key is added.
> @@ -68,6 +68,8 @@ class User < ApplicationRecord
has_many :client_applications
has_many :oauth_tokens, -> { order(:authorized_at => :desc).preload(:client_application) }, :class_name => "OauthToken"
+ has_many :oauth2_applications, :class_name => Doorkeeper.config.application_model.name, :foreign_key => :owner_id
+
At the bottom of https://doorkeeper.gitbook.io/guides/ruby-on-rails/getting-started it suggests adding more has_many definitions (to access_grants and access_tokens), mainly it seems so that the `:dependent` option can be set. Do we need these too?
Reply to this email directly or view it on GitHub:
https://github.com/openstreetmap/openstreetmap-website/pull/3177#pullrequestreview-635875662