thoughts on multi auth provider

[amitu]

Currently fastn handles oauth by storing the auth tokens etc in a cookie. fastn can use this cookie to for auth-groups feature. But how do we develop say a django app, with uses auth?

We are building fastn to be the main framework that takes care of authentication, else fastn can not have any authentication related features. Further we want to free most apps that are built on top to be free from auth related concern, they just want the user to be logged in and have access to some sort of unique user id.

User Table

class User(models.Model):
    email = models.EmailField()
    username = models.TextField(null=True)
    password = models.TexitField()  # bcrypted  password of the user
    name = models.TextField()  # full name of the user
    created_on = models.DateTimeField()

Session Table

class Session(models.Model):
    user = models.ForeignKey(User)
    created_on = models.DateTimeField()  # when user logged in

On logout we delete the row from session table.

Team/User Groups

Other than the user-group feature we have, we do not want to support team/group as that ends up being too much. Maybe we can tomorrow have some app that comes from community that tackles team or user groups.

User's Always Have Email

If we are using multiple auth provider, our biggest concern is to tie them together into one. Say you are signed up via github and next time you used Google auth, do we create a new user or re-use the existing account?

We can make our lives much simpler by saying a. all auth providers must return email for it to be successful, and b. if email from two auth provider is same it is the same account.

class Email(models.Model):
    email = models.EmailField()
    user = models.ForeignKey(User)

Password Based Auth

Do we support password based auth? We will have to worry about email confirmation. We can do that by creating another table fastn_incomplete_account:

class IncompleteAccount(models.Model):
     email = models.EmailField()
     username = models.TextField()
     password = models.PasswordField()
     confirmation_code = models.TextField()
     created_on = models.DateTimeField()

Username?

Since username is not always provided by auth providers, we will have to check with developer if they want username to be compulsory, and if so show "pick username" step in the auth journey.

Multiple Emails For An Account

For each user we have an ability to store more than one email address. One of those email addresses would be the "default", this can be useful for notification etc, this would be stored in the fastn_user table. All emails, including primary email, would be stored in fastn_email table, with a foreign key to fastn_user row.

Tokens Table

For every auth provider one has used to login, we get a auth token, we store all of them in fastn_auth_token table.

class Token(models.Model):
    session = models.ForeignKey(Session)
    token = models.TextField()
    provider = models.TextField()
    created_on = models.DataTimeField()

Tokens are associated with session, and are deleted with a session is deleted on logout. You can not use access you granted on Desktop session to your Mobile session (assuming you are logged in on both). If you want to do some Github specific query, you have to be logged in on that specific device.

Backend Queries?

If you have authorised, can we do queries on your behalf in the backend, with no session active? Should we not associate tokens with sessions?

Merge Account

If user is currently logged in, and successfully authenticates using another auth method, with a different email address, we ask the user if they want to attach their new email address to this account.

Along with that we also have an explicit merge account feature. For merging you have to be logged in with both accounts.

How would we build UI?

UI is to be in control of the user's package. We will expose processors to get current state, and APIs that can be used as form actions.

APIs

/-/auth/create-user/

This API takes username, email, name, password to create an IncompleteUser. This API also sends a confirmation email.

TODO: How would we send email? How would we manage email template?

/-/auth/resend-confirmation-email/

/-/auth/login/?next=/

For username/email password based authentication.

/-/auth/send-email-login-code/

For email only login flow, enter login, get a mail, browser shows a form with input for code. Click on the link or enter the code to login.

/-/auth/logout/?next=/

/-/auth/confirm-email/?code=<>

The URL that will be included in the email confirmation emails.

/-/auth/add-email/

To current account.

class EmailAccount(models.Model):
     email = models.EmailField()
     user = models.ForeignKey(User)
     confirmation_code = models.TextField()
     created_on = models.DateTimeField()

/-/auth/update-name/

Updates name.

/-/auth/update-password/

/-/auth/update-username/

/-/auth/update-email/

Does this update it right away or waits for confirmation code?

/-/auth/disable-account/

This can be used to to disable an account, no more logins, existing sessions get cleared.

/-/auth/close-sessions/?session=<session-id|all>

This will clear all the sessions for this user other than current session.

Processors

These processors can be used to get user's information to create various forms.

auth.User-Info

Contains bulk of information.

[siddhantk232]

• migration feature in fastn would be ideal but we can start with implementing these routes first.
• extra configurable json fields. This will be integrated in the signup flow. Eg. city, pincode etc.

[siddhantk232]

Update

• /-/auth/create-user/ is implemented.

[amitu]

Oh, super awesome! Send a PR :-)

[siddhantk232]

I will, after making the login route work with emailpassword login flow.
We can do email confirmations in a separate PR once the basic auth flow works (emailpassword signup/login + github oauth)