Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How is a client secret created for new person? #68

Closed
SimonLab opened this issue May 12, 2020 · 5 comments
Closed

How is a client secret created for new person? #68

SimonLab opened this issue May 12, 2020 · 5 comments
Assignees
Labels
bug Suspected or confirmed bug (defect) in the code in-progress An issue or pull request that is being worked on by the assigned person

Comments

@SimonLab
Copy link
Member

I've been tested the login with email feature and found that the following line crash the application:
expected a map, got: nil on localhost
invalid AUTH_API_KEY/client_id please check. on heroku (once every two login attempt)

Enum.filter(apikeys, fn(k) ->
k.client_id == client_id and state =~ k.url
end) |> List.first() |> Map.get(:client_secret)

So the application doesn't manage to get a valid client_secret for the user so either it crashed when using the Map.get function on a nil value or it returns an error unauthorized with:

Enum.filter(apikeys, fn(k) ->
k.client_id == client_id and state =~ k.url
end) |> List.first() |> Map.get(:client_secret)

I think this is due to the referer not properly set up.
I continue to investigate to see why the referer url could produce this error

@SimonLab SimonLab added the bug Suspected or confirmed bug (defect) in the code label May 12, 2020
@SimonLab SimonLab self-assigned this May 12, 2020
@SimonLab SimonLab changed the title How is an api key created for new user? How is a client secret created for new user? May 12, 2020
@SimonLab
Copy link
Member Author

Removing manually the refer on the verification link from the email allow us to verify the email address and to access the key management page.

@SimonLab SimonLab added the in-progress An issue or pull request that is being worked on by the assigned person label May 12, 2020
@SimonLab
Copy link
Member Author

I think this is the cause of the issue:

false -> # no referer, redirect back to Auth app.
AuthPlug.Helpers.get_baseurl_from_conn(conn) <> "/profile"
|> URI.encode
|> append_client_id(AuthPlug.Token.client_id())
end

When there isn't a referrer, one is automatically created with a client_id.
I'm not sure about the logic yet so I need to check the AuthPlug.Token.client_id() function first

@nelsonic
Copy link
Member

@SimonLab as we clarified on our Remote Pairing (Zoom) call,
the problem you were facing is that the seeds.exs file creates a API Key during mix ecto.setup which uses the default url for a Phoenix App: "www.example.com".
When the verify action attempts to lookup the client_secret from the state (URL) it will not match because "localhost:4000" !== "www.example.com" 😞

What you need to do to get this working on your localhost is edit two files:

First: the auth_url in the router.ex needs to be updated:

plug(AuthPlug, %{auth_url: "https://dwylauth.herokuapp.com"})

from: "https://dwylauth.herokuapp.com"
to: "http://localhost:4000"

And then in the seeds.exs file the "url" => "www.example.com"

"url" => "www.example.com" # the default host in %Plug.Conn

Needs to be: "url" => "http://localhost:4000"

Copy the resulting AUTH_API_KEY: value that is generated by mix ecto.setup into your .env file, run source .env and then re-run the app mix phx.server

Now it will work as you expect. 👍

The reason I have left the auth_url hard-coded in the router.ex file for MVP is just for simplicity. We can absolutely make it an Environment Variable in a next iteration.
I don't really care how many environment variables we have in the Auth app.
All I care is that our "Main" App https://github.com/dwyl/app only requires one.
Hence the effort made in PR #43 to create a single AUTH_API_KEY.
Which is demonstrated in: https://github.com/dwyl/auth_plug_example

Hope this helps clarify. 🤞
Thanks again for opening this issue. It helps me be more "Shoshin" in my work. ☯️

@nelsonic
Copy link
Member

I have updated the seeds.exs to not overwrite the AUTH_API_KEY but instead use the existing one in .env. #85
Hope that makes life simpler.

@nelsonic nelsonic changed the title How is a client secret created for new user? How is a client secret created for new person? Sep 15, 2020
@nelsonic
Copy link
Member

When this App is run on localhost the seeds.exs script will create an App
but not overwrite the AUTH_API_KEY (thus client_id / client_secret) in the .env file.
Also, the AUTH_API_KEY will be printed to stdout for confirmation.
So I believe this issue is fixed.

@SimonLab if you still experience any blockers related to this issue, please re-open. Thanks! 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Suspected or confirmed bug (defect) in the code in-progress An issue or pull request that is being worked on by the assigned person
Projects
None yet
Development

No branches or pull requests

2 participants