Choose a new API that requires a token for authorization

[toby-thanathip]

Related to: #382

As of now, our project is using an API that doesn't require a token for authorization.

Because we are planning to add Authenticator to our templates, we need a token for this.

Now the main question is, which API should we use? Here are some options:

• ❌ Nimble Survey API (Bad option, because we don't want to expose answers to our code challenge)
• ❌ GitHub API (Bad option, because the token can only be generated from the developer settings, there's no API for it)
• ❌ OpenWeather API (Bad option, because they use a fixed API key in the request)

---

Then it finally hit me that we require an API, which supports OAuth 🙈

1️⃣ There are several options available, it's nice we can work with a real API, but there are some downsides:

• No flexibility or control, as we must follow their API documentation
• It requires storing an API key/secret/username/password, in order to generate a token

2️⃣ The second option is to create a mock server with Postman, sadly this is not a real API, but it has its benefits: 🚀

• More flexibility and control
• It doesn't requires storing any sensitive information

3️⃣ The final option is, don't add Authenticator to our templates and keep the current API.

→ But if all the clients require it, then we must add it anyways.

4️⃣ Any other option? I'm all ears

[ryan-conway]

@toby-thanathip Do we need to include the API in the template though? It seems pretty likely that the generated project is going to update their BASE_URL value 🤔
Since this is a template, it seems like the Authenticator should be API agnostic, so we could use any API for proof of work but we probably don't need the API in the template itself, just the Authenticator 😄 What do you think? 💡

[luongvo]

@ryan-conway @toby-thanathip IMO, we need a base Authenticator to form the standard logic for the implementation with some TODO comments for the refresh token API requesting action, etc. The main purpose of having an initial Authenticator is to avoid missing/wrong implementation.

The initial Authenticator needs to contain:

• max attempt/retry logic (normally set to 3).
• make use of synchronized(this) {} when executing the refresh token and re-build the request to handle multiple authenticator calls at a time.
• try/catch wrapping to catch errors during token refreshing. The default action in case an error has occurred.

[luongvo]

I added these requirements back to the ticket #228 ✅

[luongvo]

Hence, I voted for 4️⃣ Other (explain)

[luongvo]

The idea to have the initial Authenticator is the same as #522.