Skip to content

fix(auth): update auth to use localStorage#540

Closed
yuvvantalreja wants to merge 7 commits into
vega:masterfrom
yuvvantalreja:master
Closed

fix(auth): update auth to use localStorage#540
yuvvantalreja wants to merge 7 commits into
vega:masterfrom
yuvvantalreja:master

Conversation

@yuvvantalreja

Copy link
Copy Markdown
Member

Problem

The application was experiencing authentication issues specifically in Safari:

  1. Cookies weren't being properly sent with requests in Safari due to its stricter third-party cookie policies
  2. When checking authentication status, Safari would return 304 Network Error
  3. Logout functionality wasn't working in Safari

Solution

Implemented a token-based authentication system as a workaround:

  1. Added localStorage-based authentication token storage:

    • Created browser utility functions to manage auth data in localStorage
    • Implemented token generation and validation on the backend
  2. Updated backend auth controller:

    • Implemented a token-based authentication system with secure validation
    • Enhanced token security with hmac signature verification

@vercel

vercel Bot commented May 15, 2025

Copy link
Copy Markdown

@yuvvantalreja is attempting to deploy a commit to the Dominik Moritz's projects Team on Vercel.

A member of the Team first needs to authorize it.

@yuvvantalreja

Copy link
Copy Markdown
Member Author

Updates:

  • Unified auth to use local storage on all browsers (127ac2c)
  • Implemented new architecture that allows direct GitHub API access from the frontend (62fc996)

Comment thread src/app.ts
this.app.use(passport.session());

// Handle preflight OPTIONS requests explicitly
this.app.options('*', (req, res) => {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need to handle preflight? Is that needed for something in auth?

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I was getting a bunch of CORS issues without them

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see let's say in the comment that it's needed for cors

Comment thread src/app.ts
res.header('Access-Control-Allow-Origin', origin);
}

res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need these?

Comment thread src/controllers/auth.ts
res.header('Access-Control-Allow-Origin', origin);
}

res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above

Comment thread src/controllers/auth.ts Outdated

const dataString = JSON.stringify(userInfo);
const signature = crypto
.createHmac('sha256', process.env.SESSION_SECRET || 'vega-editor-secret')

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe it's better not to have a fallback so we crash if this is not defined

Comment thread src/controllers/gist.ts Outdated

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we not remove this now?

@domoritz

Copy link
Copy Markdown
Member

What kind of GitHub auth token are we giving to the front end? I want to make sure it has minimal permissions so that it can't be abused to do many other things.

@yuvvantalreja

Copy link
Copy Markdown
Member Author

What kind of GitHub auth token are we giving to the front end? I want to make sure it has minimal permissions so that it can't be abused to do many other things.

Its a personal access token that is received as part of the OAuth workflow. We can set the token to the gist scope which only allows the token to be used for CRUD operations on public/private gists belonging to the user.

I was also deciding to implement some additional security features, mainly implementing a per-gist authorization system that only allows modification of specific gists, along with rate limiting read/write operations on gists.

Do let me know if this is something reasonable to explore.

@domoritz

Copy link
Copy Markdown
Member

Would the rate limiting mean we have to proxy requests? I'd like to keep the backend lean.

@yuvvantalreja

Copy link
Copy Markdown
Member Author

Would the rate limiting mean we have to proxy requests? I'd like to keep the backend lean.

I see, that would indeed complicate our backend.

@vercel

vercel Bot commented Jun 5, 2025

Copy link
Copy Markdown

Deployment failed with the following error:

Environment Variable "GITHUB_CLIENT_ID" references Secret "github-client-id", which does not exist.

@domoritz

domoritz commented Jun 5, 2025

Copy link
Copy Markdown
Member

I see this is marked as draft. Is this ready for a review?

@yuvvantalreja yuvvantalreja marked this pull request as ready for review June 7, 2025 04:02
Comment thread config/passport.ts Outdated
Comment thread src/app.ts
import express from 'express';
import session from 'express-session';
import passport from 'passport';
import redis from 'redis';

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Remove the dependency then

@domoritz

domoritz commented Jun 8, 2025

Copy link
Copy Markdown
Member

Moved to #543. You have write access.

@domoritz domoritz closed this Jun 8, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants