Support for Google Account required authentication model #2021
Comments
jpd236 added a commit to jpd236/jolly-roger that referenced this issue Feb 18, 2024

Show a "Sign in with Google" button on the login page.

This sign in flow first attempts to match against existing users who have linked that same Google Account. If there is no such user, a new account is created.

Icon taken from: https://developers.google.com/identity/branding-guidelines

Notes / issues:
- This allows anyone to create a Jolly Roger account as long as they have a Jolly Roger account; previously, access was invite only. This seems reasonable in that hunts have their own ACLs, but if this is a concern, we could reject new account creation until a follow-up change which optionally configures access based on Drive folder access.
- A user can unlink their Google Account; if the user was originally created through this flow, they will be left with an account with no password or method of entry. However, they can follow the forgotten password flow to create a new password (if an email server is configured).
- At least on local instances, a console warning appears upon showing the Google Account popup: "Cross-Origin-Opener-Policy policy would block the window.closed call". This also occurs for the existing Google Account integration so isn't exclusive to this flow.
- If the popup is closed without completing sign-in, the button remains disabled because we don't appear to get a failure callback. I'm unsure why this is happening, though it's easy enough to refresh the page.
- Sometimes, when you click Sign Out, the login page renders with a blank "Sign in with Google" button, though the button appears to work as expected.

See deathandmayhem#2021
jpd236 added a commit to jpd236/jolly-roger that referenced this issue Feb 20, 2024

Show a "Sign in with Google" button on the login page.

This sign in flow first attempts to match against existing users who have linked that same Google Account. If there is no such user, the signup is rejected.

Icon taken from: https://developers.google.com/identity/branding-guidelines

Notes / issues:
- A follow-up change will provide a way for users to be created with this flow, likely via an ACL check against a Drive folder.
- In the future, if a user is created via this flow, they can unlink their Google Account, leaving them with an account with no password or method of entry. However, they can follow the forgotten password flow to create a new password (if an email server is configured).
- At least on local instances, a console warning appears upon showing the Google Account popup: "Cross-Origin-Opener-Policy policy would block the window.closed call". This also occurs for the existing Google Account integration so isn't exclusive to this flow.
- If the popup is closed without completing sign-in, the button remains disabled because we don't appear to get a failure callback. I'm unsure why this is happening, though it's easy enough to refresh the page.
- Sometimes, when you click Sign Out, the login page renders with a blank "Sign in with Google" button, though the button appears to work as expected.

See deathandmayhem#2021
jpd236 added a commit to jpd236/jolly-roger that referenced this issue Mar 4, 2024

Show a "Sign in with Google" button on the login page.

This sign in flow first attempts to match against existing users who have linked that same Google Account. If there is no such user, or multiple such users, the request is rejected.

We use a custom login handler rather than the standard loginWithGoogle module for simplicity since we already have existing linked users that would be difficult to migrate to the standard system due to not storing the necessary credentials. Since we have enough to validate identity in our current schema, this is fine for now.

Icon taken from: https://developers.google.com/identity/branding-guidelines

Notes / issues:
- This fixes a bug in the existing "unlink Google Account" flow where the linked email is cleared but not the linked account ID.
- At least on local instances, a console warning appears upon showing the Google Account popup: "Cross-Origin-Opener-Policy policy would block the window.closed call". This also occurs for the existing Google Account integration so isn't exclusive to this flow.
- Sometimes, when you click Sign Out, the login page renders with a blank "Sign in with Google" button, though the button appears to work as expected.

See deathandmayhem#2021
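
The matching rule from the Mar 4 commit message, and why the unlink bug it mentions matters for that rule, as an added example (not code from the commit or from Jolly Roger). The field names `googleAccount` and `googleAccountId`, the function names, the in-memory user list and matching by account ID are all assumptions made for illustration.

```javascript
// Added illustration. Field names, function names and sample users are
// assumptions, not Jolly Roger's schema or login handler.

// Constructed sample users: u2 and u3 are linked to the same Google Account.
function makeUsers() {
  return [
    { _id: "u1", googleAccount: "alice@example.com", googleAccountId: "1001" },
    { _id: "u2", googleAccount: "bob@example.com", googleAccountId: "1002" },
    { _id: "u3", googleAccount: "bob2@example.com", googleAccountId: "1002" },
    { _id: "u4" }, // never linked a Google Account
  ];
}

// Map a Google identity to exactly one local user, or reject.
// identity.id is assumed to come from a token verified on the server.
function resolveGoogleLogin(users, identity) {
  // Refuse empty or missing IDs so unlinked users (undefined ID) never match.
  if (!identity || typeof identity.id !== "string" || identity.id === "") {
    return { ok: false, reason: "missing-identity" };
  }
  const matches = users.filter((u) => u.googleAccountId === identity.id);
  if (matches.length === 0) return { ok: false, reason: "no-linked-user" };
  if (matches.length > 1) return { ok: false, reason: "ambiguous-link" };
  return { ok: true, userId: matches[0]._id };
}

// Unlink as in the bug described: the email is cleared, the ID is left.
function unlinkEmailOnly(user) {
  delete user.googleAccount;
}

// Unlink with both fields cleared, so the link no longer grants login.
function unlinkGoogleAccount(user) {
  delete user.googleAccount;
  delete user.googleAccountId;
}

// Show that a stale account ID keeps the login path open after "unlink".
function staleLinkDemo() {
  const users = makeUsers();
  unlinkEmailOnly(users[0]);
  const afterBuggyUnlink = resolveGoogleLogin(users, { id: "1001" });
  unlinkGoogleAccount(users[0]);
  const afterFixedUnlink = resolveGoogleLogin(users, { id: "1001" });
  return { afterBuggyUnlink, afterFixedUnlink };
}
```
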
Currently, Jolly Roger has its own independent authentication system and set of accounts. In contrast, Ange Management currently requires that all team members have a Google Account. This enables the following:
FWIW, we also use a service account to create the sheets and perform other Google operations. IIRC the current system asks for a dedicated actual user account for this purpose. Service accounts feel better suited to this purpose.
Meteor has a built-in Google Account integration which might be useful (our current system is DIY). At a high level, I imagine offering this as a configurable option that replaces the existing log-in system with a "Sign in with Google" option; after signing in, we create a user entry in JR including any necessary credentials for authenticated requests. Would have to figure out things like the initial user creation flow for the admin, hunt creation creating folders and doing the per-hunt auth dance as needed.
I'm planning to take a look at this myself but concerns, thoughts and ideas would be welcome! I'd like to upstream this to avoid drift, and I think that Palindrome might find at least parts of this useful.