Implement developer authentication bypass for local development #267

Open
bradleyDean opened this issue Apr 19, 2023 · 3 comments

@bradleyDean
Contributor

bradleyDean commented Apr 19, 2023

Note: This description has been edited. It originally (accidentally) blended front end and backend authentication into a single issue. I will link to the front end authentication bypass issue here, as soon as I write up that issue.

The Problem:
As developers working on the openbeta-graphql project, we need a convenient way to bypass the authentication system when running the server locally. This will allow us to test/develop functionality without having to provide real user credentials. Note that this issue describes creating test/dev accounts which could probably be used to authenticate backend requests for dev purposes, but I think that process would be clunky and it is probably best not to rely on that strategy.

Proposed Solution Overview:
Allow contributors to bypass the authentication system when running the app locally. We'll achieve this by setting a new NODE_ENV environment variable to "development" when running a new serve-dev command, which will run the app in development mode.

Implementation Details:

  1. Add a new script entry (below this line) called serve-dev in package.json:

     "scripts": {
       ...
       "serve": "yarn build && node --experimental-json-modules build/main.js",
       "serve-dev": "NODE_ENV=development yarn serve",
       ...
     }

  2. Update the createContext function in build/auth/middleware.js to bypass the authentication process when process.env.NODE_ENV is set to development. Assign 'admin' and 'editor' roles to the user in this case.

     // ... (existing logic)
     if (process.env.NODE_ENV === 'development') {
       user.roles = ['admin', 'editor'];
       user.uuid = 'some-test-uuid';
     } else {
       const authHeader = String(headers?.authorization ?? '');
       if (authHeader.startsWith('Bearer ')) {
         // ... (existing logic)
       }
     }

  3. (Optional) Write tests to cover the updated createContext function.

Acceptance Criteria:

  • A separate script called serve-dev should be available for running the app in development mode.
  • The app should allow developers to bypass the authentication system when running locally with the serve-dev script.
  • Developers should be automatically assigned the roles of 'admin' and 'editor' in the development environment when using the serve-dev script.
  • (Optional) The updated createContext function should be covered by tests.
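The bypass from step 2 written out as a complete createContext, as an added example that is not openbeta-graphql's own middleware. Beyond what the issue proposes it also requires an explicit AUTH_BYPASS opt-in next to NODE_ENV, so a mis-set NODE_ENV alone never grants admin; verifyToken (a stand-in for the real Auth0 JWT check), AUTH_BYPASS and the isDevBypass flag are assumptions of this example.

```javascript
// Added example, not code from openbeta-graphql. verifyToken is a
// hypothetical stand-in for the real JWT verification in auth/middleware.js.

const DEV_USER = { roles: ['admin', 'editor'], uuid: 'some-test-uuid' };

// Placeholder verifier: rejects every token. The real middleware would
// validate the Auth0-issued JWT and return its claims.
function rejectAll(_token) {
  return null;
}

function devBypassEnabled(env) {
  // Both conditions must hold: a container accidentally built with
  // NODE_ENV=development, or a stray AUTH_BYPASS left in a staging env,
  // is not enough on its own to skip authentication.
  return env.NODE_ENV === 'development' && env.AUTH_BYPASS === 'true';
}

function createContext({ headers } = {}, env = process.env, verifyToken = rejectAll) {
  const user = { roles: [], uuid: undefined, isDevBypass: false };

  if (devBypassEnabled(env)) {
    user.roles = [...DEV_USER.roles];
    user.uuid = DEV_USER.uuid;
    user.isDevBypass = true; // lets resolvers and logs tell a bypass apart from a real login
    return { user };
  }

  // Normal path: only a "Bearer <token>" header that the verifier accepts
  // yields roles; anything else leaves the request unauthenticated.
  const authHeader = String(headers?.authorization ?? '');
  if (authHeader.startsWith('Bearer ')) {
    const claims = verifyToken(authHeader.slice('Bearer '.length));
    if (claims) {
      user.roles = Array.isArray(claims.roles) ? claims.roles : [];
      user.uuid = claims.uuid;
    }
  }
  return { user };
}
```

Run the server with NODE_ENV=development AUTH_BYPASS=true to get the admin/editor context; with either variable missing, requests fall through to the Bearer-token path exactly as in production.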
@zichongkao
Contributor

I was facing the same issue and realized that the implementation solves the graphql checks, but not the ones in the open-tacos Nextjs app.

Couple of suggestions here at various levels of mocking:

  • Mock Auth0, i.e. create an Auth0 connector and mock the connection in dev mode. This would enable us to insert custom JWTs upon login.
  • Mock data in Auth0. We insert a few pre-built test accounts into the dev version of Auth0. The credentials to these accounts are shared publicly, and when people run yarn dev and connect to dev Auth0, they can immediately select the appropriate account they need for their work. (I tried this, but my yarn dev threw an error connecting to Auth0, probably because I don't have Auth0 API keys. So I don't know if this is as simple as just inserting data into Auth0; we might need a new Auth0 dev account with API keys that are publicly shared.)

@vnugent
Contributor

vnugent commented Apr 20, 2023

How about introducing a really simple bypass switch that only works in development as suggested in #2 above? After all this is for connecting to the developer's own database. When testing in staging you still have to provide your API key.

@bradleyDean
Contributor Author

When I wrote up this issue, I described that the problem we're addressing is specifically for bypassing authentication in open-tacos. Now I realize that my solution really is specifically useful for backend authentication and it does nothing to help someone on the front end, who will be blocked by the authentication window pop-up.

I think that my suggestions in this issue would still be useful for backend development tasks that require bypassing authentication. I am going to edit the title and description of this issue, then write up another issue that deals specifically with the task of front end authentication.
