Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add support for auth (via email) #19

Merged
merged 5 commits into from
Dec 1, 2023
Merged

add support for auth (via email) #19

merged 5 commits into from
Dec 1, 2023

Conversation

andrewkmin
Copy link
Contributor

@andrewkmin andrewkmin commented Nov 20, 2023

$title

Related: tkhq/sdk#169

This will require dns updates to have this hosted at a Turnkey subdomain.

@andrewkmin andrewkmin marked this pull request as draft November 20, 2023 17:38
@andrewkmin andrewkmin changed the title email auth add support for auth (via email) Nov 22, 2023
@andrewkmin andrewkmin marked this pull request as ready for review November 22, 2023 18:49
@r-n-o
Copy link
Collaborator

r-n-o commented Nov 27, 2023

@andrewkmin do you think we can consolidate recovery and auth under the same iframe? Conceptually they do the same thing?

  • spin up a key pair on first load
  • accept a bundle (we can have different events for different bundle types, if these are different -- but I think in this case both recovery and auth bundles are the same, they contain an encrypted P256 private key)
  • sign / stamp payloads

Are there specific aspects of auth that require a separate iframe? Otherwise we can have a common domain for both.

@andrewkmin
Copy link
Contributor Author

andrewkmin commented Nov 28, 2023

@andrewkmin do you think we can consolidate recovery and auth under the same iframe? Conceptually they do the same thing?

  • spin up a key pair on first load
  • accept a bundle (we can have different events for different bundle types, if these are different -- but I think in this case both recovery and auth bundles are the same, they contain an encrypted P256 private key)
  • sign / stamp payloads

Are there specific aspects of auth that require a separate iframe? Otherwise we can have a common domain for both.

This absolutely makes sense. Arguably the trickiest part in all this is naming 😄 between the two, I feel like both fall under the auth umbrella more so than the recover umbrella, but I'm open to entries here. injector would be too general; secure entry... hmmm. Whichever term/domain name we land on, reminder to self: update docs.turnkey.com, demo-passkey-wallet, and anywhere else it's used/referenced!

auth/index.html Outdated
Comment on lines 866 to 867
window.addEventListener("message", async function(event) {
if (event.data && event.data["type"] == "INJECT_RECOVERY_BUNDLE") {
if (event.data && event.data["type"] == "INJECT_CREDENTIAL_BUNDLE") {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think we can break compatibility. Let's support both INJECT_RECOVERY_BUNDLE and INJECT_CREDENTIAL_BUNDLE? Old versions of our SDK will keep sending INJECT_RECOVERY_BUNDLE for a while, and it doesn't cost us much to keep supporting this.

Dockerfile Outdated
Comment on lines 10 to 11
COPY auth /usr/share/nginx/auth
COPY export /usr/share/nginx/export
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to keep supporting recovery.turnkey.com. So let's "cheat":

COPY auth /usr/share/nginx/recovery

:)

README.md Outdated
@@ -1,17 +1,22 @@
# Frames

This repository contains code for the recovery and export components of Turnkey. These components can be embedded as iframes by users to support end-users in recovery and export.
This repository contains code for the recovery, export, and auth components of Turnkey. These components can be embedded as iframes by users to support end-users.

## Email Recovery
Copy link
Collaborator

@r-n-o r-n-o Nov 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update the title to "Auth and Recovery"? (and delete the specific "auth" section)

We'll want to keep recovery.turnkey.com for compatibility but we should recommend people set auth.turnkey.com in both email recovery and auth flows.

@r-n-o
Copy link
Collaborator

r-n-o commented Nov 28, 2023

Arguably the trickiest part in all this is naming 😄 between the two, I feel like both fall under the auth umbrella more so than the recover umbrella, but I'm open to entries here

Yeah I'm with you there! I'd say recovery falls under the auth umbrella 👍

@@ -863,7 +864,7 @@ <h2>Message log</h2>
// TODO: find a way to filter messages and ensure they're coming from the parent window?
// We do not want to arbitrarily receive messages from all origins.
window.addEventListener("message", async function(event) {
if (event.data && event.data["type"] == "INJECT_RECOVERY_BUNDLE") {
if (event.data && (event.data["type"] == "INJECT_CREDENTIAL_BUNDLE" || event.data["type"] == "INJECT_RECOVERY_BUNDLE")) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👏

auth/favicon.svg Outdated
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We might need a different color than usual! Red? Purple?

Doesn't really matter in the end, not many people will visit these iframe as a standalone page.

Comment on lines +17 to 24
- name: Publish Auth
uses: cloudflare/pages-action@f0a1cd58cd66095dee69bfa18fa5efd1dde93bca #v1.5.0
with:
apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
projectName: recovery
directory: recovery
projectName: auth
directory: auth
gitHubToken: ${{ secrets.GITHUB_TOKEN }}
Copy link
Collaborator

@r-n-o r-n-o Nov 28, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note: this will fail on the cloudflare side, I'll need to edit the project to be named "auth". done!

Copy link
Contributor

@oliviathet oliviathet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wooooh 🎉 this looks great. love seeing recovery -> auth.

@andrewkmin andrewkmin merged commit 876c1c1 into main Dec 1, 2023
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants