-
Notifications
You must be signed in to change notification settings - Fork 386
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CLDR-18165 cla: add GitHub login #4244
Conversation
|
CLDR-18165 cla: github sso: generate login url - add LoginManager to manage the sso CLDR-18165 cla: github sso: scaffolding and login mechanisms - add LoginSession abstraction - remove unused dependency - add STRestClient for simplifying REST calls - cleanup hashtable in CookieSession (slightly) - add simplified api in WebContext for retrieving sessions with less drama CLDR-18165 cla: github sso: SameSite=Lax is what we need - Strict cookies DO NOT get sent by browsers after redirect, breaking our session model Discussed at: https://www.nogginbox.co.uk/blog/strict-cookies-not-sent-by-request CLDR-18165 cla: github sso: cla signing scaffolding CLDR-18165 cla: github sso: remainder of auth scaffolding
c5472ee
to
56ebf6d
Compare
Notice: the branch changed across the force-push!
~ Your Friendly Jira-GitHub PR Checker Bot |
- need to fix L&F but all features are there
- use <a-row> and <a-col> - explain error cases
I think this is ready for review (fyi @annebright ) |
- re-add CLA to main menu - hide CLA text for corp and GH users - add link back to cla-assistant on success
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks great, except some TODO comments and commented-out code worry me about what might need to be done before this is ready to use in production. This PR doesn't complete the ticket and it may help to have the work in progress committed for testing, so I'm approving, with the suggestion that each TODO either gets fleshed out soon with the ticket number and clarification when/why it needs doing, or gets removed or changed into a non-TODO comment
tools/cldr-apps/src/main/java/org/unicode/cldr/web/ClaGithubList.java
Outdated
Show resolved
Hide resolved
tools/cldr-apps/src/main/java/org/unicode/cldr/web/auth/GithubLoginFactory.java
Outdated
Show resolved
Hide resolved
tools/cldr-apps/src/main/java/org/unicode/cldr/web/auth/GithubLoginFactory.java
Outdated
Show resolved
Hide resolved
tools/cldr-apps/src/main/java/org/unicode/cldr/web/auth/GithubLoginFactory.java
Show resolved
Hide resolved
tools/cldr-apps/src/main/java/org/unicode/cldr/web/auth/GithubLoginServlet.java
Show resolved
Hide resolved
tools/cldr-apps/src/main/java/org/unicode/cldr/web/auth/LoginFactory.java
Outdated
Show resolved
Hide resolved
I will either flesh out or remove the TODOs. |
Hi Steven.
Hope this makes sense - would obviously be a little easier to do in a call, but not possible at the moment.... |
@annebright thanks! I am going to work on the low level comments first (as those are in progress) and then get a new revision incorporating your comments. I had interpreted the priority of GitHub signing as needing a previous screen to the CLA itself. Since the update of the signing list is manual on our side, if the user signs up / newly signs the CLA with GitHub, that's potentially hours or more likely days before they can proceed, versus "Survey Tool only CLA" would be instant. Thank you for the clarification on terms. |
- add tests - other cleanup per code review
- add tests - other cleanup per code review - support the "employer asserts no rights" round trip
@btangmu take a look, addressed comments. Won't merge w/o approval of the flow. |
Also… it actually looks like we might be able to let the SurveyTool update its CLA list itself. The token situation might be different than I thought. If so, then we can have the SurveyTool automatically fetch the status… and even have a "recheck" button if the user has just signed. I will investigate - as a separate PR. |
@annebright updated first screen: if you sign in with GitHub but do NOT have a signature detected: (TC discussed and removed the "sign ST- only CLA" option here) If they choose ST-only, it goes back to a similar page as before: |
Happy new year! |
Hi Steven - Is this ready for my review yet? In looking at the updates you have made to the language, I still think we need further disambiguation of the Unicode CLA and the Survey Tool Only CLA - especially on the first screen. But it might be easier to discuss in a call, so let me know when you can do one. |
(For the record) I think it is ready for review, will send you more review materials and a call offline. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It looks ok to me, caveat I'm out of my depth on all of this. If you want a more thorough review, maybe Tom?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good based on a quick look. It's a lot of code with a variety of code paths, so there should be some testing, including penetration testing, to try to make it fail. There are still some TODO comments.
As Anne is ok with the wording, LGTM |
CLDR-18165
UI:
Servlet:
/cldr-apps/github-login
to receive GitHub OAuth2 flow.Under the hood:
add LoginManager to manage login flow, in the future this could be leveraged to enable SSO (login to SurveyTool with Github, other providers).
add STRestClient to add a simple JSON-based REST client. Just a refactor of some common code.
we read from
signatures.json
which is a download from cla-assistant.io. We re-read this file on every successful GitHub login currently, so that this file can be updated by some process (this is part of the workflow challenge on our end).This PR completes the ticket.
TODO in a future PR: document! especially GitHub app creation and setup. this article was used as a basis, but also need to document maintenance
This PR does NOT have an admin UI to let the administrator get users 'unstuck', that is a simple matter of SQL (SMOS) currently, with an admin UI for a future PR.
ALLOW_MANY_COMMITS=true
Review Screenshots
Note
Some screenshots may be out of date, see comments below.
New user readonly
Main menu
Login with GitHub
Successful sign with GitHub
github-login
servlet, records the CLA signing in the database, and then shows this page:The details (name, email, employer) are pulled from the GitHub signing data but are not editable. The "to view" link is the usual cla-assistant.io link which gives you the full text and more details.
What if I haven't signed with GitHub?
Manual Sign
See CLDR-17612 cla: update text, record version #4233 for the updates to this page
One new button that takes you BACK to the Login with Github page
Corp users
ibm
) that has already signed the Corp CLA (we don't show the CLA text, because it's not this CLA that was signed.). User would only see this if they click the CLA item in the main menu.