refactor(auth): Various build improvements and minor refactoring #2959
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
A testbed that reproduces accessing all of the ZMI, the classic HTML plone UI, and the Volto UI under the same hostname. Originally needed to workout issues with different kinds of authentication working for all UIs. refs #131171
Use `collective.recipe.omelette` to reproduce a single directory tree of the Python packages installed in the `./api/` buildout's `instance` part. Useful for searching, browsing, or otherwise exploring all the source code involved in the application in a way that's more readable and avoids duplicates from older versions of eggs.
This repository has no `master` branch. At least according to GitHub, `main` is the default branch and it also has the most recent activity in `$ git log`.
More sensible ordering of the folder structure documentation so that the library, React, is first, the state framework, Redux, is next, followed by more project specific structure.
Refactor the logic around user session state out of the multiple components into Redux selectors. This is a step on the way to refactoring the UI user session logic to be agnostic of *how* the user is authenticated. Currently this includes 2 selectors: - detecting whether a user is currently authenticated and logged in - retrieving the authenticated users login or ID I note this project isn't using selectors prior to this. From [the Redux docs](https://redux.js.org/tutorials/fundamentals/part-2-concepts-data-flow#selectors): > Selectors are functions that know how to extract specific pieces of information from a > store state value. As an application grows bigger, this can help avoid repeating logic > as different parts of the app need to read the same data That's *exactly* what's needed here. This is particularly true for getting user data state, such as the `userId`. As such, I went ahead and introduced the usage of selectors here. Refs #134784
Seeking an action by id, for example to check for the presence of an action or to lookup the `url` property of a specific action, is a very common task. As such, transform the arrays of actions into objects of actions by action id and include that in Redux state as well. Next, I plan to use this to replace the JWT implementation-dependent check if a user is logged in. Refs #134784
Defer to the API, specifically the presence of the `login` action, to determine if a user is logged in instead of depending on the implementation detail of the UI JWT login process. Refs #134784
* master: (35 commits) Installluxon (#2565) Inlineform default values (#2559) Back to development Release 13.6.0 Prepare for release Fix edit warning (#2443) Allowing user to click on the breadcrumbs of objectBrowser (#2541) Update docs about robotstxt (#2546) #2492 added landmark role to skiplink-container (#2493) #2489 made the breadcrumb link text color slightly darker for a11y (#2491) #2487 changed headline color to black for better contrast (#2488) Add DictWidget (new name: VocabularyTermsWidget) (#2532) Update Brazilian Portuguese translation. (#2558) Back to development Release 13.5.0 Prepare for release Add og tags and seo support (#2510) Upgradestorybook2 (#2556) Revert "Upgrade to Storybook 6.3, refresh deps for babel (#2551)" (#2555) Upgrade to Storybook 6.3, refresh deps for babel (#2551) ...
Switch from a feature to a breaking change in the changelog [because](#2535 (comment)): > In the RenderedView, the `token` is removed and used `userLoggedIn` instead. This will > potentially break all customizations using component shadowing for all customized > Views outthere, so we need to mark it as breaking.
Addresses [feedback](#2535 (comment)): > I would like to maintain the purity of what means to start the backend, what means to > start the frontend without abstractions (docker in the middle using traeffic). It's > fine to maintain it as a separate command, but not as "canonical". The reasons are > mainly for training and newbies to really know what's going on under the hood.
* master: (79 commits) Back to development Release 14.0.0-alpha.0 Prepare for release Remove compatibility with older configuration way based on imports (#2516) Locking support (#2594) Back to development Release 13.15.0 Prepare for release feat: add placeholder to wysiwyg widget (#2653) chore(i18n): update ita translations (#2652) Show loading indicator in listing view when content is loading (#2644) Validate touched-only `required` fields in Forms (#2642) Get SchemaWidget field factories from backend (#2651) Change the batch size of folder content (#2654) Show item title and item type when hovering over item title and item type icon in folder content view (#2649) Back to development Release 13.14.0 Prepare for release cypress: user/groups controlpanel tests (#2650) Reimplement the architecture of user/groups controlpanel (#2064) ...
* master: (38 commits) Fix buildout. Remove indentation in buildout.cfg (#2679) Do not show lead image block when the content type does not have the behavior enabled (#2676) Back to development Release 14.0.0-alpha.8 Prepare for release Fix logout action, removing the cookie as well, if present. (#2677) Back to development Release 14.0.0-alpha.7 Prepare for release German translations updated (#2675) translate Japanese (#2671) Back to development Release 14.0.0-alpha.6 Prepare for release Fix ssr for /edit when using devproxy (#2674) Back to development Release 14.0.0-alpha.5 Prepare for release Fix on form errors in block editor, not changing to metadata tab (#2668) Back to development ...
* master: Back to development Release 14.0.0-alpha.9 Prepare for release Use the block `title` as the source of the translation `id` instead o… (#2684)
This is a regression from when I added defensive make settings in:
build(devel): Avoid silent make errors/failures
The `./Makefile` originally referenced a `test` target, since moved to the `./api/Makefile`, but the `./api/buildout.cfg` installs no such buildout part. Figuring it's better to restore that than remove it, I tried restoring that part to the API buildout and found it easy and that most of the tests are already passing.
For each step in the build process, use the real artifacts that result as targets in `./api/Makefile`. This prevents wasting time in the inner loop of individual development and when the prerequisites, `... ./buildout.cfg ./src/*/setup.py`, are maintained carefully this rarely results in surprising behavior such as something failing because a build step wasn't detected as needed.
When revisiting the proxy test bed I couldn't remember how to start it correctly. Clearly I should have documented it better! :-/ Clarify and expand the comments to address that. Also improves how the proxy test bed is run as well as the output from that test bed. I change the target names from `start-*` to `run-*` because to my mind `start` means to launch something successfully "in the background" and return the shell to the user, such as with `# systemctl ...` and other system service control commands. Whereas `run` means to keep running "in the foreground" until the user interrupts. This means the terminology in the target names is inconsistent but I figured it was better to use incrementally better terminology in the targets I'm touching and avoid breaking things for other developers than to not improve the terminology at all.
…prove-local-devel
These popped up after merging master. The conflicting version messages in order
encountered are:
Version and requirements information containing plone.app.vocabularies:
[versions] constraint on plone.app.vocabularies: 4.3.0 # plone.volto requires it
Requirement of plone.volto: plone.app.vocabularies>=4.3.0
While:
Updating instance.
Error: The requirement ('plone.app.vocabularies>=4.3.0') is not allowed by your
[versions] constraint (4.3.0 # plone.volto requires it)
then:
Version and requirements information containing plone.restapi:
[versions] constraint on plone.restapi: 8.16.2 # force to latest p.restapi
Requirement of plone.volto: plone.restapi>=8.13.0
Requirement of Plone==5.2.6: plone.restapi
While:
Installing instance.
Error: The requirement ('plone.restapi>=8.13.0') is not allowed by your [versions] constraint (8.16.2 # force to latest p.restapi)
then:
Version and requirements information containing plone.rest:
[versions] constraint on plone.rest: 2.0.0a1 # new JSON only traversal
Requirement of plone.volto: plone.restapi>=8.13.0
Requirement of Plone==5.2.6: plone.restapi
Requirement of plone.restapi>=8.13.0: setuptools
Requirement of plone.restapi>=8.13.0: pytz
Requirement of plone.restapi>=8.13.0: python-dateutil
Requirement of plone.restapi>=8.13.0: plone.schema>=1.2.1
Requirement of plone.restapi>=8.13.0: plone.rest>=1.0a6
Requirement of plone.restapi>=8.13.0: plone.behavior>=1.1
Requirement of plone.restapi>=8.13.0: PyJWT
While:
Installing instance.
Error: The requirement ('plone.rest>=1.0a6') is not allowed by your [versions] constraint (2.0.0a1 # new JSON only traversal)
|
For future reference, here's a |
These entries were from when there were changes in Volto to support the unified auth work. That's no longer the case, so cleaning up these changelog entries.
I kept going to Plone`s `buildout.coredev/sources.cfg` to add new checkouts, such as
while developing upstream PRs in combination with work here or after upstream PRs have
merged but not yet released. It was extra work because I had to copy and paste the
`sources` line, but then manually replace the `${remotes:...}` substitutions.
This buildout is for development, we already use external `buildout:extends` URLs, so
would we repeat ourselves.
✅ Deploy Preview for volto canceled.
|
The error message there is about a missing |
stevepiercy
requested changes
Feb 25, 2022
It fails because the version of the You could ignore it, but it might be a good idea to rebase your branch on |
Doh! I should have checked for new commits on master before asking for help there, sorry! Thanks for the helping hand. I've merged and pushed. |
Introduced when [I cleaned up the no-longer-relevant entry](8d887af) but didn't replace it.
…why it is a useful function. Fix typo.
stevepiercy
reviewed
Mar 2, 2022
|
I pushed commit ffc731e for review. I also commented on the function name: #2959 (comment) |
rpatterson
commented
Mar 4, 2022
avoinea
approved these changes
Mar 11, 2022
There was a problem hiding this comment.
LGTM.
Tested on localhost and demo website with LDAP:
- Plone: 6.0.0a3
- PlonePAS: 7.0.0a3
- plone.restapi "fix-unify-auth-logout":feat(auth): Sync classic/API PAS plugin cookies plone.restapi#1303
- plone.restapi "fix-zope-root-auth":fix(auth): Unify Zope root ZMI w/ API log in/out plone.restapi#1304
rpatterson
commented
Mar 11, 2022
rpatterson
force-pushed
the
fix-flashy-toolbar-in-2661
branch
from
8ec98aa to
aa938e3
Compare
Apparently [the `clean-tmp-worktrees` target doesn't work on OS X](#3194 (comment)). Rather than remove all support for testing a clean checkout in a worktree, use a less invasive approach and just remove running it from the `clean` target so that others may still use the `test-clean` and `clean-tmp-worktrees` targets. This reverts commit f7648f5.
rpatterson
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Revert the commits that changed the components that refer to the logged in user to use
the response from the actions API endpoint. IOW, those components now, once again, use
the Bearer token instead. Preserves all the other improvements made to the code along
the way.
The new branch for the
plone.restapiincludes the API changes to the PAS plugin neededto set both the Plone classic session cookie and the Bearer token cookie that Volto can
optionally use to initialize authentication without using the Volto login component.
All this put together means that:
in terms of interpreting state
One edge case that remains is when logging in via the Volto UI component as a user from
the Zope root
acl_users(e.g.adminorSITE_OWNER_NAME), they aren't logged intoPlone classic. The other direction is fine, logging in as
adminto Plone classicresults in a new request to the Volto UI being logged in. Digging into that now.
These changes do not address any of the issues that happen when logged in via the ZMI at
the Zope root. A user logged in that way will still appear logged in to classic Plone,
but won't be recognized by Volto components as logged in but API responses will still
reflect their
Manageraccess rights. Tackling that is coming up.This PR supersedes both #2535 #2687.