Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add registering and login with OTP through email #1068

Merged
merged 15 commits into from
Oct 31, 2024
Merged

Conversation

josepegea
Copy link
Collaborator

@josepegea josepegea commented Oct 20, 2024

Add new auth method, using just email and an OTP link.

Based in the work of @phoet in https://github.com/weg-li/weg-li

Both for registering and for logging in, the user just inputs their email and receives a message with a OTP link.

Users registered through this provider lack nickname , name and image on creation.
In order to deal with the validations for these properties, they're initialized as follows:

  • nickname is generated by hashing the email address.

  • name is filled in with a known marker for "missing name" declared in User::EMPTY_NAME (currently "********"). It doesn't use the email address as a placeholder in order to avoid exposing it, as the user name is displayed in several pages in the application.

  • image is set to the Gravatar URL for the email.

In order to urge users registered through email to provide a name that can be used in the app, after log in, a user with such an "empty" name is redirected to the profile edit page and asked to provide one.

As with any other source, if such a user later adds another provider, the name and image coming from those will take over the existing ones.

Should help deal with the Twitter problem described in #1063

@josepegea josepegea changed the title Add login with email Add registering and login with OTP through email Oct 26, 2024
@josepegea josepegea marked this pull request as ready for review October 26, 2024 17:13
@josepegea josepegea mentioned this pull request Oct 26, 2024
@JoschkaSchulz
Copy link
Member

@josepegea it looks a bit hacky :) But I understand the problem. Is it really necessary to add the Actionmailer Cop? Couldn't we just solve it, that way we don't have to worry about it in the future?

@salzig what are you thinking?

@josepegea
Copy link
Collaborator Author

@josepegea it looks a bit hacky :) But I understand the problem. Is it really necessary to add the Actionmailer Cop? Couldn't we just solve it, that way we don't have to worry about it in the future?

@salzig what are you thinking?

Indeed, there are many "hacky" parts about this.

Truth be told, I feel the user system is too influenced by Twitter being the first login method supported, and not having email as the main, unique, identifier has made this addition quite more complex than it should. It's only ironic that now it's Twitter, too, who pushes us to change 😅

As for the Metrics/ParameterLists cop, I have my own personal opinion about the overuse of Rubocop and I would gladly remove this one. Making the parameters list shorter here would imply either passing an opaque hash or having the mailer itself deal with getting the data from Whitelabel, and I feel that both options would make the solution more difficult to follow. I was just assuming that the set of cops was already agreed upon and was honoring it. But if we're all fine with removing it, I'll be happy to do that

config/locales/de.yml Outdated Show resolved Hide resolved
lib/omni_auth/strategies/email.rb Outdated Show resolved Hide resolved
spec/controllers/sessions_controller_spec.rb Outdated Show resolved Hide resolved
spec/models/user_spec.rb Outdated Show resolved Hide resolved
spec/support/factories/authorizations.rb Outdated Show resolved Hide resolved
spec/models/user_spec.rb Outdated Show resolved Hide resolved
@salzig
Copy link
Collaborator

salzig commented Oct 29, 2024

That's my initial 2cents about it. Sorry for the delay.

@josepegea
Copy link
Collaborator Author

That's my initial 2cents about it. Sorry for the delay.

Thanks for the review! Updated

@josepegea josepegea requested a review from salzig October 29, 2024 20:52
config/initializers/omniauth.rb Outdated Show resolved Hide resolved
enter_email: "Bitte geben Sie Ihre E-Mail-Adresse ein"
submit: "Autorisieren"
email_sent: "Eine E-Mail wurde an %{email} mit Details zum Einloggen gesendet"
invalid_email: "Bitte geben Sie eine gültige E-Mail-Adresse ein"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we do not use "Sie" but "Du" in the rest of our communication

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I speak no German (nor Polish) I'm afraid. I asked ChatGPT to do the translations hoping they would be a good starting point that could be improved by native speakers. Still, I asked again to rewrite the German texts in the colloquial form. Hoping they're not too bad!!

lib/omni_auth/strategies/email.rb Outdated Show resolved Hide resolved

get :edit, params: { id: user }

doc = Nokogiri::HTML(response.body)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

there is probably some matcher for this kind of stuff, but i dont remember, so whatever.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think they're available for "request" or "feature" specs, but not for "controller" ones.
Maybe this kind of test belongs more to a Capybara spec, but, I think it fits well here, given the current suite

app/controllers/sessions_controller.rb Outdated Show resolved Hide resolved
@josepegea
Copy link
Collaborator Author

Thanks for your review, @phoet !

I applied the changes you suggested.

If there's no more comments, I'll merge this tomorrow in the morning, as I'd like to have it ready for users in preparation of a meetup for next week

@josepegea josepegea merged commit 2efb197 into master Oct 31, 2024
1 check passed
@josepegea josepegea deleted the add-email-otp-auth branch October 31, 2024 10:40
@josepegea
Copy link
Collaborator Author

Ok, I merged it and tried to use it. Unfortunately, it turns out that the sending of the email fails, because of missing SMTP auth. @phoet , could you please take a look at the configuration? 🙏

@josepegea
Copy link
Collaborator Author

Ok, I merged it and tried to use it. Unfortunately, it turns out that the sending of the email fails, because of missing SMTP auth. @phoet , could you please take a look at the configuration? 🙏

I confirm that email login works if you manage to get the login link, but that's not possible as long as the app cannot send emails. I managed to make it work for myself and for one user of Madrid.rb by looking at the exception in AppSignal and forwarding the token from there. However, this is far from sustainable.

@phoet mentioned that is quite possible that the Heroku app has lost the Sendgrid configuration. I guess it used to have one, as there's another mailer that was used for usergroup notifications and the app configuration seems to point to Sendgrid. Unfortunately, I don't have access to the Heroku app, so I cannot check. @phoet is on holidays and away from a proper workplace. @salzig could you please check? 🙏

@salzig
Copy link
Collaborator

salzig commented Nov 2, 2024

SENDGRID_USERNAME and SENDGRID_PASSWORD, as expected by config/environments/production.rb, aren't configured in Heroku. Only reference I could find is SENDGRID_DOMAIN.

@salzig
Copy link
Collaborator

salzig commented Nov 2, 2024

Screenshot 2024-11-02 at 20 49 55
and adding/"unlocking" the twilo SendGrid Heroku Addon ends here. <3

@josepegea
Copy link
Collaborator Author

Thanks for looking at it! 🙌

I was just going to ask if you could enable that addon 😅

@josepegea
Copy link
Collaborator Author

I was looking at the docs and it seems that they generate a unique email address to manage the addon and require SSO from there. Maybe it was already setup?

@phoet
Copy link
Member

phoet commented Nov 3, 2024

I deleted and reinstalled the addon. login works, maybe emails too

@josepegea
Copy link
Collaborator Author

Hey, thanks for that. Unfortunately, I just tested and still got SMTP-AUTH requested but missing user name (see AppSignal, under the ArgumentError 2081.

Maybe it's just a matter of setting the user and password provided by the addon on the proper ENV vars: SENDGRID_USERNAME and SENDGRID_PASSWORD

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

Maybe it's cause no sender was configured. You should have received a verification mail on hello@. Can you confirm?

@josepegea
Copy link
Collaborator Author

I just checked and, yes, there was a verification email from this morning and I just clicked in the confirmation link. I'm afraid I'm in the dark regarding the configuration of the addon or the Sendgrid account as I don't have access to the Heroku dashboard

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

Screenshot 2024-11-04 at 10 29 02
maybe you where a bit late, I just resend the verification mail.

@josepegea
Copy link
Collaborator Author

Clicked it again. Still same error "550 The from address does not match a verified Sender Identity. Mail"

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

Screenshot 2024-11-04 at 10 41 42
I'm not surprised by the 550, cause send grid still shows the sender as unverified.

@josepegea
Copy link
Collaborator Author

I verified the address and registered in Sendgrid
image
I'm really not sure if I should also "Create a new account" 🤔

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

ah, not sure if it was the right way to create a new account. Cause maybe we can't have it verified for our send grid account now?

@josepegea
Copy link
Collaborator Author

I finalized creating the account and now no error is raised, but emails still don't arrive. Maybe now it's because of lack of SPF or similar setup for the domain, that prevent the email from being delivered. Not even in spam 🤔

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

I don't think so, cause for Hamburg.onruby.de it works now, but the sender is verified in our account.

@josepegea
Copy link
Collaborator Author

So maybe you need to add the emails for each of the RUGs as verified senders on your account, indeed

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

Yes, I just send you a message via Discord. Maybe we can have a shortcut for "exchange" of a link there.

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

And we should introduce a "feature switch", so only Whitelabel where the email is verified/added can use email login.

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

Madridrb sender mail is now added and verified to our send grid account. Login for HamburgOnRuby and Madridrb via Email works now.

@josepegea
Copy link
Collaborator Author

Thanks for your help, @salzig!

And we should introduce a "feature switch", so only Whitelabel where the email is verified/added can use email login.

I'll work on that later today or tomorrow

@salzig
Copy link
Collaborator

salzig commented Nov 4, 2024

Just as you suggested via Discord, maybe it's best to support a "generic" fallback via a "onruby" Global Sender first. So the feature at least works for all Labels. After that we can figure out how to support individual senders (verfied in a single account, different sendgrid account per label, etc)

@josepegea
Copy link
Collaborator Author

Yes, I think that's better. I will do that, then

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants