Remix auth

[sverhoeven]

Fixes i-VRESSE/bartender#54

Should be merged together with i-VRESSE/bartender#73

TODO

• store private key for making bartender tokens
• use remix auth for local users with remix-auth-form
• use remix-auth-oauth2 for
  • github
  • orcid sandbox
  • orcid prod
  • egi-checkin
• associate local user with oauth account aka mail matching
• regenerated app/bartender-client against JWT token only bartender#73
• dont generate bartender token every time, but store/fetch from db
• enforce password length with zod
• store users in postgresql instead of sqlite
• Replace expertise level seed with enum as new level needs code change, so why not have levels as code as well.
• document oauth2 provider setup
• docker-compose with bartender and haddock3-webapp dbs + rsa key pair mount
• explain remix + prisma choice
  • workflow builder works, while in webpack based meta framework the build chokes
  • follow remix blue stack template, for least dev surprises
• Upgraded to latest remix
  • Use v2 route file naming
• use prisma migrations to create tables in db
• Calculate gravatar hash

To test:

1. Start bartender web service from https://github.com/i-VRESSE/bartender/tree/asym-jwt-only branch with public key.
2. Setup webapp according to development instructions in README.md
3. Register + login + give yourself an expertise level
4. Check on build page that topoaa node has options for your selected expertise level
5. Configure social login GitHub, Orcid or EGI and try to login with those accounts. PS. Make sure you a logged out from the webapp before trying to log in again.
7. Start webapp with docker compose using Docker instructions in README.m

[Peter9192]

• Profile popup doesn't go away when clicked
• Checkboxes on admin page shouldn't apply directly, but after a save
• Can't change password on first admin user?
• Batch checker doesn't work on admin page (with single user)

[Peter9192]

I accidentily revoked SU rights for the first registered user... that should not be so easy.

[sverhoeven]

Added confirm dialog in 3821052

[sverhoeven]

Disabling super user toggle when you are the only super user would be nice, but confirm is good enough.

[Peter9192]

It's nice to have this as an npm run alias, but if you stop it (ctrl+c) then the containers will linger on my system (docker ps -a ). I'd like to have either the counterpart with docker compose rm or the docker-compose alternative for docker --rm (is that --abort-on-container-exit?)

[Peter9192]

Additionally, a command to clear the database would be super helpful, at least for developer purposes.

[sverhoeven]

Can add && docker-compose rm -fsv to script so after you kill the up command the rm command is run.

[sverhoeven]

There is no autoclean argument when using just docker compose up. In 0cfa352 added prune command to clean up.

Reset db command was added in 055807a .

[Peter9192]

Add here how to clear the database? And remove the container?

[sverhoeven]

Add clear command in 0cfa352 and a2c50c9 to remove container

[Peter9192]

What about migrations? Do I need to run this command always?

[sverhoeven]

Clearified in a2c50c9

[Peter9192]

Might be good to say here already that the first user is automatically admin.

[Peter9192]

I think this explananation is a bit confusing. What about:

Suggested change

	The haddock3 web application must be trusted by the bartender web service using a JWT token.
	An RSA private key is used by the haddock3 web application to sign the JWT token.
	To tell the haddock3 web application where to find the private key, use the `BARTENDER_PRIVATE_KEY` environment variable.
	The haddock3 web application can prove its identity to the bartender web service using a JWT token.
	An RSA private key is used by the haddock3 web application to sign the JWT token.
	To tell the haddock3 web application where to find the private key, use the `BARTENDER_PRIVATE_KEY` environment variable.

[Peter9192]

Add a note/guideline on changing the secret?

[sverhoeven]

Done in 0cfa352

[Peter9192]

Good stuff! I found a few things in the docker compose file, further mostly some clarification suggestions. While browsing to remix docs, I noticed that they mostly like cookiesessionstorage because you don't need a database for them. So I was wondering, since we have a database anyway, is this really the most suitable choice for storing session info? Furthermore, it would be nice to have a dedicated error page in the same style as the rest of the app. And it would be helpful to clarify (more explicitly) that bartender should not be setting roles, this is done by the web app

[Peter9192]

Shouldn't the web app be the sole owner (and user) of the private key? Bartender should only need the public key to verify the token, right?

Suggested change

	- type: bind
	source: ./private_key.pem
	target: /app/src/private_key.pem
	- type: bind
	source: ./public_key.pem
	target: /app/src/public_key.pem

[Peter9192]

Suggested change

	DATABASE_URL: postgresql://postgres:postgres@webappdb:5432/postgres
	DATABASE_URL: postgresql://postgres:postgres@webappdb:5432/postgres
	BARTENDER_PRIVATE_KEY: /app/src/private_key.pem

[sverhoeven]

Added in 6cfcd2e

[Peter9192]

Shouldn't the web app need the private key to generate tokens?

Suggested change

	source: ./public_key.pem
	target: /app/src/public_key.pem
	source: ./private_key.pem
	target: /app/src/private_key.pem

[Peter9192]

Do we need this min length check on login as well? Since you can't have a password of <8 characters, the password would be wrong anyway. But it's not like this is checking it's valid.

[sverhoeven]

You are right, removed length check on server and client in 6cfcd2e

[Peter9192]

Maybe start with a note that you need to have a running instance of bartender setup before starting this? And point to the section below on how to set it up?

[Peter9192]

That useful info is a bit hidden 🤔

[sverhoeven]

In 5627bb4 moved to https://github.com/i-VRESSE/bartended-haddock3/blob/remix-auth/docs/bartender.md#haddock3-application

[Peter9192]

Disable if there's only one admin left?

[Peter9192]

Confusing to have placeholders that are not implemented without explicitly stating so.

[Peter9192]

Unclear why this is disabled by default. Remove or explain?

[sverhoeven]

Removed in fcc7c68

[Peter9192]

Should this also upgrade their jwt token?

[sverhoeven]

Nope expertise level is not in token

[sverhoeven]

Good stuff! I found a few things in the docker compose file, further mostly some clarification suggestions. While browsing to remix docs, I noticed that they mostly like cookiesessionstorage because you don't need a database for them. So I was wondering, since we have a database anyway, is this really the most suitable choice for storing session info? Furthermore, it would be nice to have a dedicated error page in the same style as the rest of the app. And it would be helpful to clarify (more explicitly) that bartender should not be setting roles, this is done by the web app

The users browser needs to persist something between page loads we are storing the encrypted user id in the cookie just like https://github.com/remix-run/blues-stack/blob/main/app/session.server.ts#L78 . If you would store session id in cookie and session to user mapping as a db table there are more moving parts without much benefit.

For errors you already created #22 so will deal with better error pages when fixing that issue.

Thanks for reviewing this monster pull request and fixing the deployment error I should have caught.