Merge pull request #58 from go-bazzinga/9-add-login-page

adding app flow documentation
yral-dapp · Feb 6, 2024 · be8b322 · be8b322
2 parents 214d9f5 + 14cd45d
commit be8b322
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 1 deletion.
diff --git a/design/anonymous-identity.md b/design/anonymous-identity.md
@@ -0,0 +1,26 @@
+# Anonymous Identity
+
+```mermaid
+---
+title: Generated anonymous identity & session identity for new user
+---
+sequenceDiagram
+    actor client as Client Device
+    participant ssr as SSR Backend
+    participant auth as Auth Service
+    participant canister as Canister
+    participant kv as Cloudflare KV Store
+    client->>ssr: Visits website 1st time
+    ssr->>client: Loads Auth page in iframe
+    client->>auth: Loads anonymous identity page
+    Note over auth: Creates Private KeyPair <br/> & Session KeyPair for a user <br/> using random seed
+    Note over auth: Session KeyPair is <br/> valid for 30 minutes
+    auth->>kv: Store User's private & session KeyPair
+    Note over kv: {pubkey: User's Pubkey, <br/> private_key: User's Private Key, <br/> session_identity: Session KeyPair }
+    Note over auth: Generates DelegatedIdentity <br/> signed by Private KeyPair
+    auth-->>client: Returns Delegated Identity with signed cookie with refresh token
+    Note over client: Builds Secp256k1Identity <br/> & DelegatedIdentity
+    Note over client: Client builds Secp256k1KeyIdentity <br/> & DelegationIdentity <br/> & keeps ready for <br/> future canister calls
+    client->>canister: When needed calls canister using DelegatedIdentity directly for fetching resources
+    canister-->>client: Provides resources
+```
diff --git a/design/oauth2-login.md b/design/oauth2-login.md
@@ -0,0 +1,30 @@
+# OAuth2 Login
+
+## Example provider - Google
+
+```mermaid
+---
+title: OAuth2 Login when user wants to claim tokens
+---
+sequenceDiagram
+    actor client as Client Device
+    participant ssr as SSR Backend
+    participant auth as Auth Service
+    participant ext_auth as External OAuth Service
+    participant canister as Canister
+    participant kv as Cloudflare KV Store
+	Note over client: client passes signed<br /> cookie everytime<br/> with refresh token to auth
+    client->>auth: Client clicks on claim<br /> tokens button is redirected<br /> to auth login page
+    auth-->>client: Returns Login Page with oAuth providers<br /> sets pkce_verifire & csrf_token in cookie
+    client->>ext_auth: Chooses provider & redirects<br /> Client logs-in on provider's page
+    ext_auth-->client: Provides request token & csrf_token in return
+    client-->>auth: passes request Token & provided csrf token.
+    auth->>ext_auth: Verifies token with pkce_verifire & csrf_token
+    ext_auth-->>auth: returns with access token
+    auth->>ext_auth: Requests user's id
+    ext_auth-->>auth: User id returned
+    auth->>kv: Stores user id associated with user's keypair
+    auth-->>client: Returns updated refresh token<br /> and new delegated session<br /> for user's keypair
+    client-->>client: From auth page<br /> Sends post_message with new<br /> delegated session id to ssr page
+    Note over client: Client continues using app & can claim tokens
+```
diff --git a/src/auth/identity.rs b/src/auth/identity.rs
@@ -163,13 +163,15 @@ pub async fn generate_session() -> Result<crate::auth::agent_js::SessionResponse
     user_cookie.set_same_site(SameSite::None);
     set_cookie_expiry(&mut user_cookie);
     user_cookie.set_http_only(true);
+    user_cookie.set_secure(true);
     jar = jar.add(user_cookie);
 
     let mut exp_cookie = Cookie::new("expiration", expiration.to_string());
     exp_cookie.set_domain(app_state.auth_cookie_domain);
     exp_cookie.set_same_site(SameSite::None);
     set_cookie_expiry(&mut exp_cookie);
     exp_cookie.set_http_only(true);
+    exp_cookie.set_secure(true);
     jar = jar.add(exp_cookie);
 
     let jar_into_response = jar.into_response();

diff --git a/src/providers/google.rs b/src/providers/google.rs
@@ -58,12 +58,14 @@ async fn google_auth_url() -> Result<String, ServerFnError> {
     pkce_verifier.set_domain(app_state.auth_cookie_domain.clone());
     pkce_verifier.set_same_site(SameSite::Strict);
     pkce_verifier.set_http_only(true);
+    pkce_verifier.set_secure(true);
     jar = jar.remove(Cookie::from("pkce_verifier"));
     jar = jar.add(pkce_verifier.clone());
     let mut csrf_token = Cookie::new("csrf_token", csrf_token.to_owned());
     csrf_token.set_domain(app_state.auth_cookie_domain);
     csrf_token.set_same_site(SameSite::Strict);
     csrf_token.set_http_only(true);
+    csrf_token.set_secure(true);
     jar = jar.remove(Cookie::from("csrf_token"));
     jar = jar.add(csrf_token.clone());
 
@@ -181,7 +183,10 @@ pub fn OAuth2Response() -> impl IntoView {
     create_effect(move |_| {
         if let Some(Ok(session_response)) = handle_oauth2_redirect.value().get() {
             let message = match serde_json::to_string(&session_response) {
-                Ok(session) => session,
+                Ok(session) => {
+                    leptos::logging::log!("Session: {}", session);
+                    session
+                }
                 Err(error) => error.to_string(),
             };
             let opener = window().unwrap().opener().unwrap();