feat: SSR #5777

loks0n · 2023-07-06T15:21:15Z

What does this PR do?

Session Secrets for API key authenticated clients

Adds the secret field to the Session response object when authenticated using API key, including the response of all existing Account session creation endpoints.
Adds the sessions scope, used for session creation endpoints. It is added available to guests by default and will be optional for API key.

Tokens

🟢 New endpoint Create session in users service POST /users/:userId/session
🟢 New endpoint Create token in users service POST /users/:userId/token
🟢 New endpoint Create session [from token] in account service POST /account/sessions/token
🔴 Removes and aliases PUT /account/sessions/phone to POST /account/sessions/token
🔴 Removes and aliases PUT /account/sessions/magic-url to POST /account/sessions/token

Token for SSR OAuth

Appends URL parameters userId & secret from a generated token to the final OAuth2 redirect to allow SSR clients to exchange this for a session.

Test Plan

e2e tests
manual w/o sdk
manual w/ sdk

Related PRs and Issues

RFC

Checklist

Have you read the Contributing Guidelines on issues?
If the PR includes a change to an API's metadata (desc, label, params, etc.), does it also include updated API specs and example docs?

…-ssr

…ppwrite into feat-ssr

…-ssr

christyjacob4 · 2024-01-15T21:14:10Z

app/controllers/api/users.php

+App::post('/v1/users/:userId/sessions')
+    ->desc('Create session')
+    ->groups(['api', 'users'])
+    ->label('event', 'users.[userId].sessions.create')


This needs to be users.[userId].sessions.[sessionId].create

christyjacob4 · 2024-01-15T21:16:19Z

app/controllers/api/users.php

+        if ($user !== false && !$user->isEmpty()) {
+            $user->setAttributes($user->getArrayCopy());
+        } else {


what is the need for this ?

christyjacob4 · 2024-01-15T21:20:09Z

app/controllers/api/users.php

+            $user->setAttributes([
+                '$id' => $userId,
+                '$permissions' => [
+                    Permission::read(Role::any()),
+                    Permission::update(Role::user($userId)),
+                    Permission::delete(Role::user($userId)),
+                ],
+                'email' => null,
+                'emailVerification' => false,
+                'status' => true,
+                'password' => null,
+                'hash' => Auth::DEFAULT_ALGO,
+                'hashOptions' => Auth::DEFAULT_ALGO_OPTIONS,
+                'passwordUpdate' => null,
+                'registration' => DateTime::now(),
+                'reset' => false,
+                'prefs' => new \stdClass(),
+                'sessions' => null,
+                'tokens' => null,
+                'memberships' => null,
+                'search' => implode(' ', [$userId]),
+                'accessedAt' => DateTime::now(),
+            ]);
+
+            $user->removeAttribute('$internalId');
+            Authorization::skip(fn () => $dbForProject->createDocument('users', $user));
+        }


This is a createSession endpoint right? I see this is performing 2 functions

Creating a user

Creating a session for the user

this goes against REST principles where each endpoint should handle only one responsibility unless absolutely necessary.

What is the need to create a user here when we already have the createUser endpoint?

This createSession endpoint should return 404 if the user does not exist

I agree it seems to violate REST principle, but it offers pontentially better DX, and Matej proposed this change justifying it as the existing behaviour for endpoints in account service.

Should we:

Auto-create users for endpoints in account service and NOT users service?

Auto-create users for endpoints in both account and users services?

Change accounts service so we never auto-create users?

christyjacob4 · 2024-01-15T21:21:03Z

app/controllers/api/users.php

+            $user->setAttributes([
+                '$id' => $userId,
+                '$permissions' => [
+                    Permission::read(Role::any()),
+                    Permission::update(Role::user($userId)),
+                    Permission::delete(Role::user($userId)),
+                ],
+                'email' => null,
+                'emailVerification' => false,
+                'status' => true,
+                'password' => null,
+                'hash' => Auth::DEFAULT_ALGO,
+                'hashOptions' => Auth::DEFAULT_ALGO_OPTIONS,
+                'passwordUpdate' => null,
+                'registration' => DateTime::now(),
+                'reset' => false,
+                'prefs' => new \stdClass(),
+                'sessions' => null,
+                'tokens' => null,
+                'memberships' => null,
+                'search' => implode(' ', [$userId]),
+                'accessedAt' => DateTime::now(),
+            ]);


same comment as above. The endpoint should only perform one function.

christyjacob4 · 2024-01-15T21:22:29Z

app/controllers/api/users.php

+App::post('/v1/users/:userId/tokens')
+    ->desc('Create token')
+    ->groups(['api', 'users'])
+    ->label('event', 'users.[userId].tokens.create')


This event needs to be added to the events.php file

And it should also be users.[userId].tokens.[tokenId].create

app/controllers/api/users.php

christyjacob4 · 2024-01-15T21:34:59Z

app/controllers/shared/api.php

+            case 'token':
+                if (($auths['token'] ?? true) === false) {
+                    throw new Exception(Exception::USER_AUTH_METHOD_UNSUPPORTED, 'Token authentication is disabled for this project');
+                }
+                break;


This needs to be added to the auth.php file in the config directory. Else it will break the updateAuthStatus endpoint

Also what is "token" based auth? How does it sit well in this screen?

I am to understand that tokens are created by emailPassword, phone, magic URL etc. So if we add a new check box for token here, what does it mean to disable token based auth?

does it mean, we also disable emailPassword, phone, magicURL etc? Because a token is generated by all those methods right?

Good point, I think we should remove these. It doesn't fit in this screen.

The user can already control where a token is created with the existed toggles.
If we let them disable token auth it would break magic url and phone auth.

docs/references/account/create-email-password-session.md

docs/references/account/update-magic-url-session.md

docs/references/account/update-phone-session.md

christyjacob4 · 2024-01-15T21:45:17Z

app/config/auth.php

@@ -42,7 +42,7 @@
        'name' => 'Phone',
        'key' => 'phone',
        'icon' => '/images/users/phone.png',
-        'docs' => 'https://appwrite.io/docs/client/account?sdk=web-default#accountCreatePhoneSession',
+        'docs' => 'https://appwrite.io/docs/references/cloud/client-web/account#accountCreatePhoneToken',
        'enabled' => true,
    ],


we're missing a new array item for token

christyjacob4 · 2024-01-15T21:51:47Z

app/config/scopes.php

+    'account' => [
+        'description' => 'Access to make actions on behalf of a user account',
+    ],


Can you give me some reasons why this is not account.read and account.write

There was an existing hidden scope called account.
I wanted keep this name to reduce the scope of the changes.

christyjacob4 · 2024-01-15T21:52:03Z

app/config/scopes.php

+    'account' => [
+        'description' => 'Access to make actions on behalf of a user account',
+    ],
+    'sessions' => [


similarly why is this not sessions.write ?

We can change this.

…t-ssr

app/controllers/api/account.php

feat: return encodedSecret in session body

f384fc0

loks0n changed the title ~~feat: return encodedSecret in session body~~ feat: SSR Jul 6, 2023

loks0n added 2 commits July 6, 2023 21:10

feat: poc oauth2 ssr

7cee36a

chore: include secret instead of encoded

074e974

github-actions bot mentioned this pull request Aug 1, 2023

PRs Opened in July 2023 appwrite/.github#61

Closed

loks0n added 17 commits September 28, 2023 11:21

Merge branch 'main' of https://github.com/appwrite/appwrite into feat…

ef93c59

…-ssr

chore: revert oauth workaround

b8f2c1d

feat: add userId to abuse-keys

5ed2da4

feat: oauth ssr token flow

739be81

Merge branches 'main' and 'feat-ssr' of https://github.com/appwrite/a…

dbf1874

…ppwrite into feat-ssr

fix: token verification

e94631f

fix: edge cases

c4e82e4

Merge branch 'main' of https://github.com/appwrite/appwrite into feat…

e75b3b9

…-ssr

test: null token type case

bd83c16

fix: unhash session responses

a88175f

test: fix magic url assertions

c30c024

chore: fmt

c343d75

fix: edge cases

e41fab7

test: e2e universal token

0332d35

chore: fmt

4f11cba

docs: add descriptions to universal token endpoints

f9d6ebd

test: fix warning

8379551

loks0n self-assigned this Oct 11, 2023

loks0n marked this pull request as ready for review October 11, 2023 16:00

loks0n added 3 commits October 11, 2023 17:02

chore: remove comment

3474fa8

chore: rename $sessionSecret

b299ed0

feat: replace session confirmation endpoints

8ab429b

loks0n requested review from christyjacob4, Meldiron and eldadfux October 13, 2023 10:04