Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Separate Authentication Module #26

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Conversation

Adi-204
Copy link
Contributor

@Adi-204 Adi-204 commented Dec 24, 2024

Closes #22

Copy link
Collaborator

@saharsh-agrawal saharsh-agrawal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. move verifyUserMail to the backend, i.e., check that once the request is sent to the backend and send the appropriate error msg as a response if it fails. Anyone can overwrite the frontend check. You don't need to make a separate function in utils for the same, simply verify the domain before sending the top email.
  2. the API route validate-jwt is logically incorrect:
    i) access cookies using cookieStore and not req.headers.
    ii) you should know what cookie to look for and not simply anything and everything that exists. Also, your current code breaks down if multiple cookies are received, which will mostly be the case. An approach to solve both your issues involves sending the instiCode as a param, like in the generate-otp route. Hence, you will know which cookie to look for and verify.
  3. Store the route path and not the full URL for authLink and verifyAuthLink in the insti db. Modify the code (Axios) to work accordingly. It should detect if the link is external or internal route and treat them accordingly.
  4. Handle the errors you might get while Axios.get(verifyAuthLink) in /register route. This might not be an 'error' error but the response may not be 200 OK or might simply return a text like 'No JWT session token found.' (in case of Heimdall). So it must not try to extract an email field and fail uncontrollably.
  5. Find a way to redirect to the register page after successful authentication.
  6. Add the instructions to add the necessary env variables in readme. Maybe make a sample env file.

@saharsh-agrawal saharsh-agrawal self-requested a review December 31, 2024 12:15
Copy link
Collaborator

@saharsh-agrawal saharsh-agrawal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i) check if instituteCode exists and is provided as a pram in genrate otp page. Also, display the chosen college name while asking for email
ii) display a successful otp sent message and to check inbox.
iii) dont use loader on full page on form submissions - show loading animation or something like "Submitting..." in the button iself and disable it when the form is submitted, until response is received. (ex - in otp submitting page)
iv) in otp submitting page, redirect to /authenticate when otpData not present, as genrate otp page without knowing instituteCode should be a problem
v) use headers or req.url (origin key) to find the hosted url while making verifyrouteURL in /register route for internal routes, instead of fixing it to be https://travel.metakgp.org. Do something similiar for redirect_url in register page, while going to auth link.
vi) remove the leftover console logs if any, apart from when catching errors in backend.

Copy link
Collaborator

@saharsh-agrawal saharsh-agrawal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You haven't implemented the logic for showing the relevant locations based on the user's college instead of the hardcoded data.json ones 😐.
Also, while doing this, I hope you realise why the current format of storing the locations in the insti model as a simple string array will not be sufficient. Have a look at data.json for reference.

Copy link
Collaborator

@saharsh-agrawal saharsh-agrawal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i) Unhandled error at http://localhost:3000/authenticate/generate-otp?instituteCode=A13 for insti not found. Simply doing this:
if (!selectInstitute) {
alert('Institute not found.');
router.push("/authenticate");
}
will not help as the code has already thrown an error before that.

ii) Currently showing "Error during email domain validation." while entering email if someone adds a invalid domain email. Change this msg to something more helpful - "Invalid email. Choose the correct institute." and hence, add a button to go back to the authenticate screen.

iii) Change button to Verfiy instead of Submit when entering OTP.

iv) "OTP is valid, Verification successful!" - Change to a user-friendly and helpful message, like "OTP verified successfully!".

v) genuinely use the redirect_url feature on every redirect to /authenticate or /register or other authentication pages and actually redirect back to the correct site where the user was redirected out of (for authentication or registration), instead of the homepage everytime.

vi) If otpData is invalid or does not exist when user goes to /verify-otp, you are redirecting to "/authenticate/generate-otp", which obviously will cause an error in the absence of the institute code, which again, is uncaught and causes a nextjs error before correctly redirecting to /authenticate. We may redirect it to /authenticate instead.

Copy link
Collaborator

@saharsh-agrawal saharsh-agrawal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i) http://localhost:3000/register?instituteCode=AB13&redirect_url=http://localhost:3000/trips/create
redirect not working

ii) don't do database access in page.jsx in trips/[tripID]. Do it in a use server function or in the backend itself, while getting trip details. You can find the user email also in the backend itself.

iii) You WILL need to access user details, and then institute details, for trip details and train details, in backend, as you need to implement the criteria that only trips/trains from users of the same college are returned while checking for commons, not others. You might to set up a pipeline for faster querying for implementing the same. Either that, or somehow put the instituteCode in the trips and trains model too, either directly as a field or maybe save the src and dest as IITKGP-CCU and extract the instiCode (IITKGP) from it, or maybe store the trainID and tripID as IITKGP-XXXXX. Or may be simply match the email domain too (considering every college will have a different domain). Find the most efficient, secure and fastest way to do this, considering we will have thousands of entries in the trips and trains database.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants