Authentication Module Refactor

[ajeshbaby]

• Rewrite/Refactor the authentication server to make it lightweight and modular so that
  • It can be moved into a separate repository
  • Handle different authentication modules
    • Local
    • Gmail Auth (Mandatory)
    • Github (Optional)
• Need a feature to reset the existing password.

[Debanitrkl]

@rajdas98 @ajeshbaby I'm interested in this project. Could you help me with some resources to begin

[imrajdas]

Hi @Debanitrkl, This issue is locked for GSoC 2021, Feel free to send a proposal once GSoC announces this project.

[specter25]

@rajdas98 hi sir i am interested to contribute to this project in GSoC 2021 . Could you provide me with some additional resources if available . I did study the code of the authentication server ( https://github.com/litmuschaos/litmus/tree/master/litmus-portal/authentication ) . I believe the gmail auth and github auth is yet not implemented .

[Debanitrkl]

Hi @Debanitrkl, This issue is locked for GSoC 2021, Feel free to send a proposal once GSoC announces this project.

Yes sir I'm interested for contributing through GSoC, would start writing my proposal soon, just wanted to get started with the code base of authentication server

[specter25]

@rajdas98 the current auth setup uses "mgo" go package which is not well maintained as compared to the official go.mongodb.org/mongo-driver/mongo driver , should we prefer using the official mongo-driver in the new api ?

[gdsoumya]

Yes you have to use the official mongo go driver

[specter25]

@rajdas98 @gdsoumya , sir one more doubt , the current implementation uses mongodb for session management but i believe using redis is a better solution for session management . So should we go with mongodb or switch to redis for managing sessions ?

[gdsoumya]

There is no session management I believe, we use jwt tokens for authorization so session management in the true sense is not needed in our case.

[specter25]

okay sir thanks .

[imrajdas]

@specter25 , Currently, we are not planning to use other db. The goal of this project is to make the auth-server light-weight and add other thirty party integration.

[specter25]

Okay sir got it .

[DarthBenro008]

@rajdas98 by light-weight, in what aspects is it expected to be light? lesser third party dependencies? or more memory efficient paradigms of code? A quick gist would be insightful!

[imrajdas]

@rajdas98 by light-weight, in what aspects is it expected to be light? lesser third party dependencies? or more memory efficient paradigms of code? A quick gist would be insightful!

Currently, authentication-server has a lot of unnecessary code complexity and uses some outdated packages like mgo. Also, we have seen authentication-server taking more memory than graphql-server.

The first goal of this project would be to rewrite/refactor to make it simple, light-weight and modular, and the second goal is to add the google and GitHub auth integration.

@gdsoumya Do you want to add anything?

[specter25]

@rajdas98 @gdsoumya as we have to create a light weight server , so should I implement the functionality of refresh token in the custom (jwt auth) so that the token automatically refreshes after it expires and the user doesn't has to login again or leave it ?

[gdsoumya]

I don't think we need refresh tokens, this will change the auth flow which we don't want to do right now. Adding refresh tokens will also need to be complemented with blacklisting or revoke feature or else it will be vulnerable to attacks. Currently I think asking the user to log back in is a better approach and more secure, because if by chance the refresh token is exposed(and goes undetected) the attacker can gain access to critical resources which we do not want.

[specter25]

Yeah i agree . Got it . Thanks for helping :)

[imrajdas]

Hi folks,
Google Summer of Code just opened the portal for student's applications. Feel free to submit your proposal before the deadline. Following are the things we need in the proposal.

• Description of the problem (Mandatory)
• Solution according to your opinion (Mandatory)
• Relevant work experience and skills (Mandatory)
• Deliverables with proper timeline (Mandatory)
• Willingness to take other issues after the primary task (Optional)
• Proof of Concept (Optional)

  For PoC, push your code to a private repo and make me(rajdas98) a collaborator to that repo.

• Time availability during the period (Mandatory)
• Questions/Notes for the mentor (Optional)

Note(s):

• Early/late submission doesn't increase the chances of selection/rejection
• We will try to do a quick video conference with the suitable candidates before the GSoC result.

Best of luck,
Raj

[specter25]

sure sir . Thanks for the heads up :)

[imrajdas]

Hi folks,
The application deadline is coming close. Please make sure to submit the proposal from the GSoC dashboard before April 13 2021 18:00 UTC

[specter25]

sure sir .