
Resolve "Handle end user authentication on application builder"

Jérémie Pardou requested to merge 2062-06-add-backend-jwt-auth into develop

What is in this MR

This MR adds the possibility to log in to a builder application. In this first version, we can use a login/password pair from a Baserow table to authenticate. To do that, a new "Auth form" element has been introduced:

image

This element takes a user source and displays the right login options according to the user source configuration (only email/password for now).

You can also preview the application with a certain user profile from any user source with this new user selector:

image

Sorry in advance for this big and complex review.

What is NOT in this MR

  • Logout action
  • After login event
  • No customization of email/password form labels/placeholders and button color
  • No visibility change for element/page
  • Auth form element only supports password for now and there is not really any generation logic
  • Passwords need encoded values in the text field (no password field yet but it's coming)
  • The login form becomes a logoff button when logged in, to be able to log out
  • No registration form (but you can manually create one from the user account table)
  • No password change
  • No refresh token update in the page editor and preview (not sure we need to implement that)

How to test this MR

The easiest way to start with is to use ./baserow populate_test_data in a backend shell container. This will populate most of the required elements to be able to use authentication.

To let you also create the application from scratch (because it's also a good idea to start from scratch), here are the necessary steps:

  • You need to create a user account table with at least 3 fields: an email (email, text or long text type), a username (text or long text) and a password field (text or long text for now).
  • Add a few rows in this table.
  • Then create an app and add a user source from the application settings modal.
  • Configure the user source to target the previously created table and fields.

Once you have this, you have something similar to the populate_test_data command, so the next steps are common:

  • Add the "auth form" element to a page and select the previously created user source. It should display the login form. If not, it means that your user source is not fully configured.
  • You can use the new "User" section in the data explorer to create formulas that use it. For instance you can use the user id to get the user row from the user account table. You can also filter a list data source with a link to the user account table by filtering this field with the user id. You can display the user email/username in a Profile page, ...
  • Publish the application.
  • Now you can test a few things (see the next section)

What to test?

As we don't have the password field yet, you have to hash your password in the table to make it work. To create a hash you can run the following in a backend shell (Django settings must be loaded, which is the case in the Baserow backend shell):

from django.contrib.auth.hashers import make_password
print(make_password('your password'))

  • In the editor
    • You can't use the login form from the editor
    • Check that if the user source is only partially configured, the login form is not displayed.
    • You can't select any field types for the email, username and password field anymore
    • You can see the application as any user source user by using the user selector in the preview navigation bar
    • You can switch back to an anonymous view from the same selector
    • Check that partially configured user sources are not visible in the user selector menu
    • Everything is updated after the user selection
    • When you change to another application the impersonated user is reset
    • If you reload the page, the impersonated user is reset
  • In the preview
    • You should be able to login with the users of the user account table
    • An error is displayed if the credentials are wrong
    • When logged in, you can log off by clicking on the button from the auth form element
    • If you reload the page, the impersonated user is reset
  • In the published version
    • You should be able to do pretty much the same as in the preview
    • If you reload the page, the impersonated user is kept as long as the refresh token is valid
    • Change the token lifetime in the backend config to check that the refresh token/access token are updated/expired as expected
    • You shouldn't be able to use a JWT token generated from one site to access another site
    • You shouldn't be able to use a JWT token generated for the preview to access a published site
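The last two checks above (a token from one site must not work on another, and a preview token must not work on a published site) come down to the verifier checking site- and mode-binding claims in addition to the signature and expiry. The following stand-alone HS256 example is added here to illustrate that check; it is not Baserow's code, and the claim names `site_id` and `mode`, the secret and the constructed test values are assumptions made for the illustration only.

```python
"""Added example (not Baserow's implementation): a minimal HS256 JWT issuer
and verifier that binds each token to one site and one mode (preview vs
published). The claim names `site_id` and `mode` are assumptions."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment takes this from settings.
SECRET = b"constructed-demo-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode_json(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(user_id, site_id, mode, lifetime=300, now=None):
    """Mint a token for `user_id` valid only on `site_id` in `mode`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": str(user_id),
        "site_id": site_id,   # assumed claim: which builder site the token is for
        "mode": mode,         # assumed claim: "preview" or "published"
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token, expected_site_id, expected_mode, now=None):
    """Return (payload, "ok") when the token is valid for this site and mode,
    otherwise (None, reason). Signature is checked before any claim is trusted."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        given_sig = _b64url_decode(s)
    except (ValueError, TypeError):
        return None, "malformed"
    expected_sig = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, given_sig):
        return None, "bad signature"
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    payload = json.loads(_b64url_decode(p))
    if payload.get("exp", 0) <= now:
        return None, "expired"
    if payload.get("site_id") != expected_site_id:
        return None, "wrong site"
    if payload.get("mode") != expected_mode:
        return None, "wrong mode"
    return payload, "ok"


if __name__ == "__main__":
    # Constructed walk-through of the cross-site and preview/published checks.
    tok = issue_token(7, "site-a", "published", now=1000)
    print(verify_token(tok, "site-a", "published", now=1100)[1])   # ok
    print(verify_token(tok, "site-b", "published", now=1100)[1])   # wrong site
    print(verify_token(issue_token(7, "site-a", "preview", now=1000),
                       "site-a", "published", now=1100)[1])        # wrong mode
```

The order of checks matters: the signature is verified first so that no claim (not even `exp`) is read from an unauthenticated token, and the site and mode comparisons are done against values the verifier already knows for the site it is serving, never against values taken from the token itself.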

Merge Request Checklist

  • changelog.md has been updated if required.
  • New/updated Premium/Enterprise features are separated correctly in the premium or enterprise folder
  • The latest Chrome and Firefox have been used to test any new frontend features
  • Documentation has been updated
  • Quality Standards are met
  • Performance: tables are still fast with 100k+ rows, 100+ field tables
  • The redoc API pages have been updated for any REST API changes
  • Our custom API docs are updated for changes to endpoints accessed via api tokens
  • The UI/UX has been updated following UI Style Guide

Closes #2062 (closed)

Edited by Jérémie Pardou
