Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Call before/after_successful_authorization callbacks on create as well as new #1075

Merged
merged 1 commit into from
Apr 11, 2018
Merged

Call before/after_successful_authorization callbacks on create as well as new #1075

merged 1 commit into from
Apr 11, 2018

Conversation

mdeutsch
Copy link

@mdeutsch mdeutsch commented Apr 6, 2018

Summary

The before/after_successful_authorization callbacks added in #1064 are only called on the new action. I think they should also be called on create to cover situations where the user must explicitly authorize the client.

Other Information

I also found that the callbacks can be run when authorization is not successful. I added some more tests and modified the existing code a bit.

This PR has some conflicts with my other PR, #1072. I'll resolve them but wanted to put this up for review.

cc @nattfodd

@nbulaj
Copy link
Member

nbulaj commented Apr 6, 2018

So the callback will be invoked twice? Looks strange from my point of view...

Moreover, maybe it will be better to move the hooks under the Authorization class instead of controller? It will DRY the code at least

@nattfodd
Copy link
Contributor

nattfodd commented Apr 7, 2018

So the callback will be invoked twice? Looks strange from my point of view...

+1. I would rather rename callback in create(or both?) into something different, so it would be 2 different callbacks.

Moreover, maybe it will be better to move the hooks under the Authorization class instead of controller? It will DRY the code at least

As I mentioned in previous PR, we need controller's scope in that callback (i.e. for interacting with cookies/sessions).

@nbulaj
Copy link
Member

nbulaj commented Apr 7, 2018

We can use existing callbacks, but add an extra argument - action ('new' or 'create'). Controller ais already passed with the context argument, so you already has an access to cookies or request.

@mdeutsch
Copy link
Author

mdeutsch commented Apr 7, 2018

I think the new vs. create question depends on the purpose of these callbacks. Are they intended to be invoked when an authorization code or access token is returned? If so, that can happen in either the new or create action, but they'll only be invoked once during any given authorization flow:

  • If the user is required to explicitly authorize the client, then:
    • new just presents a prompt to the user and doesn't invoke the callbacks
    • create generates the auth code/token and does invoke them
  • If the skip_authorization callback returned true or the user previously granted permission, then:
    • new generates the auth code/token and invokes the callbacks
    • create is never hit

The duplicated code (before + authorize + after) could easily be extracted into a new method, perhaps into #authorize_response from my other PR.

I looked at moving the hooks into the request objects like the before/after_successful_response hooks in BaseRequest. That's possible -- we could pass the server into the request, which would provide the necessary controller context -- but it would change the signature of Code/TokenRequest#initialize and impact anyone using those classes. If you're ok with that (I see these PRs are targeting version 5.0), I can try making that change.

@nbulaj nbulaj added this to the 5.0 milestone Apr 9, 2018
@mdeutsch mdeutsch force-pushed the call_authz_callbacks_on_create branch from 9e76d9e to 68165b5 Compare April 10, 2018 13:00
@mdeutsch
Copy link
Author

I've rebased onto master and extracted some of the duplicated code. Now the callbacks are closer to the Authorization class and I think the intent is clearer: that the callbacks are invoked when the request is successfully authorized.

nbulaj
nbulaj reviewed Apr 11, 2018
View reviewed changes
app/controllers/doorkeeper/authorizations_controller.rb Outdated
@@ -84,7 +80,13 @@ def strategy
end

def authorize_response
@authorize_response ||= strategy.authorize
@authorize_response ||= begin
valid = pre_auth.authorizable?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's rename it to authorizable to be closer to implementation and the essentials of this method. What do you think?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call -- I'll change it.

@nbulaj
Copy link
Member

nbulaj commented Apr 11, 2018

Look better now. Don't forget to add a changelog entry to NEWS.md and squash the commits :) Thanks!

@nbulaj nbulaj self-assigned this Apr 11, 2018
@mdeutsch mdeutsch force-pushed the call_authz_callbacks_on_create branch from 68165b5 to dd42847 Compare April 11, 2018 14:22
@mdeutsch
Copy link
Author

OK, I renamed the variable, added a changelog entry, and squashed/rebased.

@nbulaj nbulaj merged commit f9eaf83 into doorkeeper-gem:master Apr 11, 2018
@nbulaj
Copy link
Member

nbulaj commented Apr 11, 2018

Got it, thank you for your work! 👍

@mdeutsch mdeutsch deleted the call_authz_callbacks_on_create branch April 13, 2018 18:18
@fotos fotos mentioned this pull request May 31, 2019
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nbulaj nbulaj nbulaj left review comments

Assignees

@nbulaj nbulaj

Labels
enhancement
Projects
None yet
Milestone
5.0
Development

Successfully merging this pull request may close these issues.
3 participants
@mdeutsch @nbulaj @nattfodd