refactor: Replace Addict with Guardian

[pmrukot]

Summary
Replaces Addict with Guardian. Basically changes whole authentication model.

Related issues
#39

Test plan
Manual + additional unit tests. Register and login are not integrated in Elm as a part of single page app.

TODO

• Delete Addict (libraries + templates)
• Setup Guardian
• Add login page
• Add registration page
• Add logout
• Persist token in local storage
• Add token while making request for resources
• Update channel token

NOTE(mrapacz|12-10-2017):

What still needs to be done before merging:

• A proper review
• Backend unit tests for registration and all the other stuff that appeared
• Moving the keys to envs and replacing the hardcoded values with System.get_env

[mrapacz]

😆

[pmrukot]

Thats super experimental PR, please do not laugh 😠

[pmrukot]

Added TODO section for easier tracking of a PR

[mrapacz]

Note that this PR's main goal is to swap the libraries.

• Adding logout is not an essential part of this PR, it may actually be easier to push it as a separate change (we were able to do without it so far, which means we should be able to do without it in this PR too).
• Adding login/registration page is not essential (at least not both of them at the same time). So far we were able to use only registration page to log in and test that everything works correctly and that may be enough to verify that PR changes are alright. In a separate PR we could extend the registration page with the login feature. If you introduce two different pages right now then it will be much more complex to merge them into one that would offer both registration and login later.

[pmrukot]

I'll make login/register page as one view. Idea of this PR is to make it work just as it was before. I agree that logout is not necessary but our users need to be able to register/login just as before.

[mrapacz]

This PR should contain whatever changes are needed to prove that addict was removed totally and guardian was successfully introduced. From that point we can begin to work paralelly on issues connected to that - logout for example (users didn't have an option to do that so far).

[pmrukot]

Everything is done, I think this is enough for first version. Im not sure about the case when the token expires but lets leave this case for now. Branch is also synchronised with master.

But I have another issues that are more important:

• need to verify if config is fine / add configuration for production
• need help with dialyzer
• mix.test is screaming something like:

== Compilation error on file lib/aion/endpoint.ex ==
** (UndefinedFunctionError) function Aion.Router.init/1 is undefined (module Aion.Router is not available)
    Aion.Router.init([])
    (plug) lib/plug/builder.ex:193: Plug.Builder.init_module_plug/3
    (plug) lib/plug/builder.ex:181: anonymous fn/4 in Plug.Builder.compile/3
    (elixir) lib/enum.ex:1755: Enum."-reduce/3-lists^foldl/2-0-"/3
    (plug) lib/plug/builder.ex:181: Plug.Builder.compile/3
    (phoenix) expanding macro: Phoenix.Endpoint.__before_compile__/1
    lib/aion/endpoint.ex:1: Aion.Endpoint (module)

So 2 important checks wont pass on CI (tests wont run and dialyzer also screams)

[pmrukot]

New login change:

New register page:

The rest is working as before. Can't wait to actually split this into two apps/repositories.

[pmrukot]

Start with manual tests, let's fix the CI and then start reviewing the code. Please checkout to this branch and if everything works for you as before.

[mrapacz]

Some of them are to-do-now issues, some of them are to be discussed. Fantastic job in general 👏 🔥 🎆 ✨

Too bad the PR is so big and the review takes so long 😆

[mrapacz]

There should be one Guardian config only in config.exs, it should import a proper key from the environment (which will vary depending on the environment).

[mrapacz]

Move the bracket to a new line.

[mrapacz]

There should be no spaces after { and before }

[mrapacz]

{ x }

[mrapacz]

{ samehere }

[mrapacz]

How about

getToken maybeToken = 
    case maybeToken of
        Just token -> token
        Nothing -> ""

[mrapacz]

This will get hugely simplified when we introduce setters, so I'm not going to ask you to fix it now.

[mrapacz]

🥇

[mrapacz]

Seriously, though, any idea for a better naming here? 😄

[mrapacz]

Plus if y and z are not needed then I suppose you could do \betterName _ _ -> betterName

[mrapacz]

We could move constants like this to a separate module or just out of this function and not hardcode them. (especially the latter one shouldn't be a lot of work, you could deal with that using the module @attributes which are conventional way of dealing with module constants in Elixir.

[pmrukot]

This is out of scope of this PR.

[mrapacz]

True

[mrapacz]

I'm still not sure about conventional way of dealing with nils, but this answer and Jose's answer suggest some solutions. I think the second one could actually be better (but it's just my personal opinion because I'm not a die hard fan of multiple function clauses). Here's how the first one could work:

def render("user.json", %user: user}) when is_nil user, do: %{}
def render("user.json", %user: user}), do: Map.fetch(user, [:id, :name, :email])

Similarly to my suggestion ^ in the second one you should definitely use Map.fetch/2

[pmrukot]

Would this work?

def render("user.json", %{user: nil}), do: %{}
def render("user.json", %{user: user}), do: Map.fetch(user, [:id, :name, :email])

[pmrukot]

Map.take/2*

[mrapacz]

yeah right, was looking at the docs and eventually used the wrong one
lgtm

[mrapacz]

successfully

[jtkpiotr]

this piece of code repeats many times ;) How about extracting it somewhere ;)

[jtkpiotr]

I agree but I would prefer to put it in authorization related module

[pmrukot]

I extracted unauthenticated function to errors.ex in views. Test setup is also extracted. As for making a generic request function I would need to put a little more effort into it. Apart from that most of the changes are applied, let me know what you think.

[mrapacz]

Move the rest of the common errors to the error file. As for the rest of the issues, if something is not to be fixed during this PR just make sure there is an existing issue for that, so that we don't forget to fix it in the future (like the request stuff in Elm) 😃

[mrapacz]

I guess the conventional way is to put it in the support/ and name it with _case:

[mrapacz]

Okay, let's leave it this way then

[mrapacz]

I thought this would also end up in errors.ex

[mrapacz]

Bump

[mrapacz]

@pmrukot if it doesn't get fixed now, it should be added as a follow-up issue (you can add it to changes listed in #56)

[mrapacz]

The jwt cannot be changed to token cause it would require a change in Guardian's implementation, right?

[mrapacz]

The tab here is redundant

[mrapacz]

I think it would be easier if the module names resembled the file names, just like they did so far (e.g. RoomChannel -> room_channel.ex, UserRecord -> user_record.ex)

It would be even better if their whole name would represent the filepath, but it's not doable so easily with Phoenix 1.2 architecture. But the file names can mirror the module names at least, it's easier to search through the repo then.

Also, this is part of a controller, not of a view. I think putting it in the same directory as all the controllers would be alright (the code wouldn't move that far in the whole project directory). You could name it then like Aion.ControllerErrors or something similar

[mrapacz]

I've moved the errors stuff to a separate module in controllers directory. I think it looks better now. Also, the imports used in all of the controllers can be stored in the web.ex to avoid repeating stuff.

One last thing that needs to be done is moving Guardian logic to conn_case.ex

We've moved to a lib that is widely used so you shouldn't have any problems finding resources in this area like this or this

[pmrukot]

@mrapacz Issue with conn_case is resolved by adding another test helper since one of our tests need to have different headers to work properly.

I've also added tests for Aion.Auth module.

I think we are ready to merge if all issues are resolved.

[mrapacz]

So if I understand right the AuthConnCase sets up a logged in conn for the tests and ConnCase doesn't? Just small nits, looks good to me apart from that, good job 👍

[mrapacz]

Just for the future, I think in general we could match the exact results (if it's possible), cause just checking for list's/tuple's length may not be the most accurate thing.

This is what we've been doing so far, so no need to fix it, just suggesting that we could take another approach in the future.

[pmrukot]

I wanted to do it but it was not possible since authenticated conn contains things that depend on time (I think some kind of timestamp).

Second thing is that the result is a tuple that is {:ok, login(conn, user)} and login method was tested above. Also its the only result that provides tuple that has length 2 so I think its fine (although not that scalable).

[mrapacz]

I guess this file is not needed anymore?

[pmrukot]

It is

19:52:22.599 [error] Task #PID<0.314.0> started from #PID<0.73.0> terminating
** (stop) exited in: GenServer.call(ExUnit.Server, {:take_async_cases, 16}, 60000)
    ** (EXIT) no process: the process is not alive or there's no process currently associated with the given name, possibly because its application isn't started

[mrapacz]

Also, make sure you update the description of PR and its title/commit message. As for the latter one - pro tip:
github browser extensions
especially refined github which will set the commit message automatically as the PR title + issue number

[pmrukot]

AuthConnCase is used used in all controllers tests apart from PageControllerTest - it uses old ConnCase since it requires different headers to pass and renders html, not json as other controllers.