feat(auth): implemented NextAuth with dummy provider

[connordoman]

Signed-off-by: Connor Doman connor@connordoman.dev

The current configuration uses a dummy provider that checks a plaintext password against hardcoded values. NextAuth is modular so this can be changed later on with custom database and Cognito providers. NextAuth also recommends using a prefabbed provider like these to avoid opening security holes from babysitting passwords manually.

Currently, the example login UI at app/page.tsx redirects to NextAuth's template form for a custom provider. We will override this behavior in #30 by passing credentials into signIn().

The README also contains updated info for what's required in your .env.local (located inside front-end).

[connordoman]

Resolves #29

[tthvo]

Rebase on top of develop pls and resolve conflicts pls :))

[nganphan123]

Seems like the user credential is not encrypted yet?

[connordoman]

@nganphan123 No, it is currently only comparing plaintext to plaintext. Encryption probably deserves its own branch

[tthvo]

Hey @connordoman, thanks for the awesome research and work done here.

Editted: See #33 (comment) for updates.

[tthvo]

@COSC-499-W2023/team-1 Hey team,

Have we considered exploring NextJS middleware with http://www.passportjs.org/? Then, we can break out of AuthNext requirements. Then, there can be 2 ways of authencation via HTTP Autho a rization Header

• Basic: use users.properties file.
• Beater: OAuth with Cognito. Supported only OpenShift (OCP).

This way, users on k8s can choose Basic Auth without having to find domain name. While on OCP, we can automatically grab that from Routes.

[connordoman]

Looking into passport from the Next.js docs: https://nextjs.org/docs/pages/building-your-application/routing/authenticating#authentication-providers

Next.js also lists iron-session as a "stateless session utility" so I will check that out too.

Worst case scenario for Week 9 we use the system as-is and update it afterwards

Opened #39

[tthvo]

Just editted my comment. I think when u set jwt in NextAuth configurations, that should use stateless session. However, it was not realyl clear tho haha.

[connordoman]

I'll continue to look into it to see if there's a solution to our .env issue from today. My only concern up front is a more challenging integration with Cognito

[tthvo]

@connordoman I think we can use this for cognito. https://www.npmjs.com/package/aws-jwt-verify. The web client can send a bearer token (taken from Cognito Auth) in all its request and the NextJS can just verify it on middleware.

[tthvo]

Let's bring the suggestions above about setting up users.properties to middleware implementation and close this for now. And let's put AuthJS in backlog and come back this later on when we have time.

If passport works well, we can just use that and don't have to touch NextAuth anymore. Wdu think?

[tthvo]

Close in favor of #39

[connordoman]

@COSC-499-W2023/team-1 can we merge this

[connordoman]

ping @nganphan123 @MyStackOverflows @tthvo

[tthvo]

Rebase on top of origin/develop first pls.

[tthvo]

Very nice indeed.

[MyStackOverflows]

overall looks great, awesome work Connor!