Login page

[hbcarlos]

Added a new plugin that registers a new endpoint for the login page.

The login page has three ways of login, GitHub, token or anonymous.

The GitHub login throws a server error when redirecting, looks like the error comes from FastAPI Users when it tries to retrieve the user information from GitHub. I'll debug tomorrow.

Regarding the login with the token, I'm not sure how it works.

[welcome]

Thanks for submitting your first pull request! You are awesome! 🤗

If you haven't done so already, check out Jupyter's Code of Conduct. Also, please make sure you followed the pull request template, as this will help us review your contribution more quickly.

You can meet the other Jovyans by joining our Discourse forum. There is also a intro thread there where you can stop by and say Hi! 👋

Welcome to the Jupyter community! 🎉

[davidbrochart]

The GitHub login throws a server error when redirecting, looks like the error comes from FastAPI Users when it tries to retrieve the user information from GitHub. I'll debug tomorrow.

It works on my side. You need to pass your client_id and client_secret e.g. on the command line:

jupyverse --authenticator.client_id=my_client_id --authenticator.client_secret=my_client_secret

[hbcarlos]

Thanks, @davidbrochart! I was using the conf.toml as explained in the jupyverse-auth extension.

[davidbrochart]

Thanks, @davidbrochart! I was using the conf.toml as explained in the jupyverse-auth extension.

It should work too.

[hbcarlos]

How do the token works? How can I redirect the user to /lab adding the token provided by the user?

[davidbrochart]

It should work out of the box with FastAPI-Users, provided that you configured your GitHub OAuth App correctly:

[hbcarlos]

I have the correct callback URL, and it fails.
I think the error is because the app doesn't have enough permissions. When granting permission to Jupyverse to read my GitHub profile, it only asks for permission to read public information of my profile (my email is private). Then when logging in, there is an error when FastAPI_users tries to retrieve my email.

[hbcarlos]

Tests are failing because instead of returning 404 when the user doesn't have permissions, we redirect to the logging page, which returns a 200.

[hbcarlos]

Changed test to check if the server returns an HTML page instead of the 404.

[davidbrochart]

That looks great @hbcarlos !
On thing though, anonymous login doesn't seem to work for me (no effect when clicking), but maybe it's for a next PR?

[hbcarlos]

I can take a look at anonymous login on this PR too, should be an easy fix.

[hbcarlos]

Regarding the anonymous login, when using the flag --authenticator.mode=noauth automatically redirects to /lab without showing the login page. And if we use user or token, clicking in the anonymous link redirects to /lab in the login page, but we don't have permission, so we are redirected to the login page again.

[davidbrochart]

Regarding the anonymous login, when using the flag --authenticator.mode=noauth automatically redirects to /lab without showing the login page.

Yes, that's the expected behavior.

And if we use user or token, clicking in the anonymous link redirects to /lab in the login page, but we don't have permission, so we are redirected to the login page again.

That's because we first have to register the anonymous user.

[hbcarlos]

Oooh, got it. I'll implement it on this PR.

[hbcarlos]

I've been looking into the anonymous user, and I don't think it is the right approach to the problem.
With this solution, we don't have an anonymous user. We are just registering a new user with random values.
The proper solution would be to let users in and assign a cookie to identify them but not register them in the database.

[davidbrochart]

With this solution, we don't have an anonymous user. We are just registering a new user with random values.

Yes, the system is user-based, even if it's not a "real" user. The token user is also a user, with a token as his ID.

The proper solution would be to let users in and assign a cookie to identify them but not register them in the database.

But then other users won't be able to "see" anonymous users? For me, an anonymous user is just a regular user (maybe with less permissions) who didn't want to bother registering himself. There is no reason for him not to be in the database.

[hbcarlos]

Thanks, @davidbrochart. You are right.
We need to identify anonymous users somehow. Even if they don't have an identity, we need to know who is connected.

Can we merge this PR and open a new one to tackle the role-based access control? That would make it much easier to know what every user can do.

[davidbrochart]

Since there are quite a lot of changes in this last commit, could you explain a bit?

[hbcarlos]

Yes, yes. It would be best to chat and show you the code because I changed everything even though it was fine. Sorry for that.

[davidbrochart]

Sure, but it's also nice to have it written here, even a summary. At a high-level, what are you trying to achieve?

[hbcarlos]

Okay, I'll write it tomorrow. I need to do some more changes.

[davidbrochart]

IIUC both noauth and token authentication modes use the same "guest user"? I like that because it solves the settings persistence issue mentioned in #61 (comment).

[hbcarlos]

I'm not sure why the Check release is failing.

ERROR: Could not find a version that satisfies the requirement fps-login (from jupyverse) (from versions: none)
ERROR: No matching distribution found for fps-login

[hbcarlos]

The test in windows fails because we use termios doesn't work on Windows. How is it possible that the test didn't fail in other PRs?

https://stackoverflow.com/a/52063932

[davidbrochart]

How is it possible that the test didn't fail in other PRs?

We don't install fps-terminals in the main branch.

[hbcarlos]

Thanks, @davidbrochart!

It is still missing the check release test that I don't know why it is failing.

[davidbrochart]

I think we can ignore that, as fps-login has not been published on PyPI yet.

[hbcarlos]

What is missing to merge this PR and continue with Authorization?

[davidbrochart]

The CI failure is caused by FPS master, see jupyter-server/fps#49.
cc @adriendelsalle

[davidbrochart]

I think it would be better to return a 401 when no login plugin is installed.

[hbcarlos]

Yes, but that depends on auth_config.login_url if it exists, will always redirect.

[davidbrochart]

I would say that's the responsibility of the user, if they set a login_url without installing a login plugin, it's a 404, otherwise it's a 401?

[hbcarlos]

But the login_url is in fps_auth config and defaults to /login. Is there a way to default to None and then the fps_login plugin modifies the auth_config to set the desired URL?

[welcome]

Congrats on your first merged pull request in this project! 🎉

Thank you for contributing, we are very proud of you! ❤️

[davidbrochart]

Thanks @hbcarlos !