Readonly trigger for _Session hook #5155

georgesjamous · 2018-10-29T16:41:13Z

Allowing a ReadOnly trigger on the session targetting this workflow:

beforeSave: triggered whenever a session is created.
Thrown errors during signup are ignored; to cancel signup a hook on _User can be used.
Thrown errors during login prevent the user from login in, a session will no be created.
Any edits to the session object will be discarded.

beforeDelete: thrown errors are discarded.

no restrictions on afterSave or afterDelete.

beforeFind and afterFind are not allowed on _Session. (not changed from before)

@flovilmart does this seem okay?

georgesjamous · 2018-10-29T16:43:41Z

src/RestWrite.js

 };

 // Returns an updated copy of the object
 RestWrite.prototype.buildUpdatedObject = function(extraData) {
-  const updatedObject = triggers.inflate(extraData, this.originalData);
+  let updatedObject = triggers.inflate(extraData, this.originalData);
  Object.keys(this.data).reduce(function(data, key) {


I did not really understand what is the purpose of this reduce.
Didn't touch it, but RestWrite.prototype.buildUpdatedObject = function(extraData) { could be fixed to have less duplicated code (like inflating twice in the case of session)

Please revert to const

codecov · 2018-10-29T16:47:47Z

Codecov Report

Merging #5155 into master will decrease coverage by 0.12%.
The diff coverage is 86.66%.

@@            Coverage Diff             @@
##           master    #5155      +/-   ##
==========================================
- Coverage   93.93%   93.81%   -0.13%     
==========================================
  Files         123      123              
  Lines        8975     8954      -21     
==========================================
- Hits         8431     8400      -31     
- Misses        544      554      +10

Impacted Files	Coverage Δ
src/triggers.js	`93.15% <83.33%> (-1.17%)`	⬇️
src/RestWrite.js	`92.79% <91.66%> (-0.46%)`	⬇️
src/LiveQuery/Client.js	`97.43% <0%> (-2.57%)`	⬇️
src/Adapters/Storage/Mongo/MongoStorageAdapter.js	`91.48% <0%> (-0.73%)`	⬇️
src/Adapters/Storage/Mongo/MongoCollection.js	`97.29% <0%> (-0.14%)`	⬇️
src/LiveQuery/ParseLiveQueryServer.js	`87.46% <0%> (-0.12%)`	⬇️
...dapters/Storage/Postgres/PostgresStorageAdapter.js	`97.08% <0%> (-0.08%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2d7b992...999ac90. Read the comment docs.

flovilmart

Why do we treat session creation differently when singing up than in logging in?

flovilmart · 2018-10-29T16:51:20Z

src/RestWrite.js

@@ -1482,20 +1482,25 @@ RestWrite.prototype.objectId = function() {
 };

 // Returns a copy of the data and delete bad keys (_auth_data, _hashed_password...)
-RestWrite.prototype.sanitizedData = function() {
+RestWrite.prototype.sanitizedData = function(decodeData = true) {


I don’t recommend passing default paramètres as truths, as different implementations with bottom values will produce different results (undefined, null,false)

i will set it to false by default, but didn't know if its being used somewhere else. Was afraid from breaking something. Tests will show anyhow.

False / undefined /null should be the default behavior. If true is passed, then we should use the new code path

flovilmart · 2018-10-29T16:52:09Z

src/RestWrite.js

 };

 // Returns an updated copy of the object
 RestWrite.prototype.buildUpdatedObject = function(extraData) {
-  const updatedObject = triggers.inflate(extraData, this.originalData);
+  let updatedObject = triggers.inflate(extraData, this.originalData);
  Object.keys(this.data).reduce(function(data, key) {


Please revert to const

flovilmart · 2018-10-29T16:52:41Z

src/RestWrite.js

+    // This is okay, since sessions are mostly never updated, only created or destroyed.
+    // Additionally sanitizedData should be kept in json, not decoded.
+    // because '.inflate' internally uses '.fromJSON' so it expects data to be JSON to work properly.
+    updatedObject = triggers.inflate(extraData, this.sanitizedData(false));


Please do an early return instead

flovilmart · 2018-10-29T16:53:38Z

src/triggers.js

@@ -31,7 +37,7 @@ const baseStore = function() {
 };

 function validateClassNameForTriggers(className, type) {
-  const restrictedClassNames = ['_Session'];
+  const restrictedClassNames = [];
  if (restrictedClassNames.indexOf(className) != -1) {


What’s the point of keeping that? Perphas use ‘readOnlyClassNames’ instead

no point, will remove it

flovilmart · 2018-10-29T16:56:20Z

src/triggers.js

+      // handle special readOnlyTriggers cases
+      if (isReadOnlyTrigger) {
+        // Ignore thrown errors in beforeDelete & during login.
+        // We should prevent login from breaking if an error is thrown during the process,


If it’s a readOnlyTrigger, why would we perform additional checks?

If the trigger is a simple event based one errors should simply get ignored. So it should resolved always.

I want to give the possibility to reject a login, rejecting all readOnlyTrigger events would get in the way of that.
I am thinking now of refactoring the name to sessionTrigger rather than readonlyTrigger, it seems more appropriate.

georgesjamous · 2018-10-29T17:21:54Z

Why do we treat session creation differently when singing up than in logging in?

Rejecting a session during signup will not prevent the RestWrite from creating the user, it will require a bit more refactoring to achieve this, since a user is created before the session.
We would need to roll back and delete the created user.

Rejecting a signup can be done on user triggers, while a session could be used to track logins and reject them for existing users, and maybe later on use them for 2fa capability.

Once a user is signed up (and an account is created _User) there seems to be no point in rejecting a session.

flovilmart · 2018-10-29T17:27:20Z

But still creating a user is one thing, creating a session is another thing. Either it is fully ignore or it isn’t.

flovilmart · 2018-10-29T17:57:57Z

Once a user is signed up (and an account is created _User) there seems to be no point in rejecting a session.

Preventing a logIn? Ensuring users have gone through a verification step before actually have credentials etc... lots of reasons actually to prevent session creation. Whicj is exactly the point no?

georgesjamous · 2018-10-29T18:08:49Z

So you think both should be independent ?

Rejecting a session during signup should not rollback and delete the user,
just prevent the session from being created. Let the user be created normally.
Rejecting a session during login should prevent the user from being logged in.

flovilmart · 2018-10-29T18:19:42Z

What do you think?

flovilmart · 2018-10-29T18:20:40Z

And what are you trying to achieve with the PR, because if it’s simply having hooks in session, I believe there is an ulterior motive

georgesjamous · 2018-10-29T18:55:10Z

I think its good, i will look into it.

_{Sent with GitHawk}

georgesjamous · 2018-10-29T18:55:46Z

Yea, just that i need to cancel some logins easily. There are other ways though, but a session hook is the most direct way.

_{Sent with GitHawk}

georgesjamous · 2018-10-30T09:53:26Z

How about something like this ?
session hooks should now be following the workflow you suggested.

The only error that gets ignored is in beforeDelete.
On signup, the user will be created normally just without a session token.

flovilmart · 2018-11-10T14:56:43Z

Sorry for the late response! Sounds good then.

If errors are thrown in session’s before Delete, then we should probably indicate by a log that it will continue and proceed

flovilmart

Overall we’re very close. Just a few nits and we’ll be great!