Generate resume tokens, even though they cannot be used for login.

[dwrensha]

This commit to Wekan caused attachment uploads to break when the app is run in Sandstorm. The problem is that CollectionFS relies on resume tokens, and meteor-accounts-sandstorm v0.2 stopped providing resume tokens for Sandstorm users.

With this patch, we generate a resume token upon each login so that libraries like CollectionFS can use them. Highlander Mode prevents them from actually being used to successfully log in.

[kentonv]

Hmm, in theory the "right thing" to do here is to have CollectionFS look at X-Sandstorm-User-Id or X-Sandstorm-Permissions rather than rely on resume tokens. Does CollectionFS provide any hooks for this?

[dwrensha]

CollectionFS needs to map PUT requests to users, so that Wekan's attachment authorization logic can work. At the point in the code where CollectionFS does this mapping, there is no enclosing Meteor method and hence no connection on which sandstormUser() could be called.

The request handlers are registered through HTTP.methods(), which does allow specifying a custom "auth" callback. If there were a way to modify already-registered handlers, then maybe we could modify CollectionFS's request handler to use our own "auth" callback. Unfortunately, there does not actually appear to be a way to do that.

[kentonv]

CollectionFS needs to map PUT requests to users,

And those PUT requests have the Sandstorm headers, right? So you shouldn't need sandstormUser()...

[dwrensha]

Right, in theory the app can use those headers. In practice, it looks like doing so will involve some intrusive modifications.

[dwrensha]

Hm. I suppose one issue with generating resume tokens like this is that they will tend to accumulate. For each new session, a user will get a new entry in services.resume.loginTokens, and that entry won't expire for months.

[dwrensha]

Update: if I apply the folowing monkey patch, then Wekan seems to work correctly without the need for resume tokens:

  const _httpMethods = HTTP.methods;
  HTTP.methods = (newMethods) => {
    Object.keys(newMethods).forEach((key) =>  {
      if (newMethods[key].auth) {
        newMethods[key].auth = function() {
          const sandstormID = this.req.headers['x-sandstorm-user-id'];
          const user = Meteor.users.findOne({"services.sandstorm.id": sandstormID});
          return user && user._id;
        };
      }
    });
    _httpMethods(newMethods);
  };

This also requires adding the "http" package to Wekan's .meteor/packages.

It's still unclear to me whether it would be better to require apps to include this monkey patch or whether it would be better to do the resume token thing as proposed in this pull request.

Or perhaps it might work to include this monkey patch as part of meteor-accounts-sandstorm. For the monkey patch to succeed, we would need to make sure that the meteor-http-methods package loads before we apply it.