6
92
Fork
You've already forked gamja
30

Implement OAuth state passing; PKCE; and pushed authentication requests #210

Open
irenes wants to merge 5 commits from irenes/gamja:oauth into master
pull from: irenes/gamja:oauth
merge into: emersion:master
emersion:master
emersion:typescript
emersion:unnecessary-const
emersion:eslint-extra
First-time contributor
Copy link

These are three standard OAuth features which are mandatory in many common configurations. I did my best to separate these out into individual commits, for ease of reviewing. I believe these each work individually. I've tested these against Authelia, configured with its recommended strict settings, having gamja act as a "public" oauth client (since it runs in the browser, it has no way to protect a client secret). I did my best to stick to the RFCs, and I expect it will work in other configurations and with other software, but I haven't tested it.

There's also a commit in here that adds a version number to package.json. I did that because my infrastructure uses nix and the nix build tooling for JavaScript prefers to have a version number there. I don't have strong feelings about that one, I'm happy to exclude it from the PR if you prefer.

These are three standard OAuth features which are mandatory in many common configurations. I did my best to separate these out into individual commits, for ease of reviewing. I believe these each work individually. I've tested these against Authelia, configured with its recommended strict settings, having gamja act as a "public" oauth client (since it runs in the browser, it has no way to protect a client secret). I did my best to stick to the RFCs, and I expect it will work in other configurations and with other software, but I haven't tested it. There's also a commit in here that adds a version number to package.json. I did that because my infrastructure uses nix and the nix build tooling for JavaScript prefers to have a version number there. I don't have strong feelings about that one, I'm happy to exclude it from the PR if you prefer.
I was unable to find a standard specifically requiring this, but Authelia does, and it seems like that's a good choice security-wise. it is required for the token endpoint (and gamja already implements that requirement), and all the same considerations apply to the introspection
endpoint.
add a version number to package.json
Some checks reported errors
builds.sr.ht Job failed
43f715ee79
this is nominally required by the format, and it reduces how fiddly it is to build gamja under nix
Author
First-time contributor
Copy link

I see that there's lint failures, but I'll wait for feedback before addressing that.

I see that there's lint failures, but I'll wait for feedback before addressing that.
Author
First-time contributor
Copy link

it looks like this was closed by an automated system; I would like to reaffirm that I still think it would be awesome for this to be merged. I realize there's a lint failure, and the reason I haven't addressed that is that I also wanted feedback on the overall approach to be sure it's what upstream wants before I worry about formatting.

from looking at the history of PR discussion on here, it kind of looks like nothing big ever really gets merged. so I've diverted my own efforts to maintaining a private fork, which has additional features, not just this PR. I have been grappling with whether it would be rude of me to make it a public fork; thoughts on that topic are welcome.

I think gamja is a cool project that I enjoy using! that's why I'm attempting to contribute to it. I'm just making the call that there's no point in trying to do that unless there's some form of communication about it. I wish you all the best, whatever you decide.

it looks like this was closed by an automated system; I would like to reaffirm that I still think it would be awesome for this to be merged. I realize there's a lint failure, and the reason I haven't addressed that is that I also wanted feedback on the overall approach to be sure it's what upstream wants before I worry about formatting. from looking at the history of PR discussion on here, it kind of looks like nothing big ever really gets merged. so I've diverted my own efforts to maintaining a private fork, which has additional features, not just this PR. I have been grappling with whether it would be rude of me to make it a public fork; thoughts on that topic are welcome. I think gamja is a cool project that I enjoy using! that's why I'm attempting to contribute to it. I'm just making the call that there's no point in trying to do that unless there's some form of communication about it. I wish you all the best, whatever you decide.

Not sure what would trigger PRs to be closed automatically, nothing should.

My attention is spread across many projects, so it may take me time to get to this one. I'm definitely interested in reviewing. Feel free to ping me every two weeks or so for feedback.

Please have a look at other PRs, some have some overlap with this one. If you want to make your PR easier to review for me, guidelines in CONTRIBUTING.md could help.

Not sure what would trigger PRs to be closed automatically, nothing should. My attention is spread across many projects, so it may take me time to get to this one. I'm definitely interested in reviewing. Feel free to ping me every two weeks or so for feedback. Please have a look at other PRs, some have some overlap with this one. If you want to make your PR easier to review for me, guidelines in [CONTRIBUTING.md](https://github.com/emersion/.github/blob/main/CONTRIBUTING.md) could help.
Some checks reported errors
builds.sr.ht Job failed
This pull request can be merged automatically.
This branch is out-of-date with the base branch
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u oauth:irenes-oauth
git switch irenes-oauth

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch master
git merge --no-ff irenes-oauth
git switch irenes-oauth
git rebase master
git switch master
git merge --ff-only irenes-oauth
git switch irenes-oauth
git rebase master
git switch master
git merge --no-ff irenes-oauth
git switch master
git merge --squash irenes-oauth
git switch master
git merge --ff-only irenes-oauth
git switch master
git merge irenes-oauth
git push origin master
Sign in to join this conversation.
No reviewers
No labels
bug
enhancement
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
emersion/gamja!210
Reference in a new issue
emersion/gamja
No description provided.
Delete branch "irenes/gamja:oauth"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?