gotrue's Introduction

GoTrue

User management for APIs

GoTrue is a small open-source API written in Golang that can act as a self-standing API service for handling user registration and authentication for Jamstack projects.

It's based on OAuth2 and JWT and will handle user signup, authentication and custom user data.

Configuration

You may configure GoTrue using either a configuration file named .env, environment variables, or a combination of both. Environment variables are prefixed with GOTRUE_, and will always have precedence over values provided via file.

Top-Level

GOTRUE_SITE_URL=https://example.netlify.com/

SITE_URL - string required

The base URL your site is located at. Currently used in combination with other settings to construct URLs used in emails.

OPERATOR_TOKEN - string Multi-instance mode only

The shared secret with an operator (usually Netlify) for this microservice. Used to verify requests have been proxied through the operator and the payload values can be trusted.

DISABLE_SIGNUP - bool

When signup is disabled the only way to create new users is through invites. Defaults to false, all signups enabled.

GOTRUE_RATE_LIMIT_HEADER - string

Header on which to rate limit the /token endpoint.

API

GOTRUE_API_HOST=localhost
PORT=9999

API_HOST - string

Hostname to listen on.

PORT (no prefix) / API_PORT - number

Port number to listen on. Defaults to 8081.

API_ENDPOINT - string Multi-instance mode only

Controls what endpoint Netlify can access this API on.

REQUEST_ID_HEADER - string

If you wish to inherit a request ID from the incoming request, specify the name in this value.

Database

GOTRUE_DB_DRIVER=mysql
DATABASE_URL=root@localhost/gotrue

DB_DRIVER - string required

Chooses what dialect of database you want. Must be mysql.

DATABASE_URL (no prefix) / DB_DATABASE_URL - string required

Connection string for the database.

DB_NAMESPACE - string

Adds a prefix to all table names.

Migrations Note

Migrations are not applied automatically, so you will need to run them after you've built gotrue.

  • If built locally: ./gotrue migrate
  • Using Docker: docker run --rm gotrue gotrue migrate

Logging

LOG_LEVEL=debug # available without GOTRUE prefix (exception)
GOTRUE_LOG_FILE=/var/log/go/gotrue.log

LOG_LEVEL - string

Controls what log levels are output. Choose from panic, fatal, error, warn, info, or debug. Defaults to info.

LOG_FILE - string

If you wish logs to be written to a file, set log_file to a valid file path.

Opentracing

Currently, only the Datadog tracer is supported.

GOTRUE_TRACING_ENABLED=true
GOTRUE_TRACING_HOST=127.0.0.1
GOTRUE_TRACING_PORT=8126
GOTRUE_TRACING_TAGS="tag1:value1,tag2:value2"
GOTRUE_SERVICE_NAME="gotrue"

TRACING_ENABLED - bool

Whether tracing is enabled or not. Defaults to false.

TRACING_HOST - bool

The tracing destination.

TRACING_PORT - bool

The port for the tracing host.

TRACING_TAGS - string

A comma separated list of key:value pairs. These key value pairs will be added as tags to all opentracing spans.

SERVICE_NAME - string

The name to use for the service.

JSON Web Tokens (JWT)

GOTRUE_JWT_SECRET=supersecretvalue
GOTRUE_JWT_EXP=3600
GOTRUE_JWT_AUD=netlify

JWT_SECRET - string required

The secret used to sign JWT tokens with.

JWT_EXP - number

How long tokens are valid for, in seconds. Defaults to 3600 (1 hour).

JWT_AUD - string

The default JWT audience. Use audiences to group users.

JWT_ADMIN_GROUP_NAME - string

The name of the admin group (if enabled). Defaults to admin.

JWT_DEFAULT_GROUP_NAME - string

The default group to assign all new users to.

External Authentication Providers

We support bitbucket, github, gitlab, and google for external authentication. Use the names as the keys underneath external to configure each separately.

GOTRUE_EXTERNAL_GITHUB_CLIENT_ID=myappclientid
GOTRUE_EXTERNAL_GITHUB_SECRET=clientsecretvaluessssh

No external providers are required, but you must provide the required values if you choose to enable any.

EXTERNAL_X_ENABLED - bool

Whether this external provider is enabled or not

EXTERNAL_X_CLIENT_ID - string required

The OAuth2 Client ID registered with the external provider.

EXTERNAL_X_SECRET - string required

The OAuth2 Client Secret provided by the external provider when you registered.

EXTERNAL_X_REDIRECT_URI - string required for gitlab

The URI an OAuth2 provider will redirect to with the code and state values.

EXTERNAL_X_URL - string

The base URL used for constructing the URLs to request authorization and access tokens. Used by gitlab only. Defaults to https://gitlab.com.

E-Mail

Sending email is not required, but highly recommended for password recovery. If enabled, you must provide the required values below.

GOTRUE_SMTP_HOST=smtp.mandrillapp.com
GOTRUE_SMTP_PORT=587
GOTRUE_SMTP_USER=[email protected]
GOTRUE_SMTP_PASS=correcthorsebatterystaple
GOTRUE_SMTP_ADMIN_EMAIL=[email protected]
GOTRUE_MAILER_SUBJECTS_CONFIRMATION="Please confirm"

SMTP_ADMIN_EMAIL - string required

The From email address for all emails sent.

SMTP_HOST - string required

The mail server hostname to send emails through.

SMTP_PORT - number required

The port number to connect to the mail server on.

SMTP_USER - string

If the mail server requires authentication, the username to use.

SMTP_PASS - string

If the mail server requires authentication, the password to use.

SMTP_MAX_FREQUENCY - number

Controls the minimum amount of time that must pass before sending another signup confirmation or password reset email. The value is the number of seconds. Defaults to 900 (15 minutes).

MAILER_AUTOCONFIRM - bool

If you do not require email confirmation, you may set this to true. Defaults to false.

MAILER_URLPATHS_INVITE - string

URL path to use in the user invite email. Defaults to /.

MAILER_URLPATHS_CONFIRMATION - string

URL path to use in the signup confirmation email. Defaults to /.

MAILER_URLPATHS_RECOVERY - string

URL path to use in the password reset email. Defaults to /.

MAILER_URLPATHS_EMAIL_CHANGE - string

URL path to use in the email change confirmation email. Defaults to /.

MAILER_SUBJECTS_INVITE - string

Email subject to use for user invite. Defaults to You have been invited.

MAILER_SUBJECTS_CONFIRMATION - string

Email subject to use for signup confirmation. Defaults to Confirm Your Signup.

MAILER_SUBJECTS_RECOVERY - string

Email subject to use for password reset. Defaults to Reset Your Password.

MAILER_SUBJECTS_EMAIL_CHANGE - string

Email subject to use for email change confirmation. Defaults to Confirm Email Change.

MAILER_TEMPLATES_INVITE - string

URL path to an email template to use when inviting a user. SiteURL, Email, and ConfirmationURL variables are available.

Default Content (if template is unavailable):

<h2>You have been invited</h2>

<p>You have been invited to create a user on {{ .SiteURL }}. Follow this link to accept the invite:</p>
<p><a href="{{ .ConfirmationURL }}">Accept the invite</a></p>

MAILER_TEMPLATES_CONFIRMATION - string

URL path to an email template to use when confirming a signup. SiteURL, Email, and ConfirmationURL variables are available.

Default Content (if template is unavailable):

<h2>Confirm your signup</h2>

<p>Follow this link to confirm your user:</p>
<p><a href="{{ .ConfirmationURL }}">Confirm your mail</a></p>

MAILER_TEMPLATES_RECOVERY - string

URL path to an email template to use when resetting a password. SiteURL, Email, and ConfirmationURL variables are available.

Default Content (if template is unavailable):

<h2>Reset Password</h2>

<p>Follow this link to reset the password for your user:</p>
<p><a href="{{ .ConfirmationURL }}">Reset Password</a></p>

MAILER_TEMPLATES_EMAIL_CHANGE - string

URL path to an email template to use when confirming the change of an email address. SiteURL, Email, NewEmail, and ConfirmationURL variables are available.

Default Content (if template is unavailable):

<h2>Confirm Change of Email</h2>

<p>Follow this link to confirm the update of your email from {{ .Email }} to {{ .NewEmail }}:</p>
<p><a href="{{ .ConfirmationURL }}">Change Email</a></p>

WEBHOOK_URL - string

URL of the webhook receiver endpoint. This will be called when events like validate, signup or login occur.

WEBHOOK_SECRET - string

Shared secret to authorize webhook requests. This secret signs the JSON Web Signature of the request. You should use this to verify the integrity of the request. Otherwise others can feed your webhook receiver with fake data.

WEBHOOK_RETRIES - number

How often GoTrue should try a failed hook.

WEBHOOK_TIMEOUT_SEC - number

Time between retries (in seconds).

WEBHOOK_EVENTS - list

Which events should trigger a webhook. You can provide a comma separated list. For example to listen to all events, provide the values validate,signup,login.

Endpoints

GoTrue exposes the following endpoints:

  • GET /settings

    Returns the publicly available settings for this gotrue instance.

    {
      "external": {
        "bitbucket": true,
        "github": true,
        "gitlab": true,
        "google": true
      },
      "disable_signup": false,
      "autoconfirm": false
    }
  • POST /signup

    Register a new user with an email and password.

    {
      "email": "[email protected]",
      "password": "secret"
    }

    Returns:

    {
      "id": "11111111-2222-3333-4444-5555555555555",
      "email": "[email protected]",
      "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00",
      "created_at": "2016-05-15T19:53:12.368652374-07:00",
      "updated_at": "2016-05-15T19:53:12.368652374-07:00"
    }
  • POST /invite

    Invites a new user with an email.

    {
      "email": "[email protected]"
    }

    Returns:

    {
      "id": "11111111-2222-3333-4444-5555555555555",
      "email": "[email protected]",
      "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00",
      "created_at": "2016-05-15T19:53:12.368652374-07:00",
      "updated_at": "2016-05-15T19:53:12.368652374-07:00",
      "invited_at": "2016-05-15T19:53:12.368652374-07:00"
    }
  • POST /verify

    Verify a registration or a password recovery. Type can be signup or recovery and the token is a token returned from either /signup or /recover.

    {
      "type": "signup",
      "token": "confirmation-code-delivered-in-email",
      "password": "12345abcdef"
    }

    password is required for signup verification if no existing password exists.

    Returns:

    {
      "access_token": "jwt-token-representing-the-user",
      "token_type": "bearer",
      "expires_in": 3600,
      "refresh_token": "a-refresh-token"
    }
  • POST /recover

    Password recovery. Will deliver a password recovery mail to the user based on email address.

    {
      "email": "[email protected]"
    }

    Returns:

    {}
  • POST /token

    This is an OAuth2 endpoint that currently implements the password, refresh_token, and authorization_code grant types.

    grant_type=password&[email protected]&password=secret
    

    or

    grant_type=refresh_token&refresh_token=my-refresh-token
    

    Once you have an access token, you can access the methods requiring authentication by setting the Authorization: Bearer YOUR_ACCESS_TOKEN_HERE header.

    Returns:

    {
      "access_token": "jwt-token-representing-the-user",
      "token_type": "bearer",
      "expires_in": 3600,
      "refresh_token": "a-refresh-token"
    }
  • GET /user

    Get the JSON object for the logged in user (requires authentication)

    Returns:

    {
      "id": "11111111-2222-3333-4444-5555555555555",
      "email": "[email protected]",
      "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00",
      "created_at": "2016-05-15T19:53:12.368652374-07:00",
      "updated_at": "2016-05-15T19:53:12.368652374-07:00"
    }
  • PUT /user

    Update a user (Requires authentication). Apart from changing email/password, this method can be used to set custom user data.

    {
      "email": "[email protected]",
      "password": "new-password",
      "data": {
        "key": "value",
        "number": 10,
        "admin": false
      }
    }

    Returns:

    {
      "id": "11111111-2222-3333-4444-5555555555555",
      "email": "[email protected]",
      "confirmation_sent_at": "2016-05-15T20:49:40.882805774-07:00",
      "created_at": "2016-05-15T19:53:12.368652374-07:00",
      "updated_at": "2016-05-15T19:53:12.368652374-07:00"
    }
  • POST /logout

    Logout a user (Requires authentication).

    This will revoke all refresh tokens for the user. Remember that the JWT tokens will still be valid for stateless auth until they expire.
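
The stateless check a service behind GoTrue performs on the bearer token, shown as an added example (not GoTrue's own code): it pins HS256, verifies the HMAC with JWT_SECRET, then enforces exp and JWT_AUD. Because nothing here consults the server, a token keeps passing after /logout until exp, which is why JWT_EXP should stay short. The function names, the sub value and the fixed clock are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var (
	ErrMalformed = errors.New("malformed token")
	ErrAlg       = errors.New("unexpected signing algorithm")
	ErrSignature = errors.New("signature mismatch")
	ErrExpired   = errors.New("token expired or missing exp")
	ErrAudience  = errors.New("audience mismatch")
)

// Claims are the registered claims this check relies on.
type Claims struct {
	Sub string          `json:"sub"`
	Aud json.RawMessage `json:"aud"` // a string or an array of strings (RFC 7519)
	Exp int64           `json:"exp"`
}

// decodePart base64url-decodes one token segment and parses it as JSON.
func decodePart(seg string, v interface{}) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil || json.Unmarshal(raw, v) != nil {
		return ErrMalformed
	}
	return nil
}

func hs256(signingInput string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

func audienceMatches(raw json.RawMessage, want string) bool {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return one == want
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		for _, a := range many {
			if a == want {
				return true
			}
		}
	}
	return false
}

// VerifyAccessToken (hypothetical name) validates a compact HS256 JWT.
func VerifyAccessToken(token string, secret []byte, wantAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := decodePart(parts[0], &hdr); err != nil {
		return nil, err
	}
	// Pin the algorithm: never let the token choose "none" or another scheme.
	if hdr.Alg != "HS256" {
		return nil, ErrAlg
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, ErrMalformed
	}
	// Constant-time comparison; claims are parsed only after the MAC checks out.
	if !hmac.Equal(sig, hs256(parts[0]+"."+parts[1], secret)) {
		return nil, ErrSignature
	}
	var c Claims
	if err := decodePart(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, ErrExpired
	}
	if !audienceMatches(c.Aud, wantAud) {
		return nil, ErrAudience
	}
	return &c, nil
}

// mintSample builds a constructed token for the demo and tests only.
func mintSample(header, payload string, secret []byte) string {
	in := base64.RawURLEncoding.EncodeToString([]byte(header)) + "." +
		base64.RawURLEncoding.EncodeToString([]byte(payload))
	return in + "." + base64.RawURLEncoding.EncodeToString(hs256(in, secret))
}

func main() {
	secret := []byte("supersecretvalue") // GOTRUE_JWT_SECRET from the sample config
	issued := time.Unix(1700000000, 0)   // constructed clock
	payload := fmt.Sprintf(`{"sub":"user-1","aud":"netlify","exp":%d}`, issued.Unix()+3600)
	tok := mintSample(`{"alg":"HS256","typ":"JWT"}`, payload, secret)
	for _, min := range []int{30, 61} {
		_, err := VerifyAccessToken(tok, secret, "netlify", issued.Add(time.Duration(min)*time.Minute))
		fmt.Printf("%d min after issue: err=%v\n", min, err)
	}
}
```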

TODO

  • Schema for custom user data in config file

gotrue's People

Contributors

0xflotus, bcomnes, biilmann, brycekahle, calavera, cassidoo, edevil, eliwilliamson, erezrokah, hubgit, hydroid7, imorente, ingride, jamiemagee, jolg42, keiko713, kitop, klavavej, leomp12, lexicondevil, lloydjatkinson, mheffner, mraerino, netlify-bot, netlify-team-account-1, paddyohanlon, rybit, vbrown608, verythorough, zshipko

gotrue's Issues

Create hidden instance admin per site

Create hidden instance admin per provisioned site in the API - Right now we use a global token. We should create a Netlify admin per service instance and prevent people from deleting them, via the UI and API.

Provide OpenAPI Docs (fka Swagger)

- Do you want to request a feature or report a bug?

Feature request

- What is my proposal?

I'd like to have an OpenAPI spec for this service. Have you ever considered this?
Dredd can be used for automatic tests of the docs against the codebase.

If you'd favor this, I'd offer to write the spec.


This may also concern stuff like #167 and #165

Reset password comes as a Mandrillapp tracking link with wrong path

- Do you want to request a feature or report a bug?
Bug

- What is the current behavior?
Reset password link is a Mandrill link, which in turn makes the reset password unsuccessful.
After tracking the link, the redirected path is wrong: example.com/#recovery_token=somenumbers
missing admin from the path.

- If the current behavior is a bug, please provide the steps to reproduce.
1.- create a netlifycms instance
2.- change to a theme that uses the simple Netlify Identity login (not the git identity)
3.- Create a user inside app.netlify.com
4.- Send password reset

- What is the expected behavior?
Link is a reset password

- Please mention your Go version, and operating system version.
OSX Sierra,
Go version unknown (command not found)

Missing deps on docker

- Do you want to request a feature or report a bug?
info

- What is the current behavior?
package github.com/mattn/anko/builtins: cannot find package "github.com/mattn/anko/builtins" in any of:
/usr/local/go/src/github.com/mattn/anko/builtins (from $GOROOT)
/go/src/github.com/mattn/anko/builtins (from $GOPATH)

- If the current behavior is a bug, please provide the steps to reproduce.
docker build .

- Please mention your Go version, and operating system version.
golang:1.9.2 Ubuntu 16.04.1 LTS

Allow a user to remain signed in on other devices?

- Do you want to request a feature or report a bug?

feature

- What is the current behavior?

When an authenticated user makes a request to /logout, all the refresh tokens for that user are deleted.

- What is the desired behavior?

When an authenticated user makes a request to /logout including a refresh token, delete only this refresh token, so the user can stay signed in on other devices.

Testing site

We should have a testing site, or a way to boot a site that uses GoTrue to validate that we don't break current features and new features work as expected.

Audit Log

Similar feature to what we have in Netlify. We need to track events in a new table and offer a UI for Netlify Site owners to see activity log. This is related to #124, because that table should also use JSON to better index arbitrary data.

Ability to invite a user

- Do you want to request a feature or report a bug?
feature

- What is the current behavior?
n/a

- What is the expected behavior?
When triggered one user (admin level) should be able to invite a new user. We would then send them an email with a signup link that would generate a JWT for them. It would be up to the client to then enforce things like setting up a password.

Delete a user - feature request

Dear Netlify team,
is there a way to delete a user account (by user itself or admin)?

If not, any ETA on this?

Thank you.

Provide method for our customer to discover the "signed-up-and-sent-confirmation-email" state for someone signing in through 3rd party provider in their site code.

- Do you want to request a feature or report a bug?

feature

- What is the current behavior?

*currently there is no way to programmatically tell after the signup widget has returned to the specified post-signup location, that there is a pending confirmation email, so the site code can prompt the site visitor to do something about it (e.g. go click a confirmation link)

- If the current behavior is a bug, please provide the steps to reproduce.

- What is the expected behavior?

*customers would like to see some status they can check easily via code that could run on their site + potentially a Lambda function call"

- Please mention your Go version, and operating system version.

netlify hosted gotrue for customer # 2 who uses it.

Postgres Support

- Do you want to request a feature or report a bug?

Feature request

- What is the current behavior?

The docs state only mysql to be supported

- What is the expected behavior?

I'd really like to have postgres support.
What are the steps to get there?
pop should support postgres right?

Retrieve user name and avatar from external providers

- Do you want to request a feature or report a bug?

This is an improvement to the external providers

- What is the current behavior?

Currently, we only retrieve the user email.

- What is the expected behavior?

We should also store user names and avatars from the providers that supply that information. We need to set that into the UserMetadata field.

We need to change this call to return a structure with all the information we need:

params.Email, err = provider.GetUserEmail(ctx, tok)

A more ideal structure would have the email and the metadata field:

type UserProvidedData struct {
  Email string
  Metadata map[string]string
}

- Please mention your Go version, and operating system version.

Document audience

It would be nice to document the audience parameter in more depth in order to communicate how multi-tenancy works.

Feature Request: Implicit Grant

Refresh tokens are not suitable for SPA. Is there a way to disable these or provide the ability to support the "Implicit Grant" flow only?

Feature Request: Please support goth auth providers

- Do you want to request a feature or report a bug?
Feature

- What is the current behavior?
Not supported

- If the current behavior is a bug, please provide the steps to reproduce.
N/A

- What is the expected behavior?
Support goth auth providers

- Please mention your Go version, and operating system version.
N/A

goth currently offers support to 40 different providers, instead of/in addition to writing providers individually i.e. bitbucket, github, gitlab, and google I highly recommend developing a "bridge" so any of the providers offered by goth can be used with gotrue.

I am starting to use gotrue in some projects and it would make things a lot easier/more flexible if goth's providers were available in gotrue.

Here is an integration example I found: https://github.com/kataras/iris/blob/fc2cc6048113f1eea8f82cd9b442c736f60ed48d/_examples/authentication/oauth2/main.go

Maybe it could be used as a starting point.

Thanks,

Seb

Tests do not allow parallel execution

- Do you want to request a feature or report a bug?
bug

- What is the current behavior?
Tests must be run in serial execution because they utilize the same database and tables.

- If the current behavior is a bug, please provide the steps to reproduce.
Run tests in parallel mode (without -p 1). You will get intermittent failures.

- What is the expected behavior?
Tests should be allowed to run in parallel. At a minimum each file should be able to run in parallel. Ideally each test case could too. See code in 1ee853c for some ideas.

External redirect path + base path

Related to: #102

ie, in general for the CMS, it would make sense that the base path is "/admin" and that all URLs are generated based on that (both redirects after a social login and URLs in emails for confirmation, remember me, etc)
if we had that, I would check the return_to URL in the request for an external provider and verify it like this:

  1. Is the domain/protocol the same as the SiteURL on file?
  2. Is the path a child of the base path
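
The two checks proposed in this issue, written out as an added example (not code from the issue or from GoTrue). ValidateReturnTo is a hypothetical name; the site URL is the one from the sample configuration, /admin is the base path the issue mentions, and evil.example is a constructed host. The path is compared after normalisation and on a segment boundary, so dot segments and look-alike prefixes such as /administrator do not pass.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var ErrReturnTo = errors.New("return_to rejected")

// ValidateReturnTo accepts returnTo only if it is an absolute URL on the
// same scheme and host as siteURL and its path is basePath or a child of it.
func ValidateReturnTo(siteURL, basePath, returnTo string) error {
	site, err := url.Parse(siteURL)
	if err != nil || site.Scheme == "" || site.Host == "" {
		return errors.New("site URL must be absolute")
	}
	// Browsers treat backslashes as slashes and strip tabs and newlines,
	// so a URL containing them can be read differently than it is parsed here.
	if strings.ContainsAny(returnTo, "\\\r\n\t") {
		return ErrReturnTo
	}
	target, err := url.Parse(returnTo)
	if err != nil || target.User != nil || target.Opaque != "" {
		return ErrReturnTo // unparseable, carries userinfo, or not hierarchical
	}
	// Check 1: same protocol and domain as the SiteURL on file.
	// url.Parse lowercases the scheme; host names compare case-insensitively.
	if target.Scheme != site.Scheme || !strings.EqualFold(target.Host, site.Host) {
		return ErrReturnTo
	}
	// Check 2: path is a child of the base path. url.Parse has already
	// percent-decoded Path, so %2e%2e is resolved by path.Clean as well.
	base := path.Clean("/" + basePath)
	clean := path.Clean("/" + target.Path)
	if base != "/" && clean != base && !strings.HasPrefix(clean, base+"/") {
		return ErrReturnTo
	}
	return nil
}

func main() {
	const site, base = "https://example.netlify.com/", "/admin"
	samples := []string{ // constructed inputs
		"https://example.netlify.com/admin/#/collections/posts",
		"https://example.netlify.com/administrator",
		"https://example.netlify.com/admin/../settings",
		"https://example.netlify.com@evil.example/admin/",
		"//evil.example/admin/",
	}
	for _, s := range samples {
		fmt.Printf("%-55s ok=%v\n", s, ValidateReturnTo(site, base, s) == nil)
	}
}
```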

Add Google as an external provider

- Do you want to request a feature or report a bug?

This is an addition to the list of supported providers

- What is the current behavior?

We only support GitHub, GitLab and Bitbucket as providers.

- What is the expected behavior?

We should also support Google to expand the user base to non developer centric providers.

Delete user metadata

This may be a feature request, if it doesn't already exist. How do I delete arbitrary user data that I've previously attached? I can overwrite it by submitting new data with matching keys, but submitting the value as undefined (similar to React state's method) didn't do anything and by design empty keys don't do anything.

Disable username/password auth

- Do you want to request a feature or report a bug?

This is a feature request.

- What is the current behavior?

Currently, signing up with username and password cannot be disabled, even if you don't want to offer that functionality.

- What is the expected behavior?

The more I think about this, the more I believe that having two separated auth methods, external and internal, was a mistake. We should keep one single list of enabled auth methods and let instance admins manage them as they wish. All auth methods should expose a common interface to handle signup and login and deal internally with their own logic.

using Netlify ID, Can't login

- Do you want to request a feature or report a bug?
Bug

- What is the current behavior?
Can't login using netlify ID

- If the current behavior is a bug, please provide the steps to reproduce.
Inside app.netlify, go to Identity tab
Go to /admin to login
Try to log in using Netlify ID
Get error message
Related to #113
Note: I signed up using Github, and noticed my Netlify account didn't have a password assigned.

- What is the expected behavior?
Login with Netlify ID works

- Please mention your Go version, and operating system version.
OSX Sierra

`team` category of log actions doesn't match the context

Audit log actions are categorized into four categories: account, team, token, and user (code here)

Because users might fill all sorts of roles, team is confusing, especially considering that this library is also used in the Netlify UI, and in that context, "Team" refers to a completely different group of users.

The team category refers to changes in the user list, so I suggest list, user_list, or maybe membership.

Readme endpoints appear to be incorrect

The endpoints that pertain to administrating users appear to be incorrect. The readme lists things like editing a user's data as PUT /user, but I had to send requests to PUT /admin/users to make things work.

External vendors for transactional emailing

- Do you want to request a feature or report a bug?
feature

- What is the current behavior?
Sending emails requires an email account / server but I would like to use an external vendor like mailgun, mandrill, (...) that provide a REST API to do the transactional emailing.

- What is the expected behavior?
Instead of defining the host, port, user, pass (...) parameters, a simple webhook / post request would fill my requirements that another small service could do the work.

Maybe there are other options that I'm currently not aware of ;)

Add pagination and sorting as parameters to the admin user list API

- Do you want to request a feature or report a bug?

This is an improvement for the /admin/users endpoint

- What is the current behavior?

When you send a request to the endpoint, you get the list of all users back.

- What is the expected behavior?

We should be able to paginate the list and optionally sort it by creation date, ascending or descending.

Use mail templates hosted on site instead of via configuration

- Do you want to request a feature or report a bug?
feature

- What is the current behavior?
Mail template content is provided via configuration (file/env).

- What is the expected behavior?
Mail templates are fetched from the site. The URL folder to use in combination with the site_url is provided via configuration, with a good default.

ability to control registration style

- Do you want to request a feature or report a bug?
Feature

- What is the current behavior?
n/a

- What is the expected behavior?
The ability to set registration to be

  • open - anyone can signup
  • request - you can ask to signup
  • invite only - only private links

.netlify/identity/settings returns a 404

For some sites (I can't find a way to replicate this, or any correlation between sites it happens on), .netlify/identity/settings returns {code":404,"msg":"Unable to locate site configuration"} instead of the identity settings that are supposed to be loaded. Deleting the identity instance and enabling it again does not reliably make the problem go away, however the problem can go away eventually. I just don't know what causes it or what fixes it. @bcomnes has experienced this, and a user also reported it:

https://app.intercom.io/a/apps/q245f50x/respond/inbox/1479299/conversations/12840437723

In that case above, the issue was no longer evident the next day, and there were no changes made to the site.

[FEATURE] Admin API

- Do you want to request a feature or report a bug?

This is a new feature.

- What is the current behavior?

There is no automatic way to manage users, tokens and roles.

- What is the expected behavior?

We want to have an API for machine users to manage users, tokens, roles and audiences.

This API should be able to:

  • Create users for a given audience with a given role.
  • Remove users from an audience.
  • Modify a user's role in an audience.
  • List users per audience.

Only machine users with a global "superadmin"(or something similar) role should be able to access this api.

create a FAQ

- Do you want to request a feature or report a bug?

feature

- What is the current behavior?

using this code directly is nonintuitive to use for folks doing their own implementation.

- If the current behavior is a bug, please provide the steps to reproduce.

- What is the expected behavior?

it would be great if we had some best practices and gotchas listed here. Gerald knows :allthethings:

- Please mention your Go version, and operating system version.

add facebook login

- Do you want to request a feature or report a bug?

feature

- What is the current behavior?

login providers limited to google + git providers

- If the current behavior is a bug, please provide the steps to reproduce.

- What is the expected behavior?

login providers includes facebook

- Please mention your Go version, and operating system version.

n/a

Twitter and Facebook auth providers

Support Twitter and Facebook as auth providers - Facebook is already implemented and Twitter should be trivial, but we need to put them both in production and test that they work. They should also be added to the checkbox selection in Netlify’s UI.

cannot use pageParams.Offset() (type uint64) storage/sql/storage.go:115:35

- Do you want to request a feature or report a bug?
Bug

- What is the current behavior?

When running go run main.go:

I'm getting the following error:

dev@DevX:[~/go/src/bitbucket.org/project/micro/auth/vendor/github.com/netlify/gotrue]: go run main.go 
# bitbucket.org/project/micro/auth/vendor/github.com/netlify/gotrue/storage/sql
storage/sql/storage.go:115:35: cannot use pageParams.Offset() (type uint64) as type int in argument to q.Offset
storage/sql/storage.go:115:55: cannot use pageParams.PerPage (type uint64) as type int in argument to q.Offset(pageParams.Offset()).Limit

- If the current behavior is a bug, please provide the steps to reproduce.

  • cd into my-path-to/github.com/netlify/gotrue
  • go run main.go

- What is the expected behavior?
Microservice should start

- Please mention your Go version, and operating system version.
Go 1.9, Ubuntu 16.04

Thanks

[FEATURE] Authentication providers

- Do you want to request a feature or report a bug?

This is a new feature.

- What is the current behavior?

Currently, Gotrue only allows people to signup/login via email / password.

- What is the expected behavior?

We should allow people to configure Gotrue with several authentication providers, like GitHub, GitLab and Bitbucket.

This should be configured globally, and it's probably related to #16.

Incorrect info in the readme

Hello!

I didn't submit a PR for this in case I'm misunderstanding the docs. I'd link to the section but it doesn't have anchors :(

In PUT /user, the sample implies that to update a user with arbitrary data, one must set the data value. This is how gotrue-js works, which makes sense.

That is, submit something like this:

{
  data: {
    "foo": "bar"
  }
}

However, I found that to do this I actually needed to use user_metadata, like this:

{
  user_metadata: {
    "foo": "bar"
  }
}

Is this intentional, or should the documentation be updated?

Redirect back to originating sign in origin

- Do you want to request a feature or report a bug?

bug

- What is the current behavior?

Once git-gateway is successfully set up on a site using Identity, it seems to block login via google

- If the current behavior is a bug, please provide the steps to reproduce.

  • setup git-gateway as a backend for netlify CMS
  • observe that email login still works
  • observe that previously working github login doesn't work (nor does google)

- What is the expected behavior?

  • all account types could work for login

- Please mention your Go version, and operating system version.

Netlify's built-in identity service. More details for the Netlify team in https://app.intercom.io/a/apps/q245f50x/respond/inbox/conversation/11684625129

Make email confirmation flow optional

We need to make email confirmation optional.

The ideal way is to have a way to identify that a user hasn't verified their email yet, and then just have the confirmation mail as a verification step.

We can then make it a setting whether having a verified email is required or not.

cannot use r (type *router) as type "context".Context in argument to chi.ServerBaseContext

- Do you want to request a feature or report a bug?
bug

- What is the current behavior?
Unable to go get

- If the current behavior is a bug, please provide the steps to reproduce.

dev@DevX:[~/go/src/bitbucket.org/project/micro/auth]: go get -u github.com/netlify/gotrue
# github.com/netlify/gocommerce/api
../../../../github.com/netlify/gocommerce/api/api.go:145: cannot use r (type *router) as type "context".Context in argument to chi.ServerBaseContext:
	*router does not implement "context".Context (missing Deadline method)
../../../../github.com/netlify/gocommerce/api/api.go:145: cannot use ctx (type "context".Context) as type http.Handler in argument to chi.ServerBaseContext:
	"context".Context does not implement http.Handler (missing ServeHTTP method)

- What is the expected behavior?
Should be able to install using go get

- Please mention your Go version, and operating system version.

  • go version go1.8.3 linux/amd64
  • ubuntu 16.04

Thanks

Mailer settings cannot be rolled back after setting

- Do you want to request a feature or report a bug?

This is a bug.

- What is the current behavior?

After setting subjects or templates, there is no way to unset them.

- If the current behavior is a bug, please provide the steps to reproduce.

  1. Create an instance with mailer settings
  2. Try unsetting one of the subjects to use the default.

- What is the expected behavior?

We should remove the setting and use the default values.

Password recovery does not confirm email

- Do you want to request a feature or report a bug?
Bug
- What is the current behavior?
Added email manually, I even clicked the reset password from my email, got the "Email not confirmed" message
- If the current behavior is a bug, please provide the steps to reproduce.
Reset password,
Update password
Login
Logout
Login
Enter credentials

- What is the expected behavior?
Mail works
- Please mention your Go version, and operating system version.
OSX Sierra

Make golint pass and enable it in Travis to ensure the code remains consistent

- Do you want to request a feature or report a bug?

This is an enhancement to improve code quality.

- What is the current behavior?

Right now we're ignoring Go's linter rules.

- What is the expected behavior?

We should make sure the project passes the linter rules and enable make lint in Travis.

- Please mention your Go version, and operating system version.

Go 1.8 and up.
