Refactor: updated frontend auth to use cookies instead of localhost (#569)

* add 2024 sponsor logos

* add tailwind prettier plugin

* update eslint-plugin-prettier to compatible version

* format and lint code

* update eslint config

* feat: add 2024 sponsor logos (#488)

* remove grouped tailwind psuedo-classes

* refactor(frontend): remove MUI theme and CSS baseline

* format tailwind classes

* set prettier config options

* format according to prettier config

* format tw macros via Tailwind functions config

* AdminSideBar styles and width state rewritten

* feat(AdminSidebar): migrate admin sidebar from MUI to Radix UI Primitives

* feat(CampaignCreationPreview): migrate from MUI and remove bad CampaignForm preview

* feat(AdminSidebar): add borders between organisations

* refactor(BackgroundWrapper): delete unused component

* feat(ApplicationPreviewer): migrate ApplicationPreviewer away from MUI

* feat(CreateOrganisationForm): rewrite components using Tailwind

* feat(Dropdown): remove unused imports

* more migration

* feat(frontend): update login/signup buttons to Coming Soon (#499)

* feat(Signup): migrate to twin

* feat(frontend): Update ESLint and Prettier config (#490)

* add 2024 sponsor logos

* add tailwind prettier plugin

* update eslint-plugin-prettier to compatible version

* format and lint code

* update eslint config

* remove grouped tailwind psuedo-classes

* format tailwind classes

* set prettier config options

* format according to prettier config

* format tw macros via Tailwind functions config

* email sending

* fix "recipient" spelling

* cargo fmt

* fix errors with `template_subject` introduction

* cargo clippy fixes

* application role preferences and updating applied roles

* lock out user from application changes after submission

* lock application after submission and campaign close date

* fix uses of `LEFT JOIN` when `JOIN` was needed

* make unsubmitted application viewable after campaign end

* only submitted applications are viewable by reviewers

* added `Answer`-related schemas to api.yaml

* register new `ApplicationHandler` endpoints in app

* completed up to /organisation/slug_check

* `NewCampaign` model for campaign create request body

* block applications for ended campaigns

* `NewEmailTemplate` model for template request body

* fix `assert_campaign_is_open()` naming

* api.yaml up to `/organisation/{id}/logo`

* update `api.json` up to `/organisation/{id}/logo`

* rerouted application page to new backend and made prop error fixes for CampaignCard related components

* rerouted application page to new backend

* fixed all initial errors

* fixed all initial errors

* Move some `Rating` handler fn to `ApplicationHandler`

* update `api.json` up to `/rating/{id}`

* saving for now

* created user context

* created user context + preparing for work division

* feat: implemented cookie wrapped auth token

* fix: SQL sub query alias

* saving prompt updates

* more prompts

* fixed merge

* login working

* only comming fe changes

* saving state for now

* idk why this didnt merge

* idk why this didnt merge either

* got dashboard working kind of lol

* fixed frontend admin org route

* fixed frontend admin org route

* fixed readme conflict

---------

Co-authored-by: Josh <joshconstantinelim@gmail.com>
Co-authored-by: Kavika <kbpalletenne@gmail.com>
Co-authored-by: Alex_Miao_WSL <yuan_sen.miao@student.unsw.edu.au>
Co-authored-by: Kavika <kavika.palletenne@devsoc.app>

Author: 4 people

backend/.gitignore

@@ -3,4 +3,5 @@ target
 Cargo.lock
 prisma-cli/prisma/migrations
 /.idea
-**/.DS_Store
+**/.DS_Store
+.env.*

backend/README.md

@@ -61,4 +61,4 @@ Request -> Middleware (optional) -> Handler -> Service -> Middleware (Optional)
 - JWT
 
 ### Storage
-- Object storage
+- Object storage

backend/migrations/20240406023149_create_users.sql

@@ -14,4 +14,8 @@ CREATE TABLE users (
     updated_at TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP
 );
 
+-- Seed initial superuser
+INSERT INTO users (id, email, name, role)
+VALUES (10000, 'chaosdirectors@devsoc.app', 'Super Admin', 'SuperUser');
+
 CREATE UNIQUE INDEX IDX_users_email_lower on users((lower(email)));

backend/server/src/handler/auth.rs

@@ -11,11 +11,52 @@ use crate::service::auth::create_or_get_user_id;
 use crate::service::jwt::encode_auth_token;
 use axum::extract::{Query, State};
 use axum_extra::extract::cookie::{Cookie, CookieJar, Expiration};
-use axum::response::IntoResponse;
+use axum::response::{IntoResponse, Redirect};
 use oauth2::reqwest::async_http_client;
-use oauth2::{AuthorizationCode, TokenResponse};
+use oauth2::{AuthorizationCode, TokenResponse, Scope};
 use time::OffsetDateTime;
 
+/// Handles the Google OAuth2 callback.
+/// 
+/// This handler processes the OAuth2 code received from Google after user authorization.
+/// It exchanges the code for an access token, retrieves the user's profile information,
+/// creates or retrieves the user in the database, and generates a JWT token for authentication.
+/// 
+/// # Arguments
+/// 
+/// * `state` - The application state
+/// * `query` - The OAuth2 callback query parameters containing the authorization code
+/// * `oauth_client` - The OAuth2 client for Google authentication
+/// 
+/// # Returns
+/// 
+/// * `Result<impl IntoResponse, ChaosError>` - JWT token or error
+/// 
+/// Initiates the Google OAuth2 flow.
+/// 
+/// This handler redirects users to Google's OAuth2 authorization URL to begin
+/// the authentication process.
+/// 
+/// # Arguments
+/// 
+/// * `state` - The application state containing the OAuth2 client
+/// 
+/// # Returns
+/// 
+/// * `Result<impl IntoResponse, ChaosError>` - Redirect to Google OAuth or error
+pub async fn google_auth_init(
+    State(state): State<AppState>,
+) -> Result<impl IntoResponse, ChaosError> {
+    let (auth_url, _csrf_token) = state.oauth2_client
+        .authorize_url(|| oauth2::CsrfToken::new_random())
+        .add_scope(Scope::new("openid".to_string()))
+        .add_scope(Scope::new("email".to_string()))
+        .add_scope(Scope::new("profile".to_string()))
+        .url();
+
+    Ok(Redirect::to(auth_url.as_str()))
+}
+
 /// Handles the Google OAuth2 callback.
 /// 
 /// This handler processes the OAuth2 code received from Google after user authorization.
@@ -75,8 +116,16 @@ pub async fn google_callback(
         .expires(Expiration::DateTime(OffsetDateTime::now_utc() + time::Duration::days(5))) // Set an expiration time of 5 days, TODO: read from env?
         .secure(!state.is_dev_env)     // Send only over HTTPS, comment out for testing
         .path("/");       // Available for all paths
-    // Add the cookie to the response
-    Ok(jar.add(cookie))
+    
+    // Redirect to the frontend dashboard after successful authentication
+    let redirect_url = if state.is_dev_env {
+        "http://localhost:3000/dashboard"
+    } else {
+        "/dashboard" // In production, this would be the full URL
+    };
+    
+    // Add the cookie and redirect
+    Ok((jar.add(cookie), Redirect::to(redirect_url)))
 }
 
 pub struct DevLoginHandler;
@@ -104,8 +153,12 @@ impl DevLoginHandler {
             .http_only(true) // Prevent JavaScript access
             .expires(Expiration::DateTime(OffsetDateTime::now_utc() + time::Duration::days(5))) // Set an expiration time of 5 days, TODO: read from env?
             .path("/");       // Available for all paths
-        // Add the cookie to the response
-        Ok(jar.add(cookie))
+        
+        // Redirect to the frontend dashboard after successful authentication
+        let redirect_url = "http://localhost:3000/dashboard";
+        
+        // Add the cookie and redirect
+        Ok((jar.add(cookie), Redirect::to(redirect_url)))
     }
 
     pub async fn dev_org_admin_login(
@@ -130,8 +183,12 @@ impl DevLoginHandler {
             .http_only(true) // Prevent JavaScript access
             .expires(Expiration::DateTime(OffsetDateTime::now_utc() + time::Duration::days(5))) // Set an expiration time of 5 days, TODO: read from env?
             .path("/");       // Available for all paths
-        // Add the cookie to the response
-        Ok(jar.add(cookie))
+        
+        // Redirect to the frontend dashboard after successful authentication
+        let redirect_url = "http://localhost:3000/dashboard";
+        
+        // Add the cookie and redirect
+        Ok((jar.add(cookie), Redirect::to(redirect_url)))
     }
 
     pub async fn dev_user_login(
@@ -156,7 +213,11 @@ impl DevLoginHandler {
             .http_only(true) // Prevent JavaScript access
             .expires(Expiration::DateTime(OffsetDateTime::now_utc() + time::Duration::days(5))) // Set an expiration time of 5 days, TODO: read from env?
             .path("/");       // Available for all paths
-        // Add the cookie to the response
-        Ok(jar.add(cookie))
+        
+        // Redirect to the frontend dashboard after successful authentication
+        let redirect_url = "http://localhost:3000/dashboard";
+        
+        // Add the cookie and redirect
+        Ok((jar.add(cookie), Redirect::to(redirect_url)))
     }
 }

backend/server/src/main.rs

@@ -10,8 +10,8 @@ async fn main() -> Result<(), ChaosError> {
     dotenvy::dotenv()?;
 
     let app = app().await?;
-    let listener = tokio::net::TcpListener::bind("0.0.0.0:3000").await.unwrap();
+    let listener = tokio::net::TcpListener::bind("0.0.0.0:8080").await.unwrap();
     axum::serve(listener, app).await.unwrap();
 
     Ok(())
-}
+}

backend/server/src/models/app.rs

@@ -1,6 +1,6 @@
 use crate::handler::answer::AnswerHandler;
 use crate::handler::application::ApplicationHandler;
-use crate::handler::auth::{google_callback, DevLoginHandler};
+use crate::handler::auth::{google_callback, google_auth_init, DevLoginHandler};
 use crate::handler::campaign::CampaignHandler;
 use crate::handler::email_template::EmailTemplateHandler;
 use crate::handler::offer::OfferHandler;
@@ -123,6 +123,7 @@ pub async fn app() -> Result<Router, ChaosError> {
         .allow_credentials(true)
         .allow_origin([
             "http://localhost".parse().unwrap(),
+            "http://localhost:3000".parse().unwrap(),
             "https://chaos.devsoc.app".parse().unwrap(),
             "http://chaos.devsoc.app".parse().unwrap(),
             "https://chaosstaging.devsoc.app".parse().unwrap(),
@@ -131,6 +132,7 @@ pub async fn app() -> Result<Router, ChaosError> {
 
     Ok(Router::new()
         .route("/", get(|| async { "Join DevSoc! https://devsoc.app/" }))
+        .route("/auth/google", get(google_auth_init))
         .route("/api/auth/callback/google", get(google_callback))
         .route("/api/v1/dev/super_admin_login", get(DevLoginHandler::dev_super_admin_login))
         .route("/api/v1/dev/org_admin_login", get(DevLoginHandler::dev_org_admin_login))

backend/server/src/service/auth.rs

@@ -109,15 +109,28 @@ pub async fn extract_user_id_from_request(
 ) -> Result<i64, ChaosError> {
     let decoding_key = &state.decoding_key;
     let jwt_validator = &state.jwt_validator;
+    
+    
     let TypedHeader(cookies) = parts
         .extract::<TypedHeader<Cookie>>()
         .await
-        .map_err(|_| ChaosError::NotLoggedIn)?;
+        .map_err(|e| {
+            ChaosError::NotLoggedIn
+        })?;
 
-    let token = cookies.get("auth_token").ok_or(ChaosError::NotLoggedIn)?;
+    
+
+    let token = cookies.get("auth_token").ok_or_else(|| {
+        ChaosError::NotLoggedIn
+    })?;
+
+    
 
     let claims =
-        decode_auth_token(token, decoding_key, jwt_validator).ok_or(ChaosError::NotLoggedIn)?;
+        decode_auth_token(token, decoding_key, jwt_validator).ok_or_else(|| {
+            ChaosError::NotLoggedIn
+        })?;
 
+    
     Ok(claims.sub)
 }

frontend/.env.development

@@ -1,3 +1,3 @@
-VITE_OAUTH_CALLBACK_URL=https://accounts.google.com/o/oauth2/v2/auth?client_id=985448402284-al4vuqpokkhgv6h952lhu6iasg1lupug.apps.googleusercontent.com&redirect_uri=http://localhost:3000/auth/callback&response_type=code&scope=profile email&access_type=online
-VITE_API_BASE_URL=http://localhost:8000
+VITE_OAUTH_CALLBACK_URL=https://accounts.google.com/o/oauth2/v2/auth?client_id=731862014126-5b109p4v6b173910ib347gtfn0ecnacj.apps.googleusercontent.com&redirect_uri=http://localhost:8080/api/auth/callback/google&response_type=code&scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile&access_type=offline
+VITE_API_BASE_URL=http://localhost:8080
 BROWSER=none

frontend/.eslintrc.json

@@ -25,7 +25,7 @@
   "parserOptions": {
     "ecmaVersion": 12,
     "sourceType": "module",
-    "project": "./tsconfig.json"
+    "project": "./frontend/tsconfig.json"
   },
   "plugins": ["react", "prettier"],
   "rules": {

frontend/.gitignore

@@ -23,3 +23,6 @@
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
+
+.env.development
+.env