Skip to content

Blockstack as decentralised auth provider for Rocket.Chat#10462

Closed
timkinnane wants to merge 63 commits intoRocketChat:developfrom
Amazebot:master
Closed

Blockstack as decentralised auth provider for Rocket.Chat#10462
timkinnane wants to merge 63 commits intoRocketChat:developfrom
Amazebot:master

Conversation

@timkinnane
Copy link
Contributor

@timkinnane timkinnane commented Apr 16, 2018

The issues below outline current blockers, gotchas and todos related to merging my “Blockparty” fork of Rocket.Chat back inline with the core project.

Most of the diffs will come from packages/rocketchat-blockstack - with a handful of UX and logic changes made in other places.

Before you begin, the only feasible way to work on this project is to first register and download the Blockstack app.

Also, be sure to reference the blockstack.js documentation.

Versions out of sync

My last merge while the project was in active development was 0.62.0-rc.2.

I haven’t had time to work on the project lately, so the first task would be addressing any merge conflicts with current development branch.

Custom auth process

The Blockstack auth process requires some specifics that are unique from standard Oauth. I’ve completed the process in this fork by adding Meteor accounts handlers, which are similar in ways to the oauth providers, but have some key differences:

  • Auth requests are made to the local desktop app
  • It will not currently work in native apps, due to the requirement of the companion app
  • The server must provide a manifest.json - this is generated with the instance’s details
  • Response includes a unique structure for user token and meta
  • Blockstack user data does not contain email, I've used their ID @ blockstack.email as a stop-gap

I intend to publish a meteor package that consolidates these changes to be consumable by any Meteor app, but they should be acceptable in the meantime as is.

Admin / Service Settings

A number of admin settings are added for the package behaviour and auth request details.

The following are loaded through admin entered settings or manually populated defaults and provided as service configs through Meteor accounts helpers.

  • enable - I think is currently ignored, was intended as a toggle to disable the auth method
  • loginStyle - Also incomplete, would have allowed auth requests through a popup
  • generateUsername - If true, would suggest a username by converting first/last name, not ideal for privacy focused community
  • manifestURI - The location of the instance manifest
  • redirectURI - The location to redirect to for authentication
  • authDescription - Description provided in auth request screen within Blockstack

Server side routes

I added the Picker package to generate the manifest from current admin settings.

It also adds the instance’s icon file to auth requests displayed in the Blockstack app.

Avatars

Avatars are loaded directly from Blockstack.org. This included merging some work in progress from an existing Rocket.Chat branch to allow auth providers as an avatar source. The image is provided as stream, not a standard URI.

These changes might not comply with core methods without some tweaking.

The no email thing

Because Blockstack accounts do not contain an email address, yet Rocket.Chat fundamentally requires one, I've found a workaround by populating the email field with their ID @ blockstack.email.

I also modified the profile page to include some descriptive text to that effect. I think it's important to communicate what's going on here, or new users will be very confused about the format and requirements.

No other auth providers

I've customised login screens to remove other auth providers, including some hacks to disable password logins by default. The whole point of Blockstack is to decentralise a user's account and let them alone be the sole issuer.

To provide side-by-side auth from centralised providers, or even to keep their pass credentials on the server, goes against the primary principle of a decentralised app. If this is brought into core, that concern must be addressed with some considered configuration and UX changes.

I've added a user/pass login method as a subtle toggle that would only be used for admins or account recovery if some fault occurred with Blockstack authentication.

Settings defaults

Certain related settings should be forced if Blockstack auth is enabled.

  • Force SSL: true
  • Allow Users to Delete Own Account: true
  • Require Name for Signup: false

Any recent advances to OTR or E2E encryption should also be bundled with this release, as they would be highly value valued by the Blockstack community.

Verify tokens and whitelist fields

My project was an MVP. The auth process has lots of room for improvement and the Blockstack API has also improved recently.

Please investigate what more can be done to improve the security of token handling on returned requests, such as using the Blockstack API to verify tokens and the Meteor accounts methods to whitelist only the specific fields from the returned user data that are necessary.

e.g. see rocketchat-lib/server/oath/google.js

Added dependencies

Rocket.Chat required meteor-node-stubs package to support the crypto module in client. I think this is because the Node library bundled with Meteor/Rocket.Chat does not contain the full set up Node utilities, such as crypto.

There may be a lighter work around for this issue, such as explicitly building Node with the crypto module, instead of adding the entire meteor-node-stubs package.

Questions for Blockstack

In order to merge and create a community for Blockstack within Rocket.Chat, we need to establish some objectives with their input.

  • Can Blockstack assign resources (at least a direct contact), with the intention of overcoming current challenges of merging the Blockparty fork with Rocket.Chat core
  • Will Rocket.Chat Cloud provide and manage the infrastructure and what level of service do they require
  • Will the platform continue under the Blockparty identity, as a distinct product / app on their homescreen, or exist simply as the Blockstack community chat (similar to existing forums)
  • What is the timeline for the community migration
  • What’s the expected size and frequency of use for the larger community
  • Will a dedicated resource be required to manage the community, support contributions and collaborative development

geekgonecrazy and others added 30 commits December 7, 2017 20:46
@geekgonecrazy
add avatarUrl to /api/v1/me
d6a0db4
@geekgonecrazy
Allow custom oauth to define avatar field on service response
d326ac0
@geekgonecrazy
fix eslint issues
5d779bb
@geekgonecrazy
add object shorthand to satisfy eslint
bda7f50
@geekgonecrazy
Merge branch 'develop' into new/add-avatar-support-custom-oauth
ff901d8
@geekgonecrazy
Fix lint issue caused by using github to merge conflict :)
9d00e69
@geekgonecrazy
Merge branch 'develop' into new/add-avatar-support-custom-oauth
ddbe7a2
@geekgonecrazy
support avatarField with subproperties
42cadef
@geekgonecrazy
Merge branch 'develop' into new/add-avatar-support-custom-oauth
26d58ca
chore(git): Add Commitizen for standard commits and changelogs
2da343d
chore(blockstack): Add Blockstack node dependency
b998736
chore(npm): Dev script for use of persistent local mongo DB
0b5794e
build(packages): Add Blockstack (manifest only)
bd38bb1
refactor(login): Add Blockstack and deps, as only auth provider
a0b3e94 
WIP: Have added stub classes and login elements without functionality

BREAKING CHANGE: No other login or auth provider will function on this branch from now on.
feat(auth): Add Blockstack auth methods (incomplete)
6130120 
Redirects and request generation are triggered, but response not yet handled.
fix(auth): Login response passed to server (incomplete)
afbdcd0 
Now successfully processing auth request and getting user data back to server, just need to wire up
user login methods.
fix(auth): Login response processing successful (incomplete)
0587ae7 
Can log users in, but not out. Not much catching or logging.
fix(auth): Response handles user without issue and set proper resume …
764ef20 
…token.
docs(readme): Replace Rocket.Chat info with this forks details
5bace16
Merge branch 'master' into feature/blockstack_auth
c0efdc2 
# Conflicts:
#	README.md
#	package-lock.json
#	package.json
feat(auth): Generate Blockstack manifest dynamically
a78f955 
Allows deploying to production, will write manifest attributes on request from settings and
environment.
ci(Heroku): Overwrite default app configs
536334d
fix(blockstack): Remove auth path overlap
0edebc7
fix(blockstack): Force localhost auth usage
3781cf7
fix(temp): Use standard redirect in _blank
3410fbd
feat(logs): Verbose debugs and erros to debug auth
6dc693f
feat(blockstack): Allow disabling, revert login options
b45d4f5
fix(blockstack): Restore data on redirect
be1a370
fix(blockstack): Request user data if not in local storage
d28f1c7
fix(blockstack): Remove non-functional attempts to get profile
f99fa56
Tim Kinnane and others added 24 commits February 8, 2018 18:28
Revert "fix(account): Allow profile view without email"
2d7c5da 
This reverts commit c2cd7ce.
fix(blockstack): Tweaks to auth process
4aef9a6
revert(blockstack): Restore manual redirect
b04790d
build(heroku): Raise boot timeout
0f9cec0
revert(blockstack): Restore forced Blockstack host
a8fd396 
Encountered bugs using the autoredirect, which would lose the manifest settings when it came through to Blockstack
refactor(blockstack): Update package to match editor config
fa30170
fix(blockstack): Auth middleware cannot call next
d1f698c 
Throws errors using next() because headers already sent.
@timkinnane
Merge branch 'upstream'
8d9a8c7
@timkinnane
feat(theme): Update login and docs for GH page
430034f
@timkinnane
Set theme jekyll-theme-slate
104e69c
@timkinnane
fix(mobile): Use blockstack.org for mobile auth
23c4a27 
Added Cordova app links to Readme
@timkinnane
docs(readme): Update temp note on mobile apps
46700aa
@timkinnane
Merge branch 'upstream/master'
6ad3b64
@timkinnane
Merge branch 'feature/avatar-support-auth-service' into develop
f1fc359
@timkinnane
feat(avatar): Add blockstack as avatar service
4add601
@timkinnane
fix(docs): Update with current state
bd40264
@timkinnane
fix(docs): GH pages link
c642ad3
@timkinnane
docs(readme): Clarify mobile issues
bd4e511
@timkinnane
docs(readme): Add link re in-app auth support
c59e96d
@timkinnane
fix(auth): Revert to auto protocol detection
583c90e
@timkinnane
fix(users): Remove unique index on user emails (attempt)
ea59813 
Also reverted the manual auth redirect handling, just to keep things simple.

BREAKING CHANGE: Users can be added with the same empty email, but the unique index check is
re-applied on boot preventing startup. Needs resolution with RC team.
@timkinnane
fix(accounts): Replace empty email with generic ID based placeholder
86871be
@timkinnane
docs(profile): Add inline descriptions of email placeholder in profil…
3ab56b9 
…e view
@timkinnane
fix(login): Put Blockstack service config in reactive data
6665a29 
Found that service config was not always available in login template on render, moved to Template.currentdata() which is reactive and will update when the config query is returned.
@theorenck theorenck added this to the 0.65.0 milestone Apr 16, 2018
@theorenck theorenck modified the milestones: 0.65.0, Short-term Jul 31, 2018
@rodrigok rodrigok mentioned this pull request Sep 13, 2018
Merged
@theorenck theorenck removed this from the Short-term milestone Dec 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@timkinnane @theorenck @geekgonecrazy

Comments