Add Discord login #106

bvisness · 2023-05-05T03:22:44Z

bvisness commented

2023-05-05 03:22:44 +00:00

This leverages our existing Discord OAuth implementation. Any users with a linked Discord account will be able to log in immediately. When logging in, we request the email scope in addition to identity, so existing users will be prompted one time to accept the new permissions. On subsequent logins, Discord will skip the prompt.

When linking your Discord account to an existing HMN account, we continue to only request the identity scope, so we do not receive the user's Discord email.

Both login and linking go through the same Discord OAuth callback. All flows through the callback try to achieve the same end goal: a logged-in HMN user with a linked Discord account.

Linking works the same as it ever has. Login, however, is different because we do not have a session ID to use as the OAuth state. To account for this, I have added a pending_login table that stores a secure unique ID and the eventual destination URL. These pending logins expire after 10 minutes. When we receive the OAuth callback, we look up the pending login by the OAuth state and immediately delete it. The destination URL will be used to redirect the user to the right place.

If we have a discord_user entry for the OAuth'd Discord user, we immediately log the user into the associated HMN account. This is the typical login case. If we do not have a discord_user, but there is exactly one HMN user with the same email address as the Discord user, we will link the two accounts and log into the HMN account.

(It is possible for multiple HMN accounts to have the same email, because we don't have a uniqueness constraint there. We fail the login in this case rather than link to the wrong account.)

Finally, if no associated HMN user exists, a new one will be created. It will use the Discord user's username, email, and avatar. This user will have no password, but they can set or reset a password through the usual flows. Right now it also disables the showcase integration; I figured that automatically sharing showcase stuff publicly might be an unwelcome surprise. I don't really like that decision since I think it will probably cause confusion when people try to use tags in showcase...we'll have to discuss whether we can leave this setting on by default or in some other way help people find it.

This leverages our existing Discord OAuth implementation. Any users with a linked Discord account will be able to log in immediately. When logging in, we request the `email` scope in addition to `identity`, so existing users will be prompted one time to accept the new permissions. On subsequent logins, Discord will skip the prompt. When linking your Discord account to an existing HMN account, we continue to only request the `identity` scope, so we do not receive the user's Discord email. Both login and linking go through the same Discord OAuth callback. All flows through the callback try to achieve the same end goal: a logged-in HMN user with a linked Discord account. Linking works the same as it ever has. Login, however, is different because we do not have a session ID to use as the OAuth state. To account for this, I have added a `pending_login` table that stores a secure unique ID and the eventual destination URL. These pending logins expire after 10 minutes. When we receive the OAuth callback, we look up the pending login by the OAuth `state` and immediately delete it. The destination URL will be used to redirect the user to the right place. If we have a `discord_user` entry for the OAuth'd Discord user, we immediately log the user into the associated HMN account. This is the typical login case. If we do not have a `discord_user`, but there is exactly one HMN user with the same email address as the Discord user, we will link the two accounts and log into the HMN account. (It is possible for multiple HMN accounts to have the same email, because we don't have a uniqueness constraint there. We fail the login in this case rather than link to the wrong account.) Finally, if no associated HMN user exists, a new one will be created. It will use the Discord user's username, email, and avatar. This user will have no password, but they can set or reset a password through the usual flows. Right now it also disables the showcase integration; I figured that automatically sharing showcase stuff publicly might be an unwelcome surprise. I don't really like that decision since I think it will probably cause confusion when people try to use tags in showcase...we'll have to discuss whether we can leave this setting on by default or in some other way help people find it.

bvisness added 3 commits 2023-05-05 03:22:44 +00:00

eb6cd6e89c Get login with Discord working

6b03c3760a Add UI for logging in with Discord

and clean up that god-awful login popup a little bit...just a little

9b441333a7 Delete expired pending logins

bvisness changed title from ~~Add Discord login~~ to WIP: Add Discord login

2023-05-05 03:36:59 +00:00

bvisness added 1 commit 2023-05-05 04:21:36 +00:00

2ba2fa4d7d Allow password changes when you don't have one yet

bvisness added 1 commit 2023-05-05 04:46:44 +00:00

a826f1918e Use Discord avatars as HMN avatars

bvisness changed title from ~~WIP: Add Discord login~~ to Add Discord login

2023-05-05 04:47:50 +00:00

bvisness commented

2023-05-06 00:19:27 +00:00

Asaf points out that stuff crashes if the Discord user is not in the HMN server, since we try to apply the role. He also points out that, if the user is in the HMN server on account creation, we can swipe their display name. Gonna do that before merging.

bvisness added 1 commit 2023-05-06 02:47:31 +00:00

a95bb8cfbe Grab info from the Discord user's HMN membership