Add Discord login #106
Reference: hmn/hmn#106
This leverages our existing Discord OAuth implementation. Any users with a linked Discord account will be able to log in immediately. When logging in, we request the `email` scope in addition to `identity`, so existing users will be prompted one time to accept the new permissions. On subsequent logins, Discord will skip the prompt.

When linking your Discord account to an existing HMN account, we continue to only request the `identity` scope, so we do not receive the user's Discord email.

Both login and linking go through the same Discord OAuth callback. All flows through the callback try to achieve the same end goal: a logged-in HMN user with a linked Discord account.

Linking works the same as it ever has. Login, however, is different because we do not have a session ID to use as the OAuth state. To account for this, I have added a `pending_login` table that stores a secure unique ID and the eventual destination URL. These pending logins expire after 10 minutes. When we receive the OAuth callback, we look up the pending login by the OAuth `state` and immediately delete it. The destination URL will be used to redirect the user to the right place.

If we have a `discord_user` entry for the OAuth'd Discord user, we immediately log the user into the associated HMN account. This is the typical login case. If we do not have a `discord_user`, but there is exactly one HMN user with the same email address as the Discord user, we will link the two accounts and log into the HMN account. (It is possible for multiple HMN accounts to have the same email, because we don't have a uniqueness constraint there. We fail the login in this case rather than link to the wrong account.)
Finally, if no associated HMN user exists, a new one will be created. It will use the Discord user's username, email, and avatar. This user will have no password, but they can set or reset a password through the usual flows. Right now it also disables the showcase integration; I figured that automatically sharing showcase stuff publicly might be an unwelcome surprise. I don't really like that decision since I think it will probably cause confusion when people try to use tags in showcase...we'll have to discuss whether we can leave this setting on by default or in some other way help people find it.
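The callback flow described in this PR, as an added example written in Go; it is not code from the hmn repository. It uses an in-memory stand-in for the `pending_login` and `discord_user` tables (the `Store`, `PendingLogin` and field names are assumptions made for the example) and shows the random state with a 10-minute expiry, the lookup-and-delete on callback, and the three resolution cases, including the refusal to link when several HMN accounts share an email.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

// Store stands in for the pending_login and discord_user tables (constructed for this example).
type Store struct {
	Pending      map[string]PendingLogin // OAuth state -> destination URL and expiry
	DiscordUsers map[string]int          // Discord user ID -> HMN user ID
	UsersByEmail map[string][]int        // email -> HMN user IDs (no uniqueness constraint on email)
	NextUserID   int
}
type PendingLogin struct{ Dest string; ExpiresAt time.Time }
// BeginLogin stores the destination under a random, unguessable state (the OAuth state) good for 10 minutes.
func (s *Store) BeginLogin(dest string, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	state := base64.RawURLEncoding.EncodeToString(raw)
	s.Pending[state] = PendingLogin{dest, now.Add(10 * time.Minute)}
	return state, nil
}
// HandleCallback deletes the pending login before the expiry check (a replayed callback cannot reuse
// a state), then applies the PR's three cases: linked discord_user, one email match to link, or new account.
func (s *Store) HandleCallback(state, discordID, email string, now time.Time) (int, string, error) {
	p, ok := s.Pending[state]
	delete(s.Pending, state)
	if !ok || now.After(p.ExpiresAt) {
		return 0, "", errors.New("unknown or expired OAuth state")
	}
	if id, ok := s.DiscordUsers[discordID]; ok {
		return id, p.Dest, nil // typical login: Discord account already linked
	}
	ids := s.UsersByEmail[email]
	if len(ids) > 1 {
		return 0, "", errors.New("multiple HMN users share this email; refusing to link")
	}
	if len(ids) == 0 { // no HMN user at all: create one with the Discord user's email
		ids = []int{s.NextUserID}
		s.NextUserID++
		s.UsersByEmail[email] = ids
	}
	s.DiscordUsers[discordID] = ids[0]
	return ids[0], p.Dest, nil
}
```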
Title changed from "Add Discord login" to "WIP: Add Discord login"

Title changed from "WIP: Add Discord login" to "Add Discord login"

Asaf points out that stuff crashes if the Discord user is not in the HMN server, since we try to apply the role. He also points out that, if the user is in the HMN server on account creation, we can swipe their display name. Gonna do that before merging.