Configurable Authentication for Leaderboard

Question

Configurable Authentication for Leaderboard

Closed this issue a month ago · 8 comments

UdaySagar-Git commented 7 months ago

Authentication using NextAuth with various providers (Google and GitHub for now).
Login page or a modal pop-up for login.
Enable or disable authentication feature.
Configurable providers.
Role-based configurable routes.

Answer 1 · 2024-04-10T17:04:56.000Z

@rithviknishad can you please assign this to me !

Answer 2 · 2024-04-10T17:23:32.000Z

This may be an opt-in feature. To be disabled by default and would be disabled for this org's deployment too.

How would you validate a user is allowed to access the deployment?

Answer 3 · 2024-04-10T17:38:26.000Z

How would you validate a user is allowed to access the deployment?

The feature will be disabled by default, and all routes related to authentication (/api/auth) will redirect to the home page if it's disabled.
The user needs to manually change a flag like (ENABLE_AUTHENTICATION=true) in the environment variables to enable authentication.
If a user has enabled this flag, they need to provide a client ID and secret from their own OAuth.

Answer 4 · 2024-04-11T04:07:35.000Z

Let's say an organization A that has private repositories and their leaderboard is set to include those information, how would you validate if a person is from org. A?

Answer 5 · 2024-04-11T08:50:34.000Z

That might be a bit tricky!

One thing we can do is domain specific validation (email@organization.com).
Only the users present in the data repository will be validated or allowed.
We can add something like a request for access, which creates a PR similar to what we have for updating profiles. If and only if the pr gets merged, then the user will get access.

Answer 6 · 2024-04-12T12:20:23.000Z

I have one suggestion,
Instead of implementing register/login functionality, let's consider adding a toggle on the homepage to switch between private and public repositories. When a visitor toggles to view private repositories, we'll then validate whether the visitor is allowed access.
It is less complicated i guess.

Answer 7 · 2024-04-13T20:16:29.000Z

@rithviknishad , can we have a separate endpoint that is only accessible to the owner? The owner's email will be placed in the env , and the user with that email can access a route where the owner can add users' emails to allow them access to the website. I think we can somehow have write access permissions for the data repository directly using GitHub's new fine-grained PAT and update the data repository using Octokit.

, Also, we can directly update a specific file, such as allowedUsers, from the web using Octokit.

Answer 8 · 2024-04-13T20:21:47.000Z

@dgparmar14 we need authentication to verify the users who will have access to private repositories, right?
The problem here is how we're going to allow which users will have access to private repositories
Let me know if you have any ideas on how this can be achieved