-
Notifications
You must be signed in to change notification settings - Fork 0
/
process.txt
47 lines (33 loc) · 3.02 KB
/
process.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
Alright, let's build a secure and user-friendly flow that maximizes the use of the backend, yet keeps the UI experience smooth:
### Flow:
1. **Start Discord Authentication**:
- UI: The user clicks a "Connect with Discord" button.
- API: Redirects to the Discord OAuth URL.
2. **Discord OAuth Callback**:
- API: Discord redirects the user to your API's OAuth callback with a code.
- API: Exchange this code for an access token.
- API: Fetch necessary Discord user information and store it in the session or a temporary data store (e.g., Redis).
- API: Redirect to a UI endpoint to prompt the user to connect with GitHub.
3. **Start GitHub Authentication**:
- UI: User is prompted to "Connect with GitHub". Upon clicking, it redirects to the GitHub OAuth URL through the API.
- API: Handles the redirect to GitHub.
4. **GitHub OAuth Callback**:
- API: GitHub redirects back to your API's OAuth callback with a code.
- API: Exchange this code for an access token.
- API: Fetch the list of repositories (consider paginated fetching if there are a lot).
- API: Store this list temporarily (in the session or a temporary store like Redis) and redirect the user to the UI endpoint where they can select a repo.
5. **Repository Selection**:
- UI: User is shown a list of their repositories to select from. This data is fetched via an API endpoint which retrieves it from the temporary store.
- UI: After selection, the UI sends the repo's ID (or some unique identifier) to the API.
- API: Fetches necessary information about the repository, combines it with the Discord data, and saves everything needed to your database.
6. **Complete Authentication**:
- API: Clears any temporary data used during the process.
- API: Optionally generate a JWT or some session token for the user to use for further authenticated requests.
- UI: Redirects user to the dashboard or main application page.
### Notes:
- **No Secrets on the Client**: With the above flow, secret keys and access tokens remain only on the server-side. The frontend is abstracted from these details and only deals with user experience interactions.
- **Temporary Data**: Data like the list of repos is stored temporarily to aid the flow without persisting sensitive data longer than necessary.
- **Smooth UI Experience**: The user essentially sees a sequence of: Login with Discord -> Login with GitHub -> Select Repository, which is logical and minimal in terms of steps.
- **Securing Tokens**: Any tokens or temporary data should have expiration times, ensuring that even if there were a data leak, the data would be useless after a short period.
- **Direct Interaction**: The UI only interacts directly with third-party services (like Discord or GitHub) in the sense of redirecting the user to their OAuth pages. All other interactions are proxied through your API, preserving encapsulation and security.
Implementing the flow in this manner ensures that user experience remains smooth, security is prioritized, and logic is largely encapsulated within the backend.