Skip to content
This repository has been archived by the owner on Apr 20, 2024. It is now read-only.

Remember me by default #416

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

Remember me by default #416

wants to merge 1 commit into from

Conversation

aapeliv
Copy link
Member

@aapeliv aapeliv commented Apr 12, 2024

Web frontend checklist

  • Formatted my code with make format
  • There are no warnings from make lint
  • There are no console warnings when running the app
  • Added any new components to storybook
  • Added tests where relevant
  • All tests pass
  • Clicked around my changes running locally and it works
  • Checked Desktop, Mobile and Tablet screen sizes

darrenvong
darrenvong reviewed Apr 14, 2024
View reviewed changes
features/auth/login/LoginForm.tsx
@@ -129,7 +129,7 @@ export default function LoginForm() {
<div className={classes.loginOptions}>
<FormControlLabel
className={classes.rememberSwitch}
control={<Switch size="small" />}
control={<Switch size="small" checked={true} />}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure this actually ever worked 🤔 did a bit of code digging and it looks like the frontend "forgot" to pass the value of this properly to the backend on the API call...

Copy link
Contributor

@bakeiro bakeiro Apr 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what if the 'remember me' switch creates a cookie when enabled, and at the start of the page check if that cookie exists?
that way we don't need to send it to the server (unless it's something that we want...)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the pseudo code it's clear I can implement it :)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you look at the proto definition of the auth req, I believe it is important we send this back to the server/backend so the session remains valid for longer.

@aapeliv may have more details of what the session is valid from creation until expiry, with no need to be used in between means (e.g. I'm not sure how expiry is determined)

Copy link
Member

@darrenvong darrenvong Apr 14, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High level outline of approach:

  • Make sure the switch has a name property as that's important for React hook Form to update the form state correctly
  • Update authActions.passwordLogin to accept the rememberMe boolean
  • Check that the underlying call in that function to the gRPC API also takes this value in - you may have to update some code in one of the functions in the service folder

Test that it works? Actually this is where I'm a bit confused 😅 , as even the state of it right now, you don't have to log in again anyway (since cookie stays valid for 7 days after last user action according to the comment in the proto definition)? So does "remember me" mean you don't have to type in your email/password again? If that is the case, that sounds more like a frontend concern to me than a backend one, but somehow the same terminologies are being used here which makes things confusing...

@aapeliv
Copy link
Member Author

aapeliv commented Apr 14, 2024

Actually this is where I'm a bit confused 😅 , as even the state of it right now, you don't have to log in again anyway (since cookie stays valid for 7 days after last user action according to the comment in the proto definition)? So does "remember me" mean you don't have to type in your email/password again? If that is the case, that sounds more like a frontend concern to me than a backend one, but somehow the same terminologies are being used here which makes things confusing...

The backend will set a session in the browser. That session has an expiry (by default 90 days) that matches what's stored in the database.

  • Without remember me: the cookie will be valid (and you don't need to log in) for up to 90 days, but you have to use it at least once per week (168 hours). So if you don't interact for 1 week, it logs you out. This probably means that the browser still has the cookie, but you get RPCs that return UNAUTHENTICATED because the backend kicked you out, and you get redirected to log in.
  • With remember me: the cookie will be valid for 90 days, regardless of activity.

I will increase the cookie expiry from 90 days to much longer soon (Couchers-org/couchers#4059).

@darrenvong
Copy link
Member

I see, thanks for the clarification! Isn't 90 days already quite a generous timeframe (since you mention you're planning to increase it)? Do people actually complain of needing to log in again once around every 3 months? 😅

@aapeliv
Copy link
Member Author

aapeliv commented Apr 16, 2024 via email

@aapeliv aapeliv added the web label Apr 20, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@darrenvong darrenvong darrenvong left review comments

@bakeiro bakeiro bakeiro left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
web
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@aapeliv @darrenvong @bakeiro