
Conversation

@goatfryed
Contributor

@goatfryed goatfryed commented Jan 1, 2024

📚 Description

This PR introduces postgraphile in library mode together with revisited authentication logic. Both concepts are closely coupled.

contains #1512

🦾 ToDos short

  • csp form-action and provider linking to http instead of https
  • auth user database adapter
  • update frontend to use new user model instead of store variables
  • update frontend to actually use the own graphql endpoint
  • figure out whatever this means for frontend only development

👀 what's working?

  1. old login broken atm
  2. user clicks on sign in
  3. user clicks on a fugly github button
  4. user is redirected to github and can authorize & signin
  5. user is in a logged in header state
  6. user can navigate to /graphql
  7. user can access the local graphql api. if logged in, the db works in context user.id = maevsiUserId from auth context
    • the postgraphile part is finished. the id itself in auth is hard coded atm

💬 Discussion

I'd have liked to keep it a bit smaller.

about postgraphile

v4.18 requires graphql 15 or below, while other project dependencies already require graphql 16. Therefore, I decided to give postgraphile 5 a shot. Note that it comes with quite some differences and is only beta at the moment. The ruru graphiql is cool though. 😄

about auth library

I decided to go forward with authjs-nuxt, since lucia is quite low level. Also, lucia dropped jwt support completely and I disagree a bit with their reasoning.

Reg. authjs & authjs-nuxt: Damn, this is all so work in progress. But I guess you're used to it (nuxt3 migration 👀). At least, it brings support for what we want (credentials, magic link, oauth), although the user model and api around it feels kind of dirty.

  • ❓ authjs comes with a built-in pg adapter that requires a certain table structure. Should we write a custom adapter with the available api or migrate the db to follow the new layout (Session can be ignored, since we're using jwt)? Atm the implementation is a dummy.

about frontend only development

We need to figure out what this means for (frontend only?) development. A bundled postgraphile library and authentication means that you can't connect so easily from local to production maevsi anymore, because we don't want to expose the actual database.
Also, oauth2 requires secrets that we also don't want to expose.

I think, we could create a setup where the graphql endpoint and the auth endpoints are proxied to the actual production maevsi and only other routes are handled locally. Together with a stateless jwt session this should solve our issues (for now?), unless our local backend starts to require secrets that are not to be exposed in an unencrypted jwt. I doubt that tbh.

And if we see issues with that approach, we could still introduce a dedicated api backend on top of postgraphile.

about jwt storage

Just a side note. I'm actually a bit confused why jwt tokens are stored in the database. Isn't the purpose of them to work stateless without db lookups? Doesn't really matter to the PR, but I was wondering 🤔 If you think that's worth a discussion, let's make an issue for it.

📝 Checklist

  • All commits follow the Conventional Commit format
  • The PR's title follows the Conventional Commit format

Example github config for reference

Pasted image 20231231210742

@goatfryed
Contributor Author

Happy new year and happy for some early feedback. 😄

@dargmuesli
Member

Ok, so here we are, it's Hacktober! 🥳

I've looked into this and collected some more experience with setting up OAuth in Nuxt with lucia for a @ninjaneers/nearbuy demo.

So, regarding JWTs: in general, I'd like to implement some session logic. Users should be able to log out of sessions started on devices they may not control anymore and admins should be able to lock users out in case of misbehavior. maevsi currently checks JWTs server side exactly for this reason, to be able to quit sessions server-side. It's apparent that this is a wyld combo which likely shouldn't be around for too long any more.

By now, https://github.com/Hebilicious/authjs-nuxt is not maintained anymore. AuthJs has a native Nuxt integration coming, but I don't really see their seemingly preset database schema fit the existing schema for maevsi. Also it isn't merged yet, atinux/nuxt-auth-utils is a little too custom still for production, not too many eyes verifying security on it, I think.

So, just by an incremental addition without a major rewrite, even being able to keep postgraphile as-is, the following should be working:

This should be fairly straight-forward. Sounds good? Am I missing something? Let's talk about it in this Hacktober 😁

@dargmuesli dargmuesli force-pushed the master branch 2 times, most recently from db8592b to 95ec293 Compare February 20, 2025 05:59
@dargmuesli dargmuesli changed the base branch from master to main March 7, 2025 10:29
@CLAassistant

CLAassistant commented Jun 28, 2025

CLA assistant check
All committers have signed the CLA.
