Separate Authentication Module #26
Conversation
There was a problem hiding this comment.
- move verifyUserMail to the backend, i.e., check that once the request is sent to the backend and send the appropriate error msg as a response if it fails. Anyone can overwrite the frontend check. You don't need to make a separate function in utils for the same, simply verify the domain before sending the top email.
- the API route validate-jwt is logically incorrect:
i) access cookies using cookieStore and not req.headers.
ii) you should know what cookie to look for and not simply anything and everything that exists. Also, your current code breaks down if multiple cookies are received, which will mostly be the case. An approach to solve both your issues involves sending the instiCode as a param, like in the generate-otp route. Hence, you will know which cookie to look for and verify. - Store the route path and not the full URL for authLink and verifyAuthLink in the insti db. Modify the code (Axios) to work accordingly. It should detect if the link is external or internal route and treat them accordingly.
- Handle the errors you might get while Axios.get(verifyAuthLink) in /register route. This might not be an 'error' error but the response may not be 200 OK or might simply return a text like 'No JWT session token found.' (in case of Heimdall). So it must not try to extract an email field and fail uncontrollably.
- Find a way to redirect to the register page after successful authentication.
- Add the instructions to add the necessary env variables in readme. Maybe make a sample env file.
There was a problem hiding this comment.
i) check if instituteCode exists and is provided as a pram in genrate otp page. Also, display the chosen college name while asking for email
ii) display a successful otp sent message and to check inbox.
iii) dont use loader on full page on form submissions - show loading animation or something like "Submitting..." in the button iself and disable it when the form is submitted, until response is received. (ex - in otp submitting page)
iv) in otp submitting page, redirect to /authenticate when otpData not present, as genrate otp page without knowing instituteCode should be a problem
v) use headers or req.url (origin key) to find the hosted url while making verifyrouteURL in /register route for internal routes, instead of fixing it to be https://travel.metakgp.org. Do something similiar for redirect_url in register page, while going to auth link.
vi) remove the leftover console logs if any, apart from when catching errors in backend.
There was a problem hiding this comment.
You haven't implemented the logic for showing the relevant locations based on the user's college instead of the hardcoded data.json ones 😐.
Also, while doing this, I hope you realise why the current format of storing the locations in the insti model as a simple string array will not be sufficient. Have a look at data.json for reference.
There was a problem hiding this comment.
i) Unhandled error at http://localhost:3000/authenticate/generate-otp?instituteCode=A13 for insti not found. Simply doing this:
if (!selectInstitute) {
alert('Institute not found.');
router.push("/authenticate");
}
will not help as the code has already thrown an error before that.
ii) Currently showing "Error during email domain validation." while entering email if someone adds a invalid domain email. Change this msg to something more helpful - "Invalid email. Choose the correct institute." and hence, add a button to go back to the authenticate screen.
iii) Change button to Verfiy instead of Submit when entering OTP.
iv) "OTP is valid, Verification successful!" - Change to a user-friendly and helpful message, like "OTP verified successfully!".
v) genuinely use the redirect_url feature on every redirect to /authenticate or /register or other authentication pages and actually redirect back to the correct site where the user was redirected out of (for authentication or registration), instead of the homepage everytime.
vi) If otpData is invalid or does not exist when user goes to /verify-otp, you are redirecting to "/authenticate/generate-otp", which obviously will cause an error in the absence of the institute code, which again, is uncaught and causes a nextjs error before correctly redirecting to /authenticate. We may redirect it to /authenticate instead.
Closes #22