-
-
Notifications
You must be signed in to change notification settings - Fork 725
Authentication
Most shop managers and customers on OFN only ever authenticate this way. OFN uses Devise for authentication and CanCanCan for authorization.
Being logged in to OFN also means that you can make API v0 requests (or the front end code can make them on your behalf). For example, if you're on the admin products page, the page loads and then does a GET to /api/v0/products/bulk_products.json
to load the products.
For API v0 endpoints that require auth, we check the request's X-Spree-Token
header. Each user record in the database has an associated API key in the spree_api_key
field. If the token passed in the header matches a user's key, we authenticate the request as coming from that user.
A user who has permissions to edit users on the instance (a superadmin) is able to view API keys for all users on the admin/users/edit page. Alternatively, a user can contact the instance manager of the corresponding instance to be granted an API key. The best way to do this is via our Slack. It is also possible to find the API for a user while logged in by viewing page source.
Some API v0 endpoints do not require any auth. If a request is made to an endpoint without an API key, we create a new Spree::User
(but don't persist it) with no authorization roles attached to it and use that as the current_api_user
. If the endpoint requires auth, the request will fail, otherwise it returns the requested data.
OFN is set up as an OAuth client of Stripe; when a shop owner wants to authorize OFN to take payments through Stripe, we use the OAuth flow (included with the Stripe gem) to do so.
Development environment setup
- Pipeline development process
- Bug severity
- Feature template (epic)
- Internationalisation (i18n)
- Dependency updates
Development
- Developer Guidelines
- The process of review, test, merge and deploy
- Making a great commit
- Making a great pull request
- Code Conventions
- Database migrations
- Testing and Rspec Tips
- Automated Testing Gotchas
- Rubocop
- Angular and OFN
- Feature toggles
- Stimulus and Turbo
Testing
- Testing process
- OFN Testing Documentation (Handbooks)
- Continuous Integration
- Parallelized test suite with knapsack
- Karma
Releasing
Specific features
Data and APIs
Instance-specific configuration
External services
Design