Authentication using RC OAuth2 Module and RC Apps Scheduler

Samad Yar Khan edited this page Jul 6, 2022 · 4 revisions

Authentication in GitHub RC App

Authentication User Flow

Adding OAuth2 to Rocket.Chat App

  • The first step is to set up the OAuth2 client in the Rocket.Chat App - Example.
  • Create a GitHub OAuth App as shown over here and note down the Client ID and Client Secret of the OAuth app.
  • The OAuthClient setup enables two settings that our Rocket.Chat App needs in order to log in to GitHub through the GitHub OAuth App. Enter the GitHub OAuth App's Client ID and Client Secret into these settings.
  • To log in through GitHub OAuth, we need to make a GET request to the GitHub API using the client ID and client secret.
  • A slash command such as /github login can be used to send the user a message containing the login URL. This URL is created with getUserAuthorizationUrl(user: IUser), provided by the app's OAuthClientInstance, as seen in the authorize method of the GitHub App.
  • As soon as the URL is clicked, the user is logged in to GitHub, the internal callback function of the OAuth client module is called, and the user's token is saved in the app's persistent storage.
  • We can introduce our own callback function, which is called after the user has been logged in and after the OAuth client's own callback has run.

Logout User using Scheduler API

  • Storing users' tokens forever in the Rocket.Chat App's persistent storage can become a challenge when scaling the server to millions of users.
  • As soon as the user is authenticated, we need to schedule a process that deletes the stored token from the server and logs the user out.
  • We register a processor in the app's configuration using a unique ID. This processor runs the deleteOAuthToken method to delete the token.
  • We use modify.getScheduler().scheduleOnce(deleteTokenTask) inside our custom authorizationCallback() method to schedule the processor that logs the user out and deletes the token exactly 7 days after login.
  • Some methods required to get or delete the access token need to be declared separately in auth.js, as we cannot access the OAuthClientInstance inside processors and other methods. The implementation for these can be seen over here.
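The login-then-schedule flow described above, as an added example that is not the GitHub App's own code: it builds the one-time job that scheduleOnce() would receive from the custom authorizationCallback, and runs the processor body that deletes the token seven days later. The interfaces, the processor ID and the in-memory token store are local stand-ins for the Apps-Engine types and persistence, chosen here so the snippet runs without the apps-engine package.

```typescript
// Local stand-in for the Apps-Engine one-time schedule shape (an assumption, not the
// engine's real type): the id must match the processor registered in the app configuration.
interface OnetimeSchedule {
    id: string;
    when: Date;                       // absolute time at which the scheduler fires the job
    data?: Record<string, string>;    // job context handed to the processor
}

// Assumed processor id; the real app registers its own unique ID.
const DELETE_TOKEN_PROCESSOR_ID = 'github-delete-oauth-token';
const SEVEN_DAYS_MS = 7 * 24 * 60 * 60 * 1000;

// In-memory stand-in for the app's persistent storage, keyed by user id.
type TokenStore = Map<string, string>;

// Called from the custom authorizationCallback after the OAuth client has stored the
// token: builds the job passed to modify.getScheduler().scheduleOnce(), due 7 days later.
function buildDeleteTokenTask(userId: string, loginTime: Date): OnetimeSchedule {
    return {
        id: DELETE_TOKEN_PROCESSOR_ID,
        when: new Date(loginTime.getTime() + SEVEN_DAYS_MS),
        data: { userId },
    };
}

// Processor body: remove the stored token so the user is logged out of GitHub.
// Returns true when a token existed and was removed, false when there was nothing to
// delete, so re-running the job (or a user who logged out earlier) is harmless.
function deleteOAuthToken(store: TokenStore, job: OnetimeSchedule): boolean {
    const userId = job.data?.userId;
    if (!userId) {
        return false; // malformed job context: refuse rather than guess a user
    }
    return store.delete(userId);
}

// Worked run on constructed sample data: one user logs in, the job is built, and the
// processor later runs against the same store.
function demo(): { fireAt: Date; deleted: boolean; stillStored: boolean } {
    const store: TokenStore = new Map([['user-42', 'constructed-sample-token']]);
    const login = new Date('2022-07-06T00:00:00Z');
    const task = buildDeleteTokenTask('user-42', login);
    const deleted = deleteOAuthToken(store, task);   // what the scheduler does at task.when
    return { fireAt: task.when, deleted, stillStored: store.has('user-42') };
}
```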