GitHub, like all OAuth-based APIs, requires that each request to the API made on behalf of a user is authenticated with an `access_token`. If you don't pass an `access_token` alongside your request, the request will fail with a `401 Unauthorized` status code.
There's no way to ask GitHub whether a given user has accepted your app. It's not part of the OAuth framework, as exposing it could lead to a security flaw. So it's your responsibility as the application's owner to record which users have authorized your app.
With this in mind, let's sum up the different steps that Heroku had to go through to display this "Connected" status under the GitHub logo.
- When you signed up on Heroku, the status of the GitHub integration was "not_connected". If you visited the settings page, you would see a "Connect to GitHub" button.
- At some point, in the Heroku dashboard, you clicked on the "Connect to GitHub" button and authorized Heroku's app for GitHub. This is where you were redirected to the `callback_url`.
- At this particular time, while you were on the `callback_url` page, Heroku recorded in its database the new status of the GitHub integration for your account. It was set to "connected". Heroku has probably saved the `access_token` and `refresh_token` alongside it.
- Every time you visit the settings page of your app, Heroku can render that you are connected because it has the status in its database.
- (optional) When Heroku performs requests to the GitHub API using your `access_token`, it can confirm that the connection is still live. If a request ever fails with a `401 Unauthorized`, Heroku can update its database and reset your GitHub integration status to "not_connected".
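The state machine described in the steps above, as an added example that is not code from the original post, from Heroku or from Pizzly. It assumes an in-memory dictionary standing in for the database table and a caller-supplied `request` callable that returns an HTTP status code, so no real GitHub call is made.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Integration:
    """One row of the per-user, per-provider integration table."""
    status: str = "not_connected"
    access_token: Optional[str] = None
    refresh_token: Optional[str] = None


class IntegrationStore:
    """In-memory stand-in for the application's database (assumption)."""

    def __init__(self) -> None:
        self._rows: dict = {}  # (user_id, provider) -> Integration

    def get(self, user_id: str, provider: str) -> Integration:
        return self._rows.setdefault((user_id, provider), Integration())

    def on_callback(self, user_id: str, provider: str,
                    access_token: str, refresh_token: Optional[str] = None) -> str:
        # Runs once, while the user sits on the callback_url page: the grant
        # is recorded here, because the provider will never tell us later.
        row = self.get(user_id, provider)
        row.status = "connected"
        row.access_token = access_token
        row.refresh_token = refresh_token
        return row.status

    def is_connected(self, user_id: str, provider: str) -> bool:
        # Rendering the settings page reads the stored status; no API call.
        return self.get(user_id, provider).status == "connected"

    def call_api(self, user_id: str, provider: str,
                 request: Callable[[str], int]) -> Optional[int]:
        # request(access_token) performs the authenticated call and returns
        # its HTTP status code (constructed callable, not a real HTTP client).
        row = self.get(user_id, provider)
        if row.status != "connected" or row.access_token is None:
            return None
        status_code = request(row.access_token)
        if status_code == 401:
            # Token revoked or expired: drop it and flip the user back.
            row.status = "not_connected"
            row.access_token = row.refresh_token = None
        return status_code
```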
This works the same way for the GitHub API as for any other OAuth-based API. If you plan to integrate with several APIs, I highly recommend using an API integrations manager such as Pizzly. It lets you focus on the business logic ("is my user connected or not?") and handles the whole OAuth process for you.