Authentication #10

Open
rushiagr opened this issue Jan 31, 2015 · 4 comments
@rushiagr
Member

@ajayaa and I discussed auth in some detail, so I'm writing it down here so that the development happens 'out in the open' and we gather important feedback.

We will use GMail OAuth for authentication. A user will be able to use only his IITH email ID to log in. We'll need to parse the email ID being used to log in into the website, and only allow the 'valid' email id. One special case is 2008 batch, who don't have email IDs by their roll numbers but by their names. But that's easy to solve too. We'll need to maintain a list of those IDs in the database and check against that.

Once this functionality is done, the next step should be to allow logging in using the person's 'personal' GMail ID and keep an association of this ID and the original IITH GMail email ID. This will allow convenience -- the user will not have to log in using the IITH GMail email ID all the time. So potentially, one will need to log in via his IITH GMail email ID only once, and from then on he can use his personal GMail email ID.

@chirag200666
Contributor

The second part of authentication, which is attaching a second Gmail ID, seems a bit tricky.
As it seems to me, for attaching two Google accounts we need to have separate pipelines in python-social-auth, because the behaviour during the two logins is different. So we can either have a totally new instance of the plugin and then a new pipeline for it, or we will have to modify the pipeline at multiple places to account for the different behaviour.
Putting @ajayaa in the loop as well.

@rushiagr
Member Author

I didn't get the pipeline thing completely, mostly because I'm not very well-versed with social auth/OAuth stuff. But can't we maintain a mapping of both the email IDs in our database, and use this mapping to show the same information to the user whether he/she logs in from either of the email addresses?

@ajayaa
Contributor

ajayaa commented Mar 31, 2015

@chirag200666 What we discussed over the phone seemed quite possible to me. Let me have a crack at it over this weekend.

@chirag200666
Contributor

python-social-auth has a set of tasks to be done in a sequence, e.g. forward for authentication -> get name, email etc. -> create account -> login. They call this sequence a pipeline. At the end it attaches the Google/FB account to a 'User' object of Django.

The problem is that in the pipeline we have specified that only IITH email IDs are allowed, so a person cannot attach his/her personal Google account. If we modify the behaviour to accept other email IDs during the email_allowed part of the pipeline, then during the create_user part, after creation, we will have to store the mapping of the two accounts; then in the last step we can specify to log in with the original/primary 'User' account.
I have one doubt in this process: does python-social-auth allow a person to be already logged in during the social login process?

Another hacky solution is possible during registration. When the user is filling in his/her personal email, we can create a 'User' object with that email and store the mapping. Now whenever the person tries to log in with that Gmail ID, python-social-auth will map that account to the 'User' object we created, and then we can forward him to his mapped account.
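
Added example, not part of the thread or the project's code: a sketch of the checks the allow-list and the personal-to-institute mapping discussed above need, so that a linked personal address can never be used to reach an account its owner did not authenticate as. The domain `iith.example`, the roll-number pattern, the sample addresses, all function names, and the in-memory `links` dict (standing in for a database table) are assumptions; `email_verified` is assumed to be passed in by the caller from the identity provider's claim.

```python
import re

ALLOWED_DOMAIN = "iith.example"  # placeholder, not the institute's real domain
ROLL_RE = re.compile(r"[a-z]{2}\d{2}[a-z]\d{3}")  # hypothetical roll-number format
LEGACY_2008_IDS = {"asharma@iith.example"}  # constructed name-based 2008-batch ID


class LoginRejected(Exception):
    """Stand-in for the error a real pipeline step would raise."""


def normalise(email):
    """Lower-case the address and split it on the last '@'."""
    local, sep, domain = email.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise LoginRejected("malformed email")
    return local, domain


def is_institute_id(email):
    local, domain = normalise(email)
    if domain != ALLOWED_DOMAIN:  # exact match, never endswith() or substring
        return False
    return bool(ROLL_RE.fullmatch(local)) or f"{local}@{domain}" in LEGACY_2008_IDS


def link_personal_id(links, session_email, personal_email):
    """Map personal -> institute ID, only from an institute-authenticated session."""
    if session_email is None or not is_institute_id(session_email):
        raise LoginRejected("linking requires an institute login")
    primary = "@".join(normalise(session_email))
    personal = "@".join(normalise(personal_email))
    if links.get(personal, primary) != primary:
        raise LoginRejected("address already linked to another account")
    links[personal] = primary


def resolve_login(links, email, email_verified):
    """Return the institute ID that this login acts as, or raise LoginRejected."""
    if not email_verified:  # provider's email_verified claim, passed in by the caller
        raise LoginRejected("provider has not verified this address")
    address = "@".join(normalise(email))
    if is_institute_id(address):
        return address
    if address in links:
        return links[address]
    raise LoginRejected("not an institute ID and not linked to one")
```

In a python-social-auth pipeline these checks would sit in a custom step placed where the thread puts the email_allowed check, with the mapping stored in a model rather than a dict.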
