oauth guide

might be a pretty dumb question, however, is there any version of oauth guide that is just so plain, a mind like mine can comprehend? I just for some reason need an example to see how it should work, if there is any. Anything helps. Tried plugin-api's documentation but for some reason I can't make anything work.
Solution:
yes you're describing the basic principle of OAUTH2. Like I just said, it works in 1 and 1 way only.
Jump to solution
83 Replies
Favna
Favna4d ago
fraid to say what we have now is already as easy as it will get. OAUTH2 simply doesnt have the lowest learning curve
Shrewd 💫
Shrewd 💫OP4d ago
So I have added to my index.ts the auth with fields for the id, secret, scopes, cookie, and domain overwrite. But none of that wants to work. Am I supposed to build something more to it or how does it work? I just want to grasp of how to build it and check it out. I didn't yet plan to make any frontend or anything, just purely want to see how it is supposed to function For example, I've learned to expose api, but now I have a hard time figuring out the oauth one
Favna
Favna4d ago
oauth2 doesnt really do anything without a frontend. you need a browser to be directed to the discord.com oauth2 endpoint and then be redirected back to your website from where you then do a backend request with the code to get the user data. This frontend also has to run on an SSL website (https) as we use http-only cookies for authentication as opposed to LocalStorage stored JWTs
Favna
Favna4d ago
ByteByteGo
YouTube
OAuth 2 Explained In Simple Terms
Get a Free System Design PDF with 158 pages by subscribing to our weekly newsletter: https://bytebytego.ck.page/subscribe Animation tools: Adobe Illustrator and After Effects. Checkout our bestselling System Design Interview books: Volume 1: https://amzn.to/3Ou7gkd Volume 2: https://amzn.to/3HqGozy The digital version of System Design Interv...
Shrewd 💫
Shrewd 💫OP4d ago
so technically from my understanding, I still need to handle the redirection, correct?
Favna
Favna4d ago
yes the thumbnail above actually shows a great sequence diagram of oauth2 I recommend watching the video
Shrewd 💫
Shrewd 💫OP4d ago
yeah willing to in a sec So to make the redirection work, I should at least add a route in routes folder for testing purposes so it works? just trying to see if Im getting it right
Favna
Favna4d ago
no the plugin provides the routes required for oauth2 built in. You just need to call them from your frontend. with the right body, ofc
Favna
Favna4d ago
that's why we split the pages between backend and frontend and the backend page has barely any info, because you barely need to do anything https://www.sapphirejs.dev/docs/Guide/plugins/API/getting-started
Sapphire Framework
Getting Started | Sapphire
Introduction
Favna
Favna4d ago
there are many similar videos on the platform btw and likewise many written guides so looots of info to find and learn 😄
Shrewd 💫
Shrewd 💫OP4d ago
okay so oauth2 route (backend) explains how to set up the initial things to use it
Shrewd 💫
Shrewd 💫OP4d ago
this specifically
No description
Shrewd 💫
Shrewd 💫OP4d ago
and then once oauth url from discord redirects us to the website
Favna
Favna4d ago
I suppose you could say it that way yes
Shrewd 💫
Shrewd 💫OP4d ago
the website has to handle it is this correct or
Favna
Favna4d ago
if you want to see it in action you can login at https://skyra.pw which powers @Skyra
Skyra
Skyra Dashboard
Skyra is a multipurpose Discord bot designed to handle most tasks, helping users manage their servers easily.
Shrewd 💫
Shrewd 💫OP4d ago
hm? just trying to see if I got it right
Favna
Favna4d ago
yes
Shrewd 💫
Shrewd 💫OP4d ago
so I should code it straight in my website to handle it and then eventually make a get request to my bot if I want it for example to retreive roles of someone in a certain guild, correct? might be a little complicated to understand my point Let me present to you my point of view
Favna
Favna4d ago
it is honestly. OAUTH2 works in 1 way and 1 way only and it doesnt matter if that's "login with google/facebook/apple/twitter/etc" or login with discord. It's all the same. Surely you've logged in that way many many times throughout the years.
Shrewd 💫
Shrewd 💫OP4d ago
I want people to go through oauth to log into my website to see certain sections. To access those sections, you need to have specifically a role Level 4 or higher in a specific guild. Using oauth, Id fetch list of their guilds and if they are in this specific guild, I would send a get request to the bot and ask them to tell me if they do have this role in said guild. Role being L4 or higher. If they do then the rest of stuff happen so the way I have phrased it, does it make a sense Let me know
Solution
Favna
Favna4d ago
yes you're describing the basic principle of OAUTH2. Like I just said, it works in 1 and 1 way only.
Shrewd 💫
Shrewd 💫OP4d ago
okay guess I have gotten my solution? thank you so much, if I run into some trouble, Ill just make another message here or something
Favna
Favna4d ago
sure
Shrewd 💫
Shrewd 💫OP4d ago
Is there any open source bot with oauth done? I have worked on frontend a little but then again, redirect url still has a problem. Its as if the bot didnt want to handle it
Favna
Favna4d ago
GitHub
GitHub - skyra-project/skyra: A multipurpose Discord Bot designed t...
A multipurpose Discord Bot designed to carry out most of your server's needs with great performance and stability. - skyra-project/skyra
GitHub
GitHub - skyra-project/skyra.pw: Official Website for Skyra
Official Website for Skyra. Contribute to skyra-project/skyra.pw development by creating an account on GitHub.
Shrewd 💫
Shrewd 💫OP4d ago
Question. /callback should be for the port where the bot is hosted on or on the website port same goes to /authorize 2100 is for the bot 3000 for the website pretty sure /authorize would be for the website, right? revisiting the documentation currently
Shrewd 💫
Shrewd 💫OP4d ago
No description
Shrewd 💫
Shrewd 💫OP4d ago
ill redo it so it points to an actual domain because its a hell to work with it on ssh
Shrewd 💫
Shrewd 💫OP4d ago
actually is something wrong with this? I can't seem to get the website to work
No description
Shrewd 💫
Shrewd 💫OP4d ago
I can access any api endpoint, but oauth won't really work
Shrewd 💫
Shrewd 💫OP4d ago
@Boomeravna yes im pinging so much but there is a chance Ive got it right... update: yeah, no
No description
Favna
Favna4d ago
for starters it has to be https, do you have that? if you run it locally use https://127.0.0.1 as opposed to http://localhost anyway pretty much impossible to say like this because the code has to be very particular. Did you check the code skyra uses?
Shrewd 💫
Shrewd 💫OP4d ago
yeah but how am I supposed to check if if Im sshed into it
Favna
Favna4d ago
idk what you mean sshed into it. You dont ssh for OAUTH2
Shrewd 💫
Shrewd 💫OP4d ago
I am not running it locally so I cant really access 127.0.0.1 least I can do is get vscode to forward localhost:port, thats what will work
Favna
Favna4d ago
you're really on your own for setting up your own development environment properly. I cannot wave a magic wand and suddenly a fully set up environment pops up on your screen on your system in your network
Shrewd 💫
Shrewd 💫OP4d ago
okay question. do I need domainoverwrite or can I get rid of it I made sure caddy reverses port 2100 to my api subdomain
Favna
Favna4d ago
depends. The reason we use it for skyra is because we have api.skyra.pw for the api. If you host your API on the same subdomain, i.e. mydomain.com/api then no
Shrewd 💫
Shrewd 💫OP4d ago
no its api.clara-scpf.com
Favna
Favna4d ago
it's because SelfSame cookies are finicky with subdomains then you do
Shrewd 💫
Shrewd 💫OP4d ago
so its supposed to remain in tact? as is
Favna
Favna4d ago
I think that looks okay yes
Shrewd 💫
Shrewd 💫OP4d ago
uno momentum let me grab a picture
Shrewd 💫
Shrewd 💫OP4d ago
No description
Shrewd 💫
Shrewd 💫OP4d ago
would this, be correct? 3000 is the nextjs website in dev mode
Favna
Favna4d ago
actually I was wrong s!ev client.options.api --depth=3
Skyra
Skyra4d ago
Output: ⏱ 270.83μs
{
auth: {
id: '266624760782258186',
secret: '「redacted」',
cookie: 'SKYRA_AUTH',
redirect: 'https://skyra.pw/oauth/callback',
scopes: [ 'identify', 'guilds' ],
transformers: [ [AsyncFunction: transformOauthGuildsAndUser] ],
domainOverwrite: '.skyra.pw'
},
prefix: '/',
origin: 'https://skyra.pw',
listenOptions: { port: 8282 }
}
{
auth: {
id: '266624760782258186',
secret: '「redacted」',
cookie: 'SKYRA_AUTH',
redirect: 'https://skyra.pw/oauth/callback',
scopes: [ 'identify', 'guilds' ],
transformers: [ [AsyncFunction: transformOauthGuildsAndUser] ],
domainOverwrite: '.skyra.pw'
},
prefix: '/',
origin: 'https://skyra.pw',
listenOptions: { port: 8282 }
}
Favna
Favna4d ago
that's what it is for @Skyra so drop the api part from the overwrite
Shrewd 💫
Shrewd 💫OP4d ago
interesting
Favna
Favna4d ago
sorry im also playing FFXIV and from time to time im pulled into boss battles
Shrewd 💫
Shrewd 💫OP4d ago
yes and I am about to cry sitting in vscode for no clue how long
Favna
Favna4d ago
as for the routes on the discord dashboard
No description
Shrewd 💫
Shrewd 💫OP4d ago
what does guild do again?
Favna
Favna4d ago
you can ignore that that's just for skyra stuff
Shrewd 💫
Shrewd 💫OP4d ago
so skyra doesn't use .api.?
Favna
Favna4d ago
the api runs on api.skyra.pw and the frontend on skyra.pw looks good and I deleted it coz you leaked your secret there
Shrewd 💫
Shrewd 💫OP4d ago
Of course, who else would do that if not me oh wait since Im just so confused.. so all the routes that are exposed, are exposed to api.skyra.pw, while auth is specifically doing the skyra.pw? according to the index.ts or skyra.ts, whatever its named yes Im beginning to loose myself hence why im asking
Favna
Favna4d ago
skyra.pw is React frontend code api.skyra.pw is the API plugin from sapphire
Shrewd 💫
Shrewd 💫OP4d ago
does listenOptions affect auth or just the api okay just replaced hardcoded values with env
Favna
Favna4d ago
jut the api it goes to the http server
Shrewd 💫
Shrewd 💫OP4d ago
okay so tell me real quick
Favna
Favna4d ago
we just use node:http
Shrewd 💫
Shrewd 💫OP4d ago
how is auth handled then the whole oauth thing and yes, I am trying to piece again everything
Shrewd 💫
Shrewd 💫OP4d ago
there we go
No description
Shrewd 💫
Shrewd 💫OP4d ago
but yes at least I understood the api one so Im not going to be confused with it Just to make it simple: how does the bot handle oauth when we are to have a website technically responding to it just trying to get myself around to understanding it
Favna
Favna4d ago
1. on the frontend you click a button, link, etc that goes to
https://discord.com/oauth2/authorize?redirect_uri=https%3A%2F%2Fclara-scpf.com%2Foauth%2Fcallback&response_type=code&scope=identify+guilds&client_id=YOUR_CLIENT_ID_HERE
https://discord.com/oauth2/authorize?redirect_uri=https%3A%2F%2Fclara-scpf.com%2Foauth%2Fcallback&response_type=code&scope=identify+guilds&client_id=YOUR_CLIENT_ID_HERE
(I recommend using building it dynamically so you dont hard code a url encoded string: https://github.com/skyra-project/skyra.pw/blob/6e10f6eebc28fdb9b15f28383366b63d3bde08ae/src/utils/constants.ts#L9-L14) 2. The user logs in with Discord 3. Discord sends back the user to https://clara-scpf.com/oauth/callback (a frontend route!! technically this can be anything you want on the frontend, just make sure if you change it you also adjust it in step 1 and the discord dev dashboard) 4. When Discord sends the user back there will be a code in the URL Search params so retrieve it somehow, i.e. https://github.com/skyra-project/skyra.pw/blob/6e10f6eebc28fdb9b15f28383366b63d3bde08ae/src/pages/oauth/callback.tsx#L51-L55 5. Send a POST request to your API with the code value: https://github.com/skyra-project/skyra.pw/blob/6e10f6eebc28fdb9b15f28383366b63d3bde08ae/src/pages/oauth/callback.tsx#L24-L31 6. Store the data somehow in the frontend, that's the users data.
Shrewd 💫
Shrewd 💫OP4d ago
and to understand it: why would we send a post request? is the POST request made so then we can actually receive the identify / guilds information? the bot would fetch those? seeing if I got it right
Favna
Favna4d ago
the POST request gets the user data when discord redirects back you only hav ehte code value nothing else
Shrewd 💫
Shrewd 💫OP4d ago
so as I have said we receive on the front end the code, and the code is later used to send a post request to the bot, and the oauth thing we wrote in index.ts, will handle getting the data that people authorized us to get, thats what the code is for, right? if im again incorrect, then ive got no comment left
Favna
Favna4d ago
you're skipping a step mentally you POST the code to the bot, the bot POSTS the code to discord, discord sends the user data to the bot, the bot responds with user data to the frontend the code is essentially a token you go wrong in forgetthing the bot api is just an intermediately intermediary
Shrewd 💫
Shrewd 💫OP4d ago
and posting the code to the bot.. My API is reversed to api.clara-scpf.com, so we are supposed to send a post call there?
Favna
Favna4d ago
yes
Shrewd 💫
Shrewd 💫OP4d ago
okay then one one one last thing before i die out of exhaustion we can only allow port 2100 to be exposed on localhost, right? so we dont need to expose it to the internet just so our website can use it website is on the same ip
Favna
Favna4d ago
I find it really hard to explain it any other / easier way because I think it really shouldnt be that hard to comprehend "click button redirect send REST request send REST request send response done" how you handle hosting and firewall is on you to handle. That's way too specific to your own hosting and infrastructure.
Shrewd 💫
Shrewd 💫OP4d ago
yeah but we have no reason to share the port with the internet
Favna
Favna4d ago
but you should expose port 80 and 443 as well since they are used by http and https
Shrewd 💫
Shrewd 💫OP4d ago
given the fact only website requires to send a post request yup that is exposed so if nobody needs to see api.clara-scpf.com i can just lock it to localhost correct?
Favna
Favna4d ago
yes
Shrewd 💫
Shrewd 💫OP4d ago
only the website has to use it, thats about it amazing love you @Boomeravna thank you so much i shouldnt come back.... unless i mess it up again but i have understood everything
Favna
Favna4d ago
mind that's not related to OAUTH2 in specific but just REST/infastructure in general
Shrewd 💫
Shrewd 💫OP4d ago
thank you once again @Boomeravna So yes, I am making the code exchange and receiving the data. Thank youuu soooo much. Guess this is the simplest guide someone can ever find. Just need to actually make use of this data, but that will be done later. Thank you again
Favna
Favna4d ago
np

Did you find this page helpful?