
Authentication using RC OAuth2 Module and RC Apps Scheduler

Samad Yar Khan edited this page Jul 5, 2022 · 4 revisions

Authentication in GitHub RC App

Adding OAuth2 to Rocket.Chat App

  • The first step is to set up the OAuth2 client in the Rocket.Chat App - Example.
  • Create a GitHub OAuth App as shown over [here](https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app) and note down the Client ID and Client Secret of the OAuth App. Treat the Client Secret as a credential: it belongs only in the app setting, never in the app's source or repository.
  • The OAuthClient setup adds two settings to the app, which the Rocket.Chat App needs in order to log users in through the GitHub OAuth App. Enter the GitHub OAuth App's Client ID and Client Secret in these two settings.

[Screenshot: the Client ID and Client Secret settings added to the app's settings page]

  • Login uses the OAuth2 authorization code flow against the GitHub API: the user is sent to GitHub's authorization endpoint, and the OAuth2 module later exchanges the code GitHub returns for an access token using the Client ID and Client Secret.
  • A slash command such as /github login can send the user a message containing the login URL. The URL is produced by getUserAuthorizationUrl(user: IUser) on the app's OAuthClient instance, as seen in the authorize method of the GitHub App. Because the URL is bound to that user, send it to the user alone rather than posting it into a shared channel.
  • When the user opens the URL and authorizes the app on GitHub, the OAuth Client Module's internal callback runs and the user's token is saved in the app's persistent storage.
  • We can register our own callback function, which is called after the user has logged in and after the OAuth client's own callback has completed.

Logout User using Scheduler Api

  • Keeping a user's token in the Rocket.Chat App's persistent storage indefinitely is hard to scale to millions of users, and it leaves a long-lived credential at rest on the server.
  • So as soon as the user is authenticated, we schedule a job that deletes the stored token from the server and logs the user out.
  • We register a processor in the app's configuration under a unique ID. This processor runs the deleteOAuthToken method to delete the token.
  • Inside our custom authorizationCallback() we call modify.getScheduler().scheduleOnce(deleteTokenTask) to schedule that processor, so the user is logged out and the token deleted exactly 7 days after login. Note that deleting the stored copy does not invalidate the token on GitHub's side; if the threat model requires it, revoke the token with GitHub as well.
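The custom callback from the first section and the scheduled logout from this section, as an added example that is not code from the GitHub App or from the Apps-Engine. It shows the callback scheduling a one-off job for the registered processor with `when` set to exactly 7 days after login, the processor deleting the stored token (and doing nothing harmful when the token is already gone), and a run of the whole flow offline. The Apps-Engine accessors are replaced by narrow, synchronous stand-in interfaces and in-memory fakes (an assumption made so the code runs under plain Node; the real persistence, scheduler and callback are Promise-based and the callback additionally receives read, modify, http and persis). The processor ID, user, login time and token value are constructed for the example.

```typescript
// Added example, not code from the GitHub App or the Apps-Engine.
// Stand-ins (assumption): the real IOnetimeSchedule has the same { id, when, data }
// shape; persistence and the scheduler are modelled synchronously and in memory.
export interface IUser { id: string; username: string; }
export interface IAuthData { token: string; scope?: string; }
export interface IOnetimeSchedule { id: string; when: Date | string; data?: Record<string, unknown>; }

export interface ITokenStore {        // stands in for the app's persistent storage
  save(userId: string, token: IAuthData): void;
  get(userId: string): IAuthData | undefined;
  remove(userId: string): boolean;    // true only if a record was actually removed
}
export interface IScheduler {         // stands in for modify.getScheduler()
  scheduleOnce(job: IOnetimeSchedule): string;
}

// Unique processor ID registered in the app configuration (name is an assumption).
export const DELETE_TOKEN_PROCESSOR_ID = 'github-app-delete-oauth-token';
export const TOKEN_TTL_MS = 7 * 24 * 60 * 60 * 1000; // exactly 7 days

/** Absolute time at which a token issued at `loginAt` must be deleted. */
export function tokenExpiry(loginAt: Date): Date {
  return new Date(loginAt.getTime() + TOKEN_TTL_MS);
}

/** The one-off job handed to scheduleOnce(): `id` names the processor, `when` is
 *  the deletion time, and `data` carries only the user id, never the token itself. */
export function buildDeleteTokenJob(user: IUser, loginAt: Date): IOnetimeSchedule {
  return { id: DELETE_TOKEN_PROCESSOR_ID, when: tokenExpiry(loginAt).toISOString(), data: { userId: user.id } };
}

/** Custom callback that runs after the OAuth2 module's own callback. The store
 *  write is explicit here so the example is self-contained; the module does it for real. */
export function authorizationCallback(
  token: IAuthData, user: IUser, store: ITokenStore, scheduler: IScheduler, now: Date = new Date(),
): { responseContent: string } {
  store.save(user.id, token);
  scheduler.scheduleOnce(buildDeleteTokenJob(user, now));
  return { responseContent: `Logged in as ${user.username}; this login expires on ${tokenExpiry(now).toUTCString()}.` };
}

/** Processor body for DELETE_TOKEN_PROCESSOR_ID. Rejects malformed job data rather
 *  than guessing a user; a token that is already gone is reported as false. */
export function deleteOAuthToken(jobContext: Record<string, unknown>, store: ITokenStore): boolean {
  const userId = jobContext.userId;
  if (typeof userId !== 'string' || userId === '') {
    throw new Error('delete-token job is missing userId');
  }
  return store.remove(userId);
}

// In-memory fakes used to exercise the flow offline.
export class MemoryTokenStore implements ITokenStore {
  private records = new Map<string, IAuthData>();
  save(userId: string, token: IAuthData): void { this.records.set(userId, token); }
  get(userId: string): IAuthData | undefined { return this.records.get(userId); }
  remove(userId: string): boolean { return this.records.delete(userId); }
}

export class MemoryScheduler implements IScheduler {
  public jobs: IOnetimeSchedule[] = [];
  private processors = new Map<string, (data: Record<string, unknown>) => unknown>();
  registerProcessor(id: string, fn: (data: Record<string, unknown>) => unknown): void { this.processors.set(id, fn); }
  scheduleOnce(job: IOnetimeSchedule): string { this.jobs.push(job); return job.id; }
  /** Run every job whose `when` has passed at `now`, dropping it from the queue. */
  runDue(now: Date): number {
    const due = this.jobs.filter((j) => new Date(j.when).getTime() <= now.getTime());
    this.jobs = this.jobs.filter((j) => !due.includes(j));
    for (const j of due) { this.processors.get(j.id)?.(j.data ?? {}); }
    return due.length;
  }
}

/** Walks one constructed user through login, a check just before the deadline, and the 7-day deletion. */
export function demo() {
  const store = new MemoryTokenStore();
  const scheduler = new MemoryScheduler();
  scheduler.registerProcessor(DELETE_TOKEN_PROCESSOR_ID, (data) => deleteOAuthToken(data, store));

  const user: IUser = { id: 'u-42', username: 'octocat' };                       // constructed
  const loginAt = new Date('2022-07-05T12:00:00Z');                               // constructed
  const token: IAuthData = { token: 'gho_constructed_example_token', scope: 'repo' }; // constructed

  authorizationCallback(token, user, store, scheduler, loginAt);
  const scheduledWhen = String(scheduler.jobs[0].when);
  const ranEarly = scheduler.runDue(new Date(loginAt.getTime() + TOKEN_TTL_MS - 1));
  const stillStored = store.get(user.id) !== undefined;
  const ranOnTime = scheduler.runDue(new Date(loginAt.getTime() + TOKEN_TTL_MS));
  return { scheduledWhen, ranEarly, stillStored, ranOnTime, deleted: store.get(user.id) === undefined, pending: scheduler.jobs.length };
}
```

In the real app the processor goes into the configuration's scheduler processor list under the same ID that `buildDeleteTokenJob` puts in `id`, and the callback obtains the scheduler from `modify.getScheduler()` instead of receiving it as a parameter. Keeping the token out of the job's `data` matters: job records are stored and readable independently of the token store, so the job should reference the user, not carry the credential.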
