feat: API to login and get user username, name and email

[stephanegigandet]

This is to address #7361 so that the Flutter app can get the username and name of an user who authenticated with an email address.

but it could also be a step to have a more uniform handling of errors in the API (specifically errors related to users not identified or bad logins and passwords supplied).

I'm proposing that we extend the /cgi/auth.pl API which currently:

• checks if an user is identified (either through a session cookie on the *.openfoodfacts.org domain, or by passing user_id and password)
• returns a 200 status code if the user is logged in, or a 403 otherwise

The extension would be to add a JSON body:

• when the user is logged in:

{
    "status": 1,
    "status_verbose": "user signed-in",
    "user": {
        "email": "my email",
        "name": "Stéphane Gigandet"
    },
    "user_id": "test2"
}

• when the user is not logged in:

{
    "status": 0,
    "status_verbose": "user not signed-in"
}

With the proposed code, this behaviour would only apply to /cgi/auth.pl

But we could decide to extend it to all other API calls (e.g. product edit). If invalid userid / password are supplied, we return a JSON body to explain why (instead of returning an HTML content today).

I think we could keep the existing status: 0 that we have in most APIs I think (get and search product, product edit, auth), and maybe add an "error" id + and "error_message" in the language requested.

cc @VaiTon @M123-dev @monsieurtanuki @g123k

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!   

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

No Coverage information
No Duplication information

[M123-dev]

I love the response body, as long as the Status Codes don't change and so break the older versions I really like this feature.

Same goes for the other api calls. It will be a relieve if we can just foreward a consistent error to the sdk user instead of manually parsing the html and extracting errors out of it. Especially if the messages are translated.

[alexgarel]

@stephanegigandet would you add it to the api.yml file ?

[stephanegigandet]

@stephanegigandet would you add it to the api.yml file ?

Yes, I wanted to discuss it a bit before writing the documentation.

[hangy]

What's the integration story for Ory's Hydra & Kratos? It seems like there might be some feature overlap with OIDC profile claims.

[alexgarel]

What's the integration story for Ory's Hydra & Kratos? It seems like there might be some feature overlap with OIDC profile claims.

We might take info from Ory Kratos when it's integrated, but it will take some times.

[alexgarel]

LGTM.

Maybe, if you can, document before merging :-) (or after then)

[monsieurtanuki]

Cool feature! Ready to implement it on off-dart when it's merged here.