We currently have a usecase in two coops where we’d like to configure an SSO via Foodsoft to a webshop of a potential supplier. The supplier wants our members to order directly in their system. I thought their developer could create a “login via Foodsoft” option, so our members don’t have to create another account there manually.
The supplier webshop should be able to read:
full user name
user e-mail
user ID
ordergroup name
ordergroup ID
I’d need to send the Foodsoft API spec to their developer.
Or perhaps @mortbauer could you tell me where I can find the code used for the Discourse SSO (login via Foodsoft) so I can forward it as an example? I can’t find it on Github.
root@01fc097ce1fd:/app# RAILS_ENV=test bundle exec rails rswag
/usr/local/bin/ruby -I/usr/local/bundle/ruby/2.7.0/gems/rspec-core-3.12.2/lib:/usr/local/bundle/ruby/2.7.0/gems/rspec-support-3.12.1/lib /usr/local/bundle/ruby/2.7.0/gems/rspec-core-3.12.2/exe/rspec --pattern spec/requests/\*\*/\*_spec.rb,\ spec/api/\*\*/\*_spec.rb,\ spec/integration/\*\*/\*_spec.rb --format Rswag::Specs::SwaggerFormatter --dry-run --order defined
DEPRECATION WARNING: swagger_root= is deprecated and will be removed from rswag-api 3.0 (use openapi_root= instead) (called from block in <main> at /app/config/initializers/rswag_api.rb:6)
DEPRECATION WARNING: Rswag::Ui: WARNING: The method will be renamed to "openapi_endpoint" in v3.0 (called from block in <main> at /app/config/initializers/rswag_ui.rb:10)
DEPRECATION WARNING: swagger_root= is deprecated and will be removed from rswag-specs 3.0 (use openapi_root= instead) (called from block in <top (required)> at /app/spec/swagger_helper.rb:9)
DEPRECATION WARNING: swagger_docs= is deprecated and will be removed from rswag-specs 3.0 (use openapi_specs= instead) (called from block in <top (required)> at /app/spec/swagger_helper.rb:17)
DEPRECATION WARNING: swagger_format= is deprecated and will be removed from rswag-specs 3.0 (use openapi_format= instead) (called from block in <top (required)> at /app/spec/swagger_helper.rb:514)
Generating Swagger docs ...
Swagger doc generated at /app/swagger/v1/swagger.yaml
Finished in 0.01514 seconds (files took 2.26 seconds to load)
141 examples, 0 failures
with docker cp foodsoft_foodsoft_1:/app/swagger/v1/swagger.yaml . I copied from the dev container to my local environment.
swagger.yaml.txt (39.0 KB)
(remove the .txt, as discourse doesn’t allow .yaml files )
foodsoft-shop does indeed use OAuth. As a client-side app, it does not expose the token to any server-side component. I think Doorkeeper (the component handling the auth at the Foodsoft side) should support various authentication flows / grant types, though I don’t know by head what is configured by default.
That one is certainly for logging in to Foodsoft via Discourse. Allegedly also the other way around, but I don’t understand in the code which is for what direction.
Yeah, that’s not applicable in our usecase.
I’m not sure what you mean. Are you talking about authentication via Foodsoft to Foodsoft-Shop using OAuth?
foodsoft-shop is a client-side application talking to the Foodsoft API. It needs a token to be able to work with the Foodsoft REST API. For that, it uses OAuth to let the user login with Foodsoft (redirect to Foodsoft login, then redirect back to foodsoft-shop while supplying a token, this is part of OAuth). You could use this approach to give the supplier access to the user endpoint, so it can get details about the user (you specify scopes to limit access to the read-user related endpoints).
So this is authentication by Foodsoft, with foodsoft-shop getting access to the APIs.
(regarding the swagger)
You can download the swagger file, and modify the endpoint. This needs to include the foodcoop id, so each foodcoop basically has its own swagger file (that might be a reason that the currently server swagger UI doesn’t work, but I haven’t looked into it).
You could host this modified swagger file yourself somewhere, and reference the swagger URL e.g. in https://petstore.swagger.io/ to play with it.
I’m really having trouble doing that. I tried to host it on NextCloud, Dropbox, and WordPress, but it always gives me a CORS error. I tried two WP plugins to enable CORS, but it persists.
#### Fetch error
NetworkError when attempting to fetch resource. https://foodcoops.at/wp-content/uploads/2024/09/Foodsoft API swagger documentation.yaml?_t=1727354301
#### Fetch error
Possible cross-origin (CORS) issue? The URL origin (https://foodcoops.at) does not match the page (https://petstore.swagger.io). Check the server returns the correct 'Access-Control-Allow-*' headers.
I looked at the scopes on localhost and don’t see any way to get the ordergroup ID/name of the logged-in user. So that’s not implemented yet?!
Regarding CORS, yes, it needs to have CORS enabled to be able to be read. Sorry to hear that is such a hassle. What if you use a proxy that enables CORS for you? E.g. you could try
And using it in the petstore, I see that there are server variables now, so we could make this work with a statically hosted version as well, making the foodcoop id (and server) a variable. Yay!
I looked at the scopes on localhost and don’t see any way to get the ordergroup ID/name of the logged-in user. So that’s not implemented yet?!
So no, I think the transition to rswag really helped us to upgrade Rails and friends, but I think that serving the swagger file became broken.
I’m sorry ho hear that the there’s now problems with the swagger file. Maybe we can aggregate all the findings in #998 and I’ll try to find a fix in the near future™