Improvements to Talawa

[varshith257]

Current Goals:

• Implementing modern web frameworks for talawa-api as backend framework such as fastify or hono.
• Migration of Apollo Server to graphql-yoga
• Implementing strict and standard authentication system for talawa using passport.js
• Implementing standard and industry best practice authorization using casl/oso/casbin to control access to resources based on the user's identity and permissions (admin, super-admin, user)

Moving our backend framework from express to modern frameworks like fastify or hano adheres to current industry practices and adapting new technologies and tools to our project. Let's go step by step implementing the features you suggested, the above suggestions are really amazing for incorporating the latest technologies into our project.

1. Let's go with Fastify for the backend framework as its main aim is to support Typescript community and which lacks the same in hano. Fastify has LTS and has shown to be significantly faster than Express in terms of request throughput and response time and has same features as Express support
2. I think we can use the passport.js which is widely using the library to offload this authentication work instead of relying on third-party providers.
3. For authorization let's go with Casl as it provides the flexibility of implementing in frontend and backend, we can use casl in Talawa-Api and use the packRules and unpackRules function in @casl/ability/extra to transfer the necessary rules to Talawa-Admin. We can go with standard authorization logic that also supports security features and is currently the most used in the industry.OSO integration makes a larger learning curve and learning polar and makes difficult in integration.

@xoldyckk What's your thoughts on this

Plan of Approach :

Here's a breakdown of the major steps and sequencing for the above tasks :

Fastify Integration:

• Major Steps:

1. Setup Fastify as our backend framework instead of express server as it is a modern web framework and has LTS for TypeScript Community and a widely used framework and also has an integrated logging feature
2. It will require major changes in setup files like index.ts, app.ts etc... Will require Incremental migration from Express to Fastify to restore functionality as same as the express and to ensure compatibility.

References:
https://fastify.dev/docs/latest/Reference/TypeScript/
https://blog.appsignal.com/2023/06/28/migrate-your-express-application-to-fastify.html

GraphQL-Yoga Integration:

• Major Steps:

1. Once fastify is restored as the backend framework, we can easily integrate graphql-yoga as @xoldyckk mentioned with related changes of graphql-yoga with the current Apollo Server and with fastify integration of graphql-yoga.
2. Remove all functionalities and packages of express. If needed we can use modern alternative packages

References:
https://the-guild.dev/graphql/yoga-server/docs/integrations/integration-with-fastify

While authentication and authorization are logically separate concerns, they often depend on each other. Authentication is a prerequisite for effective authorization. Coordination between the authentication and authorization aspects is crucial.

Authentication

Passport.js is a great choice for our project because it is easy to use and provides a lot of flexibility. It is also well-maintained and has a large community of users. Passport.js supports a variety of authentication strategies, including local username and password authentication, OAuth, and JWTs.

1. Improve authentication logic in auth.ts using Passport.js node middleware for standard authentication as we currently using JWTs.
2. Integrate Passport.js middleware into API routes to handle authentication.

Authorization:

• Major Steps:

1. Remove scattered imperative authorization logic and replace it with calls to the centralized Casl abilities.
2. Centralize and enhance authorization logic using Casl for handling authorization logic on the API side.
3. Define rules and policies using Casl to control access to resources based on the user's identity and permissions (admin, super-admin, user)
4. We can use casl in Talawa-Api and use the packRules and unpackRules functions in @casl/ability/extra to transfer the necessary rules to Talawa-Admin. We can go with standard authorization logic that also supports security features and is currently the most used in the industry.
5. Document the defined authorization rules, roles, and permissions.
6. Though Oso is suitable for complex authorization logic has a longer learning curve and takes integration difficulties to implement polar rules.

@palisadoes @xoldyckk @disha1202 Here's the discussion for our ongoing discussions for improvements for Talawa.

[pranshugupta54]

Discussion reference - here

[pranshugupta54]

Authorization

Since we're revamping the structure and upgrading the Authorization:
We should focus on another feature here itself of roles. It's crucial for the platform, especially considering the future need for user roles within Organizations, whether they're custom or default. Currently, our userType field is causing issues, particularly with Organizations. To address this, I propose embedding an role-based Org schema within the User schema.

Example:

Sample:

const PermissionSchema = new Schema({
  canView: { type: Boolean, default: false },
  canEdit: { type: Boolean, default: false },
  // Add more permissions as necessary
});

const RoleSchema = new Schema({
  name: String,
  color: String,
  permissions: PermissionSchema
});

const OrganizationRoleSchema = new Schema({
  isApproved: Boolean,
  isBlocked: Boolean,
  organization: { type: Schema.Types.ObjectId, ref: 'Organization' },
  role: { type: Schema.Types.ObjectId, ref: 'Role' }
});

const UserSchema = new Schema({
  username: String,
  email: String,
  organizations: [OrganizationRoleSchema]
});

So, for every feature on the platform, we'll check if they have the permission to access it. Just bcuz we are implementing Casl, along with it we can have custom/default roles too. We can use those roles along with API calls to check the access using casl.

Example:
Orgs:

  const techInc = await Organization.create({ name: 'Tech Inc.' });
  const marketingCo = await Organization.create({ name: 'Marketing Co.' });

Roles:

const adminRole = await Role.create({
    name: 'Admin',
    permissions: { canView: true, canEdit: true }
  });
  const memberRole = await Role.create({
    name: 'Member',
    permissions: { canView: true, canEdit: false } // maybe createEvents, attendEvents
  });

Users:

const user1 = await User.create({
    username: 'user1',
    email: '[[email protected]](mailto:[email protected])',
    organizations: [
      { organization: techInc._id, role: adminRole._id },
      { organization: marketingCo._id, role: memberRole._id }
    ]
  }); 

[xoldd]

Custom roles and permissions? I don't think right now is the appropriate time for this. This is a very complex feature to implement correctly.

[pranshugupta54]

I agree it's very complex but thats the base of the platform. For future we'll surely need roles and permissions but it won't be possible for us to implement later. Since we're implementing Authorization now, permissions and roles can be handled together.

[palisadoes]

1. We need to focus on getting the core features working. Just getting the existing roles working and reintegrated into develop will be a big task in the next week or two.
2. What guarantees will there be that it will actually be implemented? We need to have projects with a reasonable chance of success by having a reasonable scope. It's better to stage the changes with a credible plan than just creating code snippets. The develop branch is constantly under modification, so there is the need to coordinate. Upgrading mongoose from v5 to v8 took 2 months and a 2 day merge freeze.

It has taken use 3 years to finally figure out how to implement the existing roles properly, mostly due to an oversight in the schema that took some time to get the rectification kickstarted

I'm not saying no, but there needs to be a plan that has a high chance of success.

[DMills27]

I only see higher and higher levels of technical debt happening from an implementation such as this. At the end of the day, what we need is a functioning application that also makes it easy for any individual that interested in making open source contributions to it. We need to get down to brass tacks.

[xoldd]

Fastify and graphql-yoga are already discussed.

For authentication lucia auth should be used, passport.js seems abandoned. Some considerations:-

1. It should be session based. Jwt token based authentication is very hard to implement correctly and maintain. Since talawa api is a monolith, for now sessions will work just fine. Session cookie in browser and session token in mobile. If cookies are possible to implement in the mobile app that should be preferred and tokens should be ditched all together. Lucia auth only supports session based authentication.
2. Session should have a generous expiration duration, 1 week at the very least. This session expiration time would be configurable by superadmins. This is not something to be stored in database btw, this information is provided at the time of deployment of the application.
3. An endpoint for refreshing/extending the session should be exposed. Both the admin and mobile applications will call this endpoint on first boot to refresh/extend their sessions. A frequent user would get their session refreshed and wouldn't have to authenticate themselves manually. A user that hasn't opened the application in a long time(more than session expiration time) would have to sign in again. A situation in which a user has left their application open for more than the expiration duration(more than the session expiration time) is an anomaly that could occur in both desktop and mobile apps in rare cases. In this case for simplicity the user would have to sign in again.
4. Sessions for recently accessed users should be cached on server using smart caching and eviction strategy for user sessions. Though the original source of truth for sessions will always be the database. This means that mutations to entities would have to handle corresponding cached session data.

Again since talawa api is a monolith, for authorization something like casl could work just fine. One issue is that authorization isn't simply about roles and attributes, it's also about relationships and inheritance(direct or indirect) which oso is really good modeling at(but overkill for talawa api). In those cases more data from the database would be required to make authorization decisions. Once again, this would need smart caching and eviction strategies so that authorization data that is accessed frequently doesn't have to be fetched from database each time the same decision has to be made. Mutations to entities would have to handle corresponding cached authorization data.

The final crutch is mongoose and mongodb and mongoose, the latter in particular.

Mongodb has no strict schema and a bad relational model. It leads to contributers making horrendous database designs without much thought put into it which just leads to technical debt. Anyway I don't want to go on a rant here so I'll stop. Mongodb can be made less painful with a proper ORM on top of it. One thing to realize is that using an ORM makes any database less performant, and since mongodb is already so slow at resolving data across many collections there are noticeable runtime costs, something to be aware of.

Coming to mongoose, I don't think the codebase can be seamlessly type safe and error free with it. I recently noticed that it doesn't even complain if we try to populate(similar to joins in SQL) an invalid field that doesn't exist in the mongoose schema. This error can't be caught by typescript and it lets bad code enter the codebase without proper inspection. Typescript is a tool developed to ease the work of catching bugs at compile time, using non type safe tools like mongoose is anti typescript. It returns the any keyword for everything which is the bane of all typescript developers. any is the same as having no type at all. Mongoose should be replaced with a better alternative like prisma or microorm.

[pranshugupta54]

How about Supabase? I think it has Authentication + Authorization so we can have both in one

[xoldd]

Yeah once again, it's the talk about owning all data or offloading it to third party providers. Let's wait to see what the others have to say.

[pranshugupta54]

We can self-host Supabase:

https://supabase.com/docs/guides/self-hosting

[xoldd]

@pranshugupta54 as @palisadoes mentioned here #1997 (comment) the point is to not have dependency on many third party providers if it is doable without them.

[xoldd]

#1997 (comment)

[palisadoes]

From @DMills27

From my understanding, Fastify seems to have a much steeper learning curve than Express due to its plugin architecture and support for async/await. It's marketed as "faster" but in what sense? Rather than risking increasing the level of technical debt in the API, we should first verify if Fastify is indeed suitable for our use case. I suggest to code a simple mock-up of the aspects which you believe it will surpass Express in and then benchmark the stress tests for these aspects. In order words, I want to see the results of comparing Fastify vs Express. It may not be worth it in the long or short run to rewrite so much of the codebase just to shave off a couple of milliseconds.

#952 (comment)

[varshith257]

,

[xoldd]

#1997 (comment)

[palisadoes]

@varshith257

We are going too fast making assumptions with fastify without verification.

[varshith257]

@palisadoes As @DMills27 mentioned i am working on benchmark and stress tests of fastify. Currently we are in planning phase. I will update it on.

[xoldd]

#1997 (comment)

[palisadoes]

We have tried using cloud services in the past for various services and it is too much of a headache for our developers, end users and the Foundation.

1. Firebase configuration required us to hard code credentials into the mobile app. That's fine for a cloud service that can pass through the cost to the end user or advertisers. For an open source project it's not that easy. Questions that come up are:
   1. Who's credentials should be used?
   2. How will they get reimbursed?
   3. Will open source users want to pay to use open source software to cover the costs?
   4. Can we easily add the service to our configuration setup scripts for the end user?
   5. How will we provide support for the cloud service features as an open source project?
2. We have had similar issue with reCAPTCHA configuration and testing.

[xoldd]

#1997 (comment)

[palisadoes]

@DMills27 This was the rationale for selecting fastify

• Refactoring the Image file utilities  #952 (comment)

[DMills27]

Expressjs and related packages are also mostly useless and a liability

I don't really understand this line of thought. How is it a liability? Care to elaborate @xoldyckk

[xoldd]

#1997 (comment)

[rishav-jha-mech]

Unpopular opinion, why are we even using Express JS ?,

For everything we need to install a package which becomes deprecated after sometime and then again we search for a newer package and the cycle goes on and on.

What if we use Django ?

1. File uploads - Supported, no need to install another package for it, and again easily configurable to support file uploads to AWS S3
2. GraphQL - We can use GraphQL with Django with the help of graphene_django package
3. User Permissions - Django has an inbuilt user permissions feature which is much advanced and customisable
4. Rest API, Authentication, O Auth Integraton - Supported
5. Admin UI - Already in built Customisable Admin UI
6. Inbuilt ORM - Recently I saw there were discussions going on about the usage of PostgreSQL in our project, with Django's inbuilt ORM, it can easily integrate with these databases like PostgreSQL, MariaDB, MySQL, Oracle, SQLite

Also by default it supports SQLite database, so no need to setup MongoDB, also if we really want to use MongoDB, it can do that as well. SQLite3 is a file system based database, so no need to host it somewhere separately on cloud.

7. Inbuilt security features - against SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), clickjacking, etc .
8. AI and ML: Since Django is a Python framework, we can easily integrate its ML libraries with our backend.
9. Community support - It is there since approx. 20 years, the community support is great, It is there even before Node JS was first released.
10. Excellent Documentation - With code snippets and examples for almost every use case

While Django supports every use case of ours, there are some important considerations also,

1. It's written in Python, although its easier to learn and debug, it will have its own learning curve, also it isn't type safe.
2. Migrating our entire backend to Django will not be an easy task, there will be a lot of things we will need to do, and it will take time

TLDR; If we really want to change our backend framework, we can think of Django, despite the initial efforts, it will really be fruitful in the longer run.

[xoldd]

@rishav-jha-mech because having the same language for the whole project means less friction and better maintainability. Though for some reason flutter was chosen instead of react native for the mobile application.

[rishav-jha-mech]

I totally agree with this, yes we should have used React Native instead of flutter for our mobile application.

The reason why i suggested Django is because it is complying with all our use cases and ends the debate about this or that package because of the batteries it includes, but there's a con as well, then language problem which you mentioned will cause friction.

[palisadoes]

I know there is concern about the framework. Is there agreement on this?

1. lucia - for authentication
2. casl - for authorization

[pranshugupta54]

lucia - comment

[xoldd]

#1997 (comment)

[varshith257]

@DMills27 Thanks for your careful consideration of the potential challenges associated with migrating to Fastify. I acknowledge for this considerations

But our migration goal is not just to save milliseconds about response and latency but to enhance the overall efficiency and maintainability of our codebase in the long run. The migration decision is being approached with a focus on the long-term value and benefits that Fastify can bring to the Talawa API and to get rid of the third-party packages utilized to support the express.

Here's why Fastify over Express:

1. Express has been the standard choice for building REST APIs with JavaScript or TypeScript. But Express hasn’t seen any major updates or new features in years, with its website last being updated in 2017. It misses out on years of performance enhancing updates and concepts.
2. Express wasn’t designed with TypeScript in mind and requires a separate types package to work with it. Despite this, you will still encounter lots of any errors and currently it's a pain point in Talawa-Api and has a long wait to resolve this issue in our codebase.

• API: GitHub Action Required: Fail on detection of eslint-ignore statements #1726

3. Express does not provide built-in support for features such as request validation, serialization, and deserialization.

Why Fastify?

Fastify is a modern alternative to Express. It shares a similar syntax with Express, so most of our Express knowledge will still apply to Fastify. With @fastify/express package, we can even use any express middleware module with fastify. Fastify is the most similar to express out of the alternatives and It’s the easiest to switch to and can use to get instant performance and DX improvements.

Support to TypeScript Community
Fastify aims primarily to support the TypeScript community and has active LTS as our codebase is in TS. Fastify has built-in support for modern JavaScript /Typescript features

Faster Performance

Fastify was designed to be fast from the ground up and use fewer system resources, so it handles more requests per second compared to Express. In the future when we go to auth requests etc.. It will show an impact on performance and scalability Although Express is a more mature framework with a larger community and a more comprehensive ecosystem of third-party packages, we are trying to eliminate dependency on this packages in our codebase for better maintainability.

Plugin Architecture

Fastify also provides a powerful plugin system that can easily add custom functionality. Many official plugins handle things like authentication, validation, security, database connections, rate-limiting, etc. There's also a growing ecosystem of third-party plugins that can be integrated and we can easily create our own plugins. Express is extensible through middleware functions injected into the request/response processing pipeline to modify its behavior. Still, they are tightly coupled into the framework and less flexible or modular than Fastify's approach. Plugins in Fastify are also encapsulated by default, so we don't experience issues caused by cross-dependencies.

Security:
Safer by Default
Security is a critical consideration when building web applications, and Fastify provides several built-in security features, such as:

1. automatically escaping output
2. input validation
3. preventing content sniffing attacks
4. protecting against malicious header injection

Its plugin system also makes it easy to apply additional security measures to our Talawa. On the other hand, Express relies more heavily on middleware to handle security concerns. It does not have built-in validation or schema-based request handling, although several third-party packages can be utilized for this purpose making more fluffy the codebase

Built-in JSON Schema Validation

In Fastify, JSON schema validation is a built-in feature that allows to validate the payload of incoming requests before the handler function is executed. This ensures that incoming data is in the expected format. In contrast, Express does not provide built-in support for JSON schema validation and relies on third party packages this requires additional setup and configuration.

A Built-in Logger

Fastify provides a built-in logging mechanism based on Pino that allows to capture various events in API. Once enabled, Fastify logs all incoming requests to the server and errors that occur while processing requests. It also provides a convenient way to log custom messages through the log() method on the Fastify instance or the request object.

As we can see, Fastify offers numerous advantages over Express, making it a compelling option for modern web applications. I doesn't oppose the Express but why can't we grasp this features of Fastify into our Talawa and make improvements to go for modern frameworks of worth exploring and go for industry opinions

Note
Using the @fastify/express plugin is the quickest way to get existing Express working with Fastify. The plugin adds full Express compatibility to Fastify so that we can easily use any Express middleware with Fastify instance, and it will just work with no changes required.

I agree with your emphasis on fastify has a steeper learning curve due to its plugin architecture and support for async/await. However, once we get familiar with Fastify's API, it can be just as easy to use as Express and documenting them can be easily understandable by our contributors who has an understanding in what express do.

@palisadoes @xoldyckk @DMills27 @rishav-jha-mech @SiddheshKukade @EshaanAgg @noman2002
Your suggestions and considerations are greatly appreciated

[varshith257]

The obvious choice could be Prisma , It presents a type-safe and user-friendly approach

[adi790uu]

This is not my area of expertise, so keep that in mind with this question.

Over the years Mongo has been criticized about its lack of RDBMS features for Talawa's needs. Is there a Typescript framework that can handle both noSQL and SQL databases to ease the transition if a migration becomes necessary?

Prisma is a great option for this and it is easy to use as well.

[varshith257]

@palisadoes Same has been stated by @xoldyckk :

The final crutch is mongoose and mongodb and mongoose, the latter in particular.

Mongodb has no strict schema and a bad relational model. It leads to contributers making horrendous database designs without much thought put into it which just leads to technical debt. Anyway I don't want to go on a rant here so I'll stop. Mongodb can be made less painful with a proper ORM on top of it. One thing to realize is that using an ORM makes any database less performant, and since mongodb is already so slow at resolving data across many collections there are noticeable runtime costs, something to be aware of.

Coming to mongoose, I don't think the codebase can be seamlessly type safe and error free with it. I recently noticed that it doesn't even complain if we try to populate(similar to joins in SQL) an invalid field that doesn't exist in the mongoose schema. This error can't be caught by typescript and it lets bad code enter the codebase without proper inspection. Typescript is a tool developed to ease the work of catching bugs at compile time, using non type safe tools like mongoose is anti typescript. It returns the any keyword for everything which is the bane of all typescript developers. any is the same as having no type at all. Mongoose should be replaced with a better alternative like prisma or microorm.

[akhilender-bongirwar]

Prisma would be better option IMO for this.

[xoldd]

#1997 (comment)

[varshith257]

@DMills27 Here's the results of benchmark and the stress tests to compare Express server and Fastify server. I used benchmarking tool Autocannon to this.

I used two approaches to compare. One with simple test to fetch requests :

Hello World Scenario:

Fastify Results:

Express Results:

Let’s look at the average requests that Fastify has succeeded to serve it, It succeeded to serve about on average, 50,000 requests, which is a lot and I think, the speed is about two and a half times faster than what we had with Express.

Another Test with MongoDB

Fastify Results:

Express Results:

By comparison, Fastify delivered the 99th percentile in two milliseconds with an average of approximately 8800 requests per second and it served about 86K results.

Fastify claims that they’re the fastest framework around. I can say that currently, they’re right.

[DMills27]

Again, you're considering extremely simple interactions that give me no useful information on the merits of Fastify for the more complex and nuanced features that Talawa has. Doing a "Hello World" program tells me nothing. Why don't you create a mockup of what's in the actual Talawa code? This task should take you 2-3 days if done correctly.

[DMills27]

Additionally, I think you should do some research on what stress testing actually is. Having 10 concurrent connections is not useful for gaining any insights whatsoever. As I said before, take some time and actually look at the Talawa codebase and mock up some of what's already there to see if Fastify is indeed feasible.

[varshith257]

Additionally, I think you should do some research on what stress testing actually is. Having 10 concurrent connections is not useful for gaining any insights whatsoever. As I said before, take some time and actually look at the Talawa codebase and mock up some of what's already there to see if Fastify is indeed feasible.

@xoldyckk Any insights on this?

[varshith257]

@xoldyckk Any suggestions and considerations here

[xoldd]

#1997 (comment)

[varshith257]

Inbuilt ORM - Recently I saw there were discussions going on about the usage of PostgreSQL in our project

@palisadoes As @rishav-jha-mech mentioned are there any plans to using of PostgreSQL?

[palisadoes]

1. He was proposing Django and probably just listed all features mentioned on their website.
2. Before we consider migrating from Mongo we need to carefully evaluate the pros and cons with respect to any proposed replacement. Like @DMills27 said, we must not be seduced by the latest fad trend. We don't have any known production uses of Talawa, so now is the time to cement the architecture, but not without serious analysis.

Any open source system we propose to migrate towards needs be not just sufficiently speedy and feature rich, it must also have the backing of a consortium of corporations using it. We have suffered from using code that was quickly deprecated or abandoned. I'd greatly prefer to use a suite of libraries that are a little more boring but highly unlikely to fail for the previously mentioned reasons.

[xoldd]

#1997 (comment)

[palisadoes]

Though there may be faster packages than those we use now, most Talawa users will be small non-profits doing only a few dozen interactive transactions per minute for administration and a few hundred per minute across the API instance. Saving a few milliseconds per transaction that could be unnoticeable at the risk of adopting a risky framework needs to be considered.

[Anubhav-2003]

Respected sir,

Since the long term goal of Talawa is to be a social media platform for community organizations. I believe that we should focus more on the 'multimedia aspect of it with Real-time Communication' to increase our user engagement. And rather than limiting ourselves to small non-profit organizations, focus on being an open source alternative to regular social media in general, which can be used by just about any organization. I believe that improving the current mechanism of 'Posts', as well as adding new features for interactivity like short reels, and support for conference calls among members of the same organizations can help us go a long way to achieve the goal of being a social media of organizations.

This would definitely require low latency implementation of these features for which 'Typescript' is not optimal. We can use 'c++' or 'rust'. I am not saying we need to implement it right away, but we can think about it. Further, a lot of the features currently in our API are heavily interlaced and dependent on each other, with redundant code at the level of individual resolvers, which I think is not optimal, as the size the organization grows. Almost everything is handled by GraphQL, which is inherently not optimal to do a lot of things.

I believe that any new feature that we may integrate in the API, must be abstracted and encapsulated within a dedicated section of the API, which should just expose an interface to interact with, and should be a black box to the rest of the API. This would particularly be beneficial in an opensource setup, as any error that might occur in that particular feature, would be known to be isolated within that section. And debugging it for new contributors would be easier due to the known location.

Currently, even a simple change of name of a function leads to an unnecessary cascading effect of changes in dozens of files, further tracking down every file where a particular function might have been used is also a method of hit and trial, as everything is interdependent. We may not implement these right away, but we can start thinking in that direction.

Thank You.

[varshith257]

Further, a lot of the features currently in our API are heavily interlaced and dependent on each other, with redundant code at the level of individual resolvers, which I think is not optimal, as the size the organization grows. Almost everything is handled by GraphQL, which is inherently not optimal to do a lot of things.
I believe that any new feature that we may integrate in the API, must be abstracted and encapsulated within a dedicated section of the API, which should just expose an interface to interact with, and should be a black box to the rest of the API

This is where we can think of the fastify plugins feature for creating custom plugins. Plugins in Fastify are also encapsulated by default.
@xoldyckk Any thoughts on this?

[palisadoes]

As @xoldyckk stated before, this is out of scope of this discussion. Please create another discussion for this.

This discussion is focusing on improving the stability and maintainability of the code base.

[palisadoes]

The greater immediate risk looks like the inconsistent auth. That is where our efforts should be focused. A robust set of packages used or backed by Fortune 500 or Global 1000 type tech companies provides much greater comfort.

We need to select something that should only require point release upgrades in future versus a forklift replacement. We are a volunteer community with limited human capital to do the work.

[xoldd]

#1997 (comment)

[varshith257]

As I earlier mentioned, our migration goal is not just to save milliseconds about response and latency but to enhance the overall efficiency and maintainability of our codebase in the long run. The migration decision is being approached with a focus on the long-term value and benefits that Fastify can bring to the Talawa API and to get rid of the third-party packages utilized to support the express that packages may be deprecated or abandon and can safely eliminate them in our codebase. We can use fruitful plugins support of fastify instead, that has LTS for Typescript Community

[palisadoes]

Is the rationale for using fastify because it's what yoga supports, while express is what apollo supports? This isn't explicitly stated.

[varshith257]

Is the rationale for using fastify because it's what yoga supports, while express is what apollo supports? This isn't explicitly stated.

It isn't the case, yoga has support to all frameworks whether it is fastify or express or hono.

[palisadoes]

What about the my LTS and express package questions?

[varshith257]

Sorry, I didn't see it I viewed it from mobile.

1. Express has been the standard choice for building REST APIs with JavaScript or TypeScript. But Express hasn’t seen any major updates or new features in years, with its website last being updated in 2017. It misses out on years of performance-enhancing updates and concepts.
2. Express wasn’t designed with TypeScript in mind and requires a separate types package to work with it.
3. Despite this, we will still encounter lots of any errors and currently, it's a pain point in Talawa-Api and has a long wait to resolve this issue in our codebase.

Fastify stated their main aim is to support the Typescript community .

This is the rationale why @xoldyckk mentioned fastify and I also have done some research on this and agreed with him and why prefer fastify have stated clearly here #1997 (comment)

[xoldd]

#1997 (comment)

[xoldd]

Please don't make so many pointless threads for discussion, try keeping it to as few threads as possible so it's easier to track the conversations.

#1997 (comment)

Nobody's choosing fastify for its advertised speed(which is a real thing and not a hoax), it is just an added benefit. Here's the most reputed benchmarks for frameworks across programming languages if someone still wants to check.

Express doesn't work well with promises(async/await) which is the standard for concurrency in javascript. This is because it was written in an era when promises weren't standardized. It is based on callbacks instead of promises. Fastify has first class support for both promises and callbacks.

Express doesn't work well with esmodules which is the standard for modularising javascript code(splitting code between files). Esmodules are supported both on browsers and servers which makes the javascript code isomorphic and reusable across environments. Technically this isn't beneficiary because talawa api is seperated from any frontend code but still it needs to be done because all modern javascript tooling is written in esmodules syntax.

Express Isn't backed by any corporations or sponsors. It doesn't have active maintainers. Express.js v5 has been in a sad state since its proposal back in 2015. Fastify is backed by corporations and sponsors. It is actively maintained by people well known in the javascript ecosystem.

DefinitelyTyped is a github repository which hoards types for js packages that don't provide typescript support by themselves, all @types/ packages listed in package.json are downloaded from there. Express was written in vanilla javascript in an era when typescript wasn't the standard and as such it doesn't have first class typescript support. A seperate @types/express package is installed for express typescript compatibility and it too has compatibility issues.

I haven't provided sources for all these because most people active in the javascript ecosystem already know all this. Most javascript ecosystem has moved off to serverless platforms so backend javascript frameworks aren't as prevalent anymore. But since the requirement here is a good backend javascript framework, fastify and nest.js are the only mature alternatives. Nest.js under the hood itself uses express.js and fastify and provides option to use one or the other, it's only there to bring order to the codebase using class based components, which imo are just a fad. So, basically fastify is the only mature solution for developing a monolithic backend service in javascript while also being customizable.

#952 (comment)

@DMills27 talked about the big amount of disruption this would cause in the codebase. This is completely false. Most of the codebase is abstracted behind graphql which has nothing to do with what web framework is being used. Same goes for the the graphql engine as the graphql code is written in a way that makes it compatible with any graphql engine. Both the http framework and the graphql engine can be swapped out with alternatives quite easily.

Idk what he meant by async/await being complex as that is the standard way to do concurrent tasks in javascript, it is not additional complexity, it is already present in the codebase.

If fastify's plugin architecture is a problem then other frameworks like hono should be considered.

#1997 (comment)

Yes that is why I don't think third party providers for authentication make sense here. Mongodb is already a third party database provider here. The goal is to have as less third party providers as possible, so that the amount of extra costs someone hosting talawa api has to pay is lower.

#1997 (comment)

These companies either have their own solutions for this that they've built from scratch or they use some authentication as a service provider. A production level authentication system providing solution for all possible use cases while being easily to integrate in the business logic is not something that can be provided as a library. For this use case authentication has to be decoupled and ran as a seperate service.

#1997 (comment)

Yes, I do think lucia is the best option in javascript ecosystem right now to have a good authentication system that could be easily integrated in the codebase. It supports sign in using email/password, oauth openid connect(single sign on) and has plans to support webauthn(passkeys) in the future.

Casl is a decent choice and the only choice for a authorization library in javascript ecosystem as far I'm aware. Oso's polar language is one of the best ways for modeling authorization decisions that I've seen. But oso's open source library has been deprecated and right now it only offers a cloud based solution for authorization which is something that is to be avoided since the point is to have as less dependency on external cloud providers as possible.

#1997 (reply in thread)

Postgresql is the most advanced and most popular SQL database in the world and is completely open source. Most innovations in the SQL database space are first introduced in postgresql. It is backed by big coporations and used widely in the industry. You can check the stackoverflow developer survey.

#1997 (reply in thread)

For mongodb either prisma or microorm should be used. If the database implementation is to be migrated to postgresql drizzle orm should be used.

[varshith257]

@palisadoes As @xoldyckk mentioned we can safely use Prisma if we continue with MongoDB and what's your thoughts on using PostgreSQL instead MongoDB as stated above?

[palisadoes]

Thanks @xoldyckk, this is the type of analysis I was looking for to justify the proposed changes. I looked at the Express GitHub repo and it is moribund. I'm glad to see that fastify is used by Microsoft and presumably allowed the use of its logo on the website.

• https://fastify.dev/organisations/

I agree with @DMills27 that there will be disruption. It will be more organizational as we rally people to do any type of migration as opposed to the GraphQL interface. That is why I was insistent on asking about the steps in any proposed plan and how the work could be distributed. For fastify and yoga it seems manageable in a few weeks.

@xoldyckk, apart from the technical justification, why do you feel that casl and lucia will have longevity?

[varshith257]

@palisadoes Have agreement on this?

Fastify - backend framework
Graphql-yoga - Graphql Server
Lucia - Authentication #1997 (reply in thread)
Casl - Authorization

[krishna619]

Hi guys,

I’ve been reflecting on our discussions about the backend framework, and I wanted to share some thoughts on why NestJS with Fastify could be a strong choice for us. However, I also understand the concerns about the learning curve and suitability for our codebase as @DMills27 mentioned. As @varshith257 said fastify provides us with performance benefits and a well-structured framework that supports TypeScript.So I believe that this is where NestJS with Fastify Adapter can come in the picture.

One of the key advantages of NestJS is its modular architecture. This means we can create a separate dedicated module for authentication as we discussed and It would give us the flexibility to use decorators and validation pipes/guards that a vanilla fastify would lack.We could either choose Mercurius or GraphQL Yoga for high-speed execution.

Please Note: using NestJS with Fastify, we’re not locking ourselves into a single path. We have the option to switch to Express if that’s what’s best for Talawa. This approach gives us the chance to experiment with the benefits of Fastify while having a reliable fallback with Express. NestJS gives us the flexibility to revert to Express without a significant overhaul.

[varshith257]

@krishna619

But since the requirement here is a good backend javascript framework, fastify and nest.js are the only mature alternatives. Nest.js under the hood itself uses express.js and fastify and provides option to use one or the other, it's only there to bring order to the codebase using class based components, which imo are just a fad. So, basically fastify is the only mature solution for developing a monolithic backend service in javascript while also being customizable.

[palisadoes]

What's your opinion on this :

Auth0 by Okta https://auth0.com/nonprofits https://auth0.com/

As a hosted solution, it will require every Talawa organization to apply for the reduced fees. Most cloud organizations require you to submit scans of your articles of incorporation and governmental approvals for you to get free services. In some cases, you have to renew annually, though with less documentation. Third party services supporting Talawa end user operations have proven to be historically unsuitable for our needs.

[varshith257]

Yeah, analyzed it and had taken back this proposed one and let's go with Lucia

[varshith257]

@palisadoes What' your thoughts on this? #1997 (reply in thread)

[palisadoes]

I know we are going towards using libraries but what if we implement authentication from scratch? ,I know it would be a lot of work to roll out a production ready authentication but with this way we would have greater flexibilty

@AVtheking, though it's an interesting technical challenge, we should not be trying to reinvent the wheel with the limited volunteer resources we have. Auth* has been fixed by the coder community, we just need to select from the most robustly supported reputable options.

[palisadoes]

@palisadoes As @xoldyckk mentioned we can safely use Prisma if we continue with MongoDB and what's your thoughts on using PostgreSQL instead MongoDB as stated above?

I cannot speak with authority on the technical aspects of the various packages. Using mongoose has created numerous sections of code where our linting has had to be disabled because of the non typed any problem. If there is a better package that is robustly supported, then we should consider it. If it can be done in a few weeks with a credible plan then we should pursue it.

Regarding RDBMS options, yes they are more suitable for the relational aspects of the app, however Mongo has its advantages too. MySQL, MariaDB and Postgress all seem to have NoSQL features now which may or may not be suitable for our needs. There could be ways to use Mongo for some things and the historically tested RDBMS (MySQL etc.) options for others. Once again, this would require deeper analysis. This change would also need to be as transparent as possible to the Mobile and Admin clients. It may be a lot of work and could possibly be suitable for one or more of our GSoC ideas. If it's not a lot of work, then we can think about doing it in the coming weeks.

Whatever the solution, we need a scope that will be achievable in the proposed time frame. The two obvious options are within the next month, and over the summer.

[varshith257]

Noted! Will provide the necessary analysis for it soon. As of now we can uphold this

[palisadoes]

No one has answered this question:

Why do you feel that casl and lucia will have longevity?

The aim of this discussion is to ensure long term stability and maintainability. I've only read that these packages are good choices without the supporting non-technical rationale. The assertion that they are "industry best practice" without supporting evidence is insufficient justification.

[varshith257]

To support their non-technical rationale, while there may not be specific orgs or prominent projects publicly known to use Lucia but used by 1.8K projects, their LTS and maintainability can be supported with their active repo and contributions. They are constantly striving with updates and recently released v3.

Same for Casl with adopted among 68k+ projects and has financial support sponsors that we can easily trust for their LTS and maintainability

Let's also wait for @xoldyckk's answer

[palisadoes]

Looking at the packages that depend on casl. the most noticeable suite that uses it is strapi. It has > 50K GitHub stars and is backed by a cloud service company of the same name. This validates that decision.

lucia, however mostly has it's own packages that depend on it. It doesn't appear to be implicitly backed by a corporation as casl is. Is there another alternative that meets the sustainability goal?

[varshith257]

I didn't find any alternative that meets our auth goals. It seems Lucia is only a good option for now

[palisadoes]

Currently lucia has 7 issues and 1 PR, and limited use in other packages. That doesn't indicate a vibrant community. It may be new and interesting but there is a limited track record upon which to bet the sustainability of Talawa.

I find it hard to believe that there is only one suitable solution to authentication. There must be others.

[varshith257]

This isn't the case but we are looking for no-cost solutions hence we have the options of passport js and Lucia. As Talawa is monothlic the better suitability is session based authentication. So, Lucia seems to be the option as far as now which has session-based auth and no cost. These are just a few of the JavaScript frameworks that support session-based authentication

#1997 (comment)

There are many solutions that are cloud-based but again fall under limits and incur costs. The alternatives are discussed here #1997 (comment)

[varshith257]

@palisadoes A thing to discuss about File Uploads, @xoldyckk just suggested here his opinion about using gridFS, most of they stuck with this. It isn't only a solution for it. I have done detailed research on why can't be GridFS and what are alternatives to support our Talawa goals and sent it to [email protected]. Have a look at it :)

The rationale for selecting gridFS instead of S3 is due to its costs and cloud provider, IMO there are other alternatives solutions for this usecase

[palisadoes]

1. This discussion needs to be limited to improving existing features to get us to a goal of standardized auth.
2. This was the original scope
3. Please start a separate discussion to discuss this

[varshith257]

Is there agreement on this?

1. Fastify - backend framework
2. Graphql-yoga - Graphql Server
3. Lucia - Authentication Improvements to Talawa #1997 (reply in thread)
4. Casl - Authorization

@DMills27 @palisadoes @xoldyckk @rishav-jha-mech @SiddheshKukade

[varshith257]

@palisadoes IMO If we have no agreement for lucia yet, meanwhile we can start to work with agreed ones and will make sure the time frame over the summer implementing this all improvements integrated into our Talawa

Besides we can evaluate the the auth framework to be used until fastify is integrated

[xoldd]

There are no prominent alternatives for authentication in javascript that can be integrated directly into the main codebase of talawa api. The kind of support and guarantees you're looking for only exists with mature authentication solutions that are detached from the main application and are run seperately as a service along with their own storage and database, something like a black box. Examples include keycloak, supertokens etc. The detached authentication service would have to be managed seperate from talawa api's main codebase, database and other services.

What lucia auth is used for is kind of implementing authentication from scratch, but it provides primitives instead of a full blown solution. It lets us integrate authentication as a part of the main codebase in whatever way preferred instead of existing as a detached service. It doesn't cover all kinds of authentication patterns that exist in the world unlike the mature solutions like keycloak, supertokens etc.

There are no alternatives to casl in javascript that I know of. Same reasons are valid for casl as the ones for lucia.

[varshith257]

Is there agreement on this?
Fastify - backend framework
Graphql-yoga - Graphql Server
Lucia - Authentication #1997 (reply in thread)
Casl - Authorization

@palisadoes @xoldyckk Are we ready to go with this agreement?

[palisadoes]

For fastify and yoga to start

[varshith257]

Sure, Can reopen the issue?

[palisadoes]

Supabase was mentioned as a possibility for the self hosted chat and notifications GSoC idea.

I did some research and discovered that it also handles auth.

• https://supabase.com/docs/guides/auth

Supabase is backed by a company

[varshith257]

Okay, I agree with you. Let's research on it

[krishna619]

@palisadoes
for Supabase, there are some downsides.

1. There have been cases where people were getting logged out at random times.
2. We can't set the session lifetime.
3. there is no 2FA option.

[palisadoes]

That's why more research is required so all options can be evaluated and the best one selected. This includes what we can get off the shelf, and the possible modifications needed to get what we want. If modifications are not feasible, then other options should be considered. No solution is going to be perfect, each will have their pros and cons. What we don't want is a choice of one, which is what was proposed before. A choice of two isn't much better. Having 3-4 strong candidates would be best as its a manageable number.

Supabase claims to support MFA

• https://supabase.com/docs/guides/auth/auth-mfa

Supabase claims to support configurable session timeouts

• https://supabase.com/docs/guides/auth/sessions

[krishna619]

Definitely, Having 3-4 prospects would be great.
We could do more research on

1. Ory https://www.ory.sh/
2. if pricing is not an issue, Clerk (its free up to 10k MAU's) https://clerk.com/

[palisadoes]

Nothing hosted, it must be open source