-
-
Notifications
You must be signed in to change notification settings - Fork 132
Roadmap
Anton Bachin edited this page May 11, 2023
·
36 revisions
Lists needed improvements to Dream and the OCaml ecosystem for OCaml to be practically useful for Web programming.
Today's websites use password login, social login, and two-factor authentication.
-
β Password login.
- π Currently, people have to roll their own solutions.
- βοΈ Argon2 is the recommended hash function for password storage these days. ocaml-argon2 binds to its C implementation.
- β ocaml-argon2 recently failed to build on Mac, required porting, and just needs a look.
- β We need all the helpers around Argon2, such as the actual login flow, registration, recovery, etc.
-
β Social login.
- π Is basically not ever done by people in OCaml.
- βοΈ ocaml-oidc implements OpenID Connect, used by most social logins, such as Gmail.
- β We need to test actually connecting to the various social login providers and work out all the quirks.
- β Providers such as GitHub implement a bare OAuth2 login process. We need to factor OAuth2 out of ocaml-oidc.
- See Map of OAuth 2.0 Specs.
- Wikipedia List of OAuth providers.
- β Facebook has its own Facebook Connect. We need to implement this.
-
β Two-factor authentication.
- π Does not exist in OCaml in the form most commonly found on the Web.
- βοΈ u2f implements U2F, which requires specialized devices.
- βοΈ qrc implements QR code generation.
- β Implement TOTP, the most common 2FA method besides SMS.
- Appears to be done in https://github.com/marcoonroad/twostep. Evaluate it.
- β Make sure the implementation has an API that matches an expected API for SMS and U2F 2FA.
- β Integrate TOTP with QR code generation, as commonly used on the Web.
- π Does not exist in OCaml in the form most commonly found on the Web.
-
Other auth methods.
- WebAuthn?
-
References
- βοΈ HTTPS itself is well-supported in OCaml.
- βοΈ Practical use of HTTPS by small-to-medium groups requires Let's Encrypt, implemented by ocaml-letsencrypt.
- β ocaml-letencrypt needs to be adapted to Dream and made easy to use. This should use the ALPN challenge method.
- π OCaml is really awkward at handling "just data," unlike Python and JS.
- β Study existing solutions in OCaml, F#, ReScript, Rust, Go.
- β Create a library with types that match JSON exactly, has a fast parser, and short combinators or custom operators.
- β Port one of the Deriving PPXs to it.
- β What should be done for form data?
- β Dynamically tagged data is very nice for automatically putting into SQL prepared statements. Look into this.
- β Consider implementing JSON5 as an option.
- βοΈ Caqti is a common interface for accessing SQLite, PostgreSQL, and MariaDB.
- β There is no ready migration option. People on Discord are using gomigrate.
- β Caqti does not report detailed errors from database drivers.
- β Caqti appears to lack a transaction wrapper.
- β Caqti does not have a published manual, or neat API. It is necessary to convoluted functors spread across several
.mlifiles. - β We need to find a link to how to write portable SQL (for those who want to do that).
- β Direct use of Caqti involves a lot of boilerplate. Is there a way to reduce that without PPX?
- β If a PPX can help with removing some lingering boilerplate, consider a non-intrustive optional PPX.
- βοΈ There is ppx_rapper β study it.
- β The Caqti Dream integration creates its own connection pool. Allow taking a connection pool created by the user.
- β Study PG'OCaml and F#'s Npgsql.
- β Consider some kind of schema checker to run at startup, perhaps part of the migration library.
- β Consider Ecto.
- β What does Caqti 1.7.0 offer?
- β What will Dream look like with effects in the language?
- β A lower combinator layer allowing partial validation during routing, perhaps even allowing composing handlers using a monad. See #122.
- β Optimizations, such as a trie. Possible solution: art
- β Generate JSON schema from handlers/routes.
- β A cache to skip an explicit compilation step.
- β Unicode support.
- β Pick a favorite syntax (PCRE2).
- β End-to-end testing.
- β See React Testing Library.
- β WebSocket testing.
- β ETags.
- β Aid for Cache-control, asset hashing.
- β There are js_of_ocaml, Rescript, and Melange.
- β All the vendored dependencies need to be upstreamed and/or released.
- βοΈ Library for sending emails via SMTP letters
- βοΈ Library for composing email mrmime
- βοΈ Library for validating email address (don't even try to do it with regex, it's really complex): emile
- β Special handlers for common providers like Mailgun or Amazon SES, sending emails via http protocol.
- β API access to email-sending services will benefit greatly from Dream having a Dream-friendly client library.
- β Message queue back ends:
- β In-memory.
- β Local broker-less persistent.
- β RabbitMQ (can already be accessed by amqp-client).
- β Amazon SQS (aws-sqs).
- β Optionally Redis.
- β Improved syntax highlighting of eml (being worked on at Tarides).
- β Full IntelliSense support in eml.
- β Experiment with log-anything. https://discuss.ocaml.org/t/overview-of-libraries-for-showing-ocaml-values/12076
- β Look at ezlogs.
- βοΈ Very clearly figure out, for both streaming bodies and WebSockets, exactly where allocations are done on each write, where buffering occurs, etc.
- βοΈ Exactly how and to whom are errors reported?
- βοΈ Implement proper flow control to avoid filling internal buffers server-side or client-side.
- β Improve async detection of closed WebSockets.