Add app-content-pages dev server with devcert

[mcbouslog]

Package

• app-content-pages

Why and Context

• when working on app-content-pages locally, I can't login to Panoptes
• this PR is similar to Add devcert to deal with SSL in browsers for local dev (particularly Chrome) #2310
• creates a local certificate authority to generate self-signed SSL certificates (more info on how this works: https://github.com/davewasmer/devcert#how-it-works)
• adding this will enable us to use https://local.zooniverse.org:3000/about/team or https://localhost.zooniverse.org:3000/about/team with working auth with Panoptes

Describe your changes

• adds dev server with devcert, dev server ran with yarn dev
• update README accordingly ^

How to Review

Helpful explanations that will make your reviewer happy:

• in app-content-pages, run yarn dev
• go to https://local.zooniverse.org:3000/about/team or https://localhost.zooniverse.org:3000/about/team
• try authentication with a staging user, you should be able to authenticate

Checklist

PR Creator - Please cater the checklist to fit the review needed for your code changes.
PR Reviewer - Use the checklist during your review. Each point should be checkmarked or discussed before PR approval.

General

• Tests are passing locally and on Github
• Documentation is up to date and changelog has been updated if appropriate
• You can yarn panic && yarn bootstrap or docker-compose up --build and FEM works as expected
• FEM works in all major desktop browsers: Firefox, Chrome, Edge, Safari (Use Browserstack account as needed)
• FEM works in a mobile browser

New Feature

• The PR creator has listed user actions to use when testing the new feature

Refactoring

• The PR creator has described the reason for refactoring
• The refactored component(s) continue to work as expected

[mcbouslog]

Noticed the app-project package.json has "devcert": "1.2.2" (no tilda). I'm not sure if that's intentional and why preferred to how this adds devcert with "devcert": "~1.2.2" (with tilda).

[coveralls]

Coverage: 82.409% (+0.007%) from 82.402% when pulling fc72686 on app-content-pages-dev-server into 5944a17 on master.

[eatyourgreens]

Devcert isn't well maintained nowadays, so I'm not sure how much to trust it.

If you do use it to generate a local certificate, I'd personally recommend removing the local CA that it installs, just for the peace of mind of knowing that your browser isn't using an untrusted CA to validate certifcates.

[eatyourgreens]

devcert was pinned to a specific version in #3118, to avoid a bug in 1.2.1, and never changed back.

[mcbouslog]

Dependabot bumped it to 1.2.2 in #3297

[goplayoutside3]

Looks good! I'm able to login with my account for staging while running app-content-pages locally. Noting that this will not work if running locally on a mobile device (and it's not expected to) due to the CORS error noted in the Readme.

[eatyourgreens]

I'd vote for removing devcert completely, since it isn't well maintained any more and it bypasses the browser's untrusted certificate warning (unless you remove the CA that it installs.)

[goplayoutside3]

@eatyourgreens if devcert is removed from both app-project and app-content-pages, what is your suggested solution to enabling sign-in while developing locally?

[mcbouslog]

I'd vote for removing devcert completely, since it isn't well maintained any more and it bypasses the browser's untrusted certificate warning (unless you remove the CA that it installs.)

@eatyourgreens - is there an alternative to devcert or a different way to run the FEM apps locally with Panoptes authentication?
I understand and agree with your preference not to use devcert, but I’m not aware of a different way to run the apps locally with auth, which I think is a requirement for certain dev efforts, though please let me know if I'm missing or misunderstanding something.

I'll create an issue to remove devcert so we can document, further discuss, and prioritize accordingly.

[eatyourgreens]

At the moment I use the certificate for local.zooniverse.org that it generated for the project app, but I've removed the CA from my MacBook.

[eatyourgreens]

Thinking about it, a better solution would be for us to generate a real certificate for local.zooniverse.org and use that.

[eatyourgreens]

I'm also assuming that the certificate for the project app can be re-used with the content pages app, since they run on the same domain locally.

[mcbouslog]

I've opened #4103 to help document and discuss a way forward towards not using devcert. Thank you @eatyourgreens for highlighting the issues with devcert and the importance of removing the related CA cert.

I'll likely merge this PR later today to continue progress on notifications in app-content-pages (update #4010 ).