Closed Ajeyakrishna-k closed 7 months ago
The middleware must correctly identify if a request is coming from a user or a service.
How are we planning to pass this service info to the other service? via headers or other way?
The middleware must be integrable with the existing backend system without causing disruptions or conflicts.
Now the flow should look like user calling the middleware and that middleware calling the backend right?
Should we also think of having few methods which can check if the user is a super user, say I use the same user data in skill tree and I wanted to understand if the user is a super user, then this middleware should help us.
How are we planning to pass this service info to the other service? via headers or other way?
Since we are using JWT to for authorisation. We can add the details of the service which sent the request in payload.
Now the flow should look like user calling the middleware and that middleware calling the backend right?
Middleware is just a function in our RDS backend.
Should we also think of having few methods which can check if the user is a super user, say I use the same user data in skill tree and I wanted to understand if the user is a super user, then this middleware should help us.
If we want to get user details then there is a separate API in our backend which provides all details along with roles.
We can also think of a new API which only does the roles validation, given a user and role validate if that exists. This will be a seperate ticket.
how are we going to authenticate a service? how will the public key be used when i make a request from my service to the rds backend?
Your service will need to generate a JWT token and sign it using the respective private key.
how are we going to authenticate a service? how will the public key be used when i make a request from my service to the rds backend?
Your service will need to generate a JWT token and sign it using the respective private key.
can we not have a auth service which takes care of authentication from multiple clients?
can we not have a auth service which takes care of authentication from multiple clients?
Yes, we definitely can! Since that is out of scope for this issue, not interested to discuss that here.
Note: Not addressing the issue of adding authentication to newly created services here. This is just a refactor which will consume around 1hr of development time.
how are we going to authenticate a service? how will the public key be used when i make a request from my service to the rds backend?
Your service will need to generate a JWT token and sign it using the respective private key.
can we not have a auth service which takes care of authentication from multiple clients?
Yes I think, if we are building this, we can reuse it over multiple places, can you ask Ankush / Tejas on this once
Problem:
Suppose we have a route which needs to be accessed by a super user and a service, currently we do not have any function to do that.
Issue Description:
We have growing services and we will need to authenticate each requests among these services. Currently our backend employ's a middleware which will either authorise a user based on their roles or can authenticate only a service.
To improve these authorisation flow's we need to create a common middleware to authorise both user and a service so that we can easily add conditions like either a super user or say cron-jobs service can have access to a certain API.
Code Link: website-backend
Proposed Solution:
Create a middleware with the following parameters:
Acceptance Criteria:
allowedUserRoles
array.allowedServices
array.allowedUserRoles
, the request proceeds to the next middleware or handler without interruption.allowedServices
, the request should be allowed to continue without interruption.allowedUserRoles
and the service name is not inallowedServices
, the middleware should reject the request and send a response with a 403 Forbidden status code.allowedServices
andallowedUserRoles
are empty arrays