Major API restructuring

[byewokko]

:rotating_light: This seriously breaks Auth UI and Admin UI functionality without backward compatibility. :rotating_light:

:exclamation: This MR will likely be split into smaller MRs. :exclamation:

Sync merge with

• TeskaLabs/seacat-auth-webui/pull/42
• http://gitlab.teskalabs.int/ateska/webui-microfrontends-poc/-/merge_requests/131

Summary

• Public container must not contain any auth-protected endpoints. They must be placed in the private container.
• All endpoints contained in the public container are also included in the private container (with the same authorization).
• All endpoints have been sorted into broad API categories and had a respective prefix added to their URL path (e.g. Seacat account management endpoints have been prefixed with /account).
• Dots and underscores in path names have been replaced with a dash - (e.g. /public/login-prologue instead of /public/login.prologue).

Complete table of endpoint path changes

seacat-auth-endpoints-rev-2024-02.ods

APIs

Public web container (default port 3081)

• /.well-known/ - standard well-known locations (OIDC)
• /openidconnect/ - OAuth 2.0 and OIDC API
• /public/ - core authentication API (login, logout, registration, lost password, cookie entry...)

Private web container (default port 8900)

• /account/ - Seacat Account API (change password, change email, configure login options...)
  • authentication required
• /admin/ - Seacat Admin API (manage tenants, roles, credentials...)
  • authentication + seacat:access authorization required
• /nginx/ - internal nginx utilities (introspection)
  • no authentication
• /asab/ - ASAB API
  • authentication required
• /doc, /oauth2-redirect.html and /asab/v1/openapi - Swagger docs and OpenAPI
  • no authentication
• plus /.well-known/, /openidconnect/ and /public/ as in the public container

TODO

• [x] Ensure all endpoints are adequately protected
• [x] Verify that no ASAB service relies on the public GET /tenant endpoint anymore
• [x] Invite user to tenant - /account/{tenant}/invite?
• [ ] Move impersonation to Account API
• [ ] Update Nginx configs
• [ ] Update ASAB maestro descriptors
• [x] Prepare Auth UI - TeskaLabs/seacat-auth-webui/pull/42
• [x] Prepare Admin UI - http://gitlab.teskalabs.int/ateska/webui-microfrontends-poc/-/merge_requests/131

[ateska]

@byewokko I'm assigned? ;-)

[ateska]

Please also publish:

• the table of how API endpoints will be structured after this is done
• a procedure how to adopt this change

@byewokko