UTCSheffield / SportsDay-Scoreboard

A scoreboard for OLP's Sports Day
MIT License

Authentication #4

Closed devramsean0 closed 10 months ago

devramsean0 commented 10 months ago

We should authenticate all controllers except those required for auth.

northeastprince commented 10 months ago

If there aren't going to be a ton of people logging in then I would avoid OAuth and just have an interface to add users by email.

devramsean0 commented 10 months ago

It's a lot of people, annoyingly. The plan is for everybody in the school to have some kind of permission level.

northeastprince commented 10 months ago

A ton of people updating scores or just viewing them? If the latter, couldn't those pages be public?

devramsean0 commented 10 months ago

I believe the intention is to restrict them to members of the school, although I could consider making those pages unauthenticated. As far as updating scores, an entire year group + staff members are going to have permissions (quite a few people lol).

mr-eggleton commented 10 months ago

The viewing can be public.

It doesn't need to be a lot of people who can edit, but as I had an MS Authentication proxy and a regex-based authorisation system lying around on a server that I control, I thought we could use that, and so there is less load on you.

I sent you sample code about that (and have now fixed the server), but the sample code also extracts info from the JWT and you don't need that; you just need to know if the authenticated user has the "scorer" role by calling the roles endpoint.

But Matt's suggestion is also completely fine for the small thing we are doing.


devramsean0 commented 10 months ago

I eventually decided on using the Microsoft OAuth proxy because it's less code + allows for this service to be deployed in years to come without having to have extreme knowledge of what is happening with it. I'm also leaving the scoreboard page itself unauthenticated.
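
The outcome of this thread (public scoreboard, auth routes open, score editing limited to the "scorer" role) sketched as a default-deny check; this is an added illustration, not code from the repository or from any commenter. The route names, the `fetch_roles` callable (standing in for the call to the proxy's roles endpoint) and the sample users are assumptions, as is the choice to deny routes that have no policy.

```python
from typing import Callable, Iterable, Optional, Tuple

# Assumed route names; the application's real routes are not shown in the thread.
PUBLIC_ROUTES = {"scoreboard.show", "auth.login", "auth.callback", "auth.logout"}
ROLE_REQUIRED = {"scores.create": "scorer", "scores.update": "scorer"}


class RolesUnavailable(Exception):
    """Raised by a roles lookup when the roles endpoint cannot be reached."""


def authorize(route: str, user: Optional[str],
              fetch_roles: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Decide whether `user` (None = not logged in) may reach `route`."""
    if route in PUBLIC_ROUTES:
        return True, "public"
    if user is None:
        return False, "login required"
    required = ROLE_REQUIRED.get(route)
    if required is None:
        # Default deny: a new controller is closed until a policy is written.
        return False, "no policy for route"
    try:
        roles = set(fetch_roles(user))
    except RolesUnavailable:
        # Fail closed: an unreachable roles endpoint never grants access.
        return False, "roles lookup failed"
    if required in roles:
        return True, "role " + required
    return False, "missing role " + required


# Constructed sample data standing in for the proxy's roles endpoint.
SAMPLE_ROLES = {"scorer@example.test": ["scorer"], "pupil@example.test": []}


def sample_fetch_roles(user: str) -> Iterable[str]:
    if user not in SAMPLE_ROLES:
        raise RolesUnavailable(user)
    return SAMPLE_ROLES[user]


if __name__ == "__main__":
    for route, user in [("scoreboard.show", None), ("scores.update", None),
                        ("scores.update", "scorer@example.test"),
                        ("scores.update", "pupil@example.test")]:
        print(route, user, authorize(route, user, sample_fetch_roles))
```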