ajency / cashflow-issue-tracker

Issue Tracker for issues

TASK - Introduce Authentication for all graphql endpoints and handle the access denied in UI #573

Open nutank opened 4 years ago

nutank commented 4 years ago

All APIs should be with authentication.

Only users of company setup with cash flow should have access to cash flow data

nutank commented 4 years ago

Also related to task #557

nutank commented 4 years ago

We need a common middleware for authentication that will be used for all graphql endpoints.

All

The logic for authentication for this would be as below:

  1. All graphql endpoints will now start accepting a JWT token in the "Authorization" header:

         headers: {
             Authorization: 'Bearer ' + token
         }

  2. This token is sent by the login API on successful login. All graphql endpoints need to now send this token in the authorization header.

  3. On the server side the following will be the logic for authorization:

     Response (if token is valid):

         { "username": "demouser", "password": null, "companyId": "1", "userId": 1, "permissions": [ "cashflow-read", "cashflow-write" ] }

     - Once we know that the token is valid, check whether the user is present in cashflow's users table, matching the external_user_id and belonging to one of the company ids sent in the response.
     - Also check if the company id the API is requesting the data for matches one of the companies associated with the user. If yes, then the API should allow access to that company's info, else it should give "ACCESS DENIED".

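The checks described in the comment above, written out as an added example (not the project's own middleware): parse the Bearer header, validate the token, then confirm the user's row in the cashflow users table covers the company the request asks for. `verifyToken` and `CASHFLOW_USERS` are constructed stand-ins for the login API and the real users table.

```javascript
// Constructed cashflow users table: one row per (external_user_id, company_id).
const CASHFLOW_USERS = [
  { id: 10, external_user_id: 1, company_id: "1" },
  { id: 11, external_user_id: 1, company_id: "2" },
  { id: 12, external_user_id: 7, company_id: "3" },
];

// Constructed stand-in for the login API's token check. A real implementation
// validates the JWT signature and expiry; here exactly one token is "valid"
// and yields the response shape shown in the comment above.
function verifyToken(token) {
  if (token !== "demo-valid-token") return null;
  return { username: "demouser", password: null, companyId: "1",
           userId: 1, permissions: ["cashflow-read", "cashflow-write"] };
}

// Extract the token from "Authorization: Bearer <token>"; null if absent/malformed.
function bearerToken(headers) {
  const raw = headers.authorization || headers.Authorization || "";
  const m = /^Bearer\s+(\S+)$/.exec(raw);
  return m ? m[1] : null;
}

// Per-request authorization. `requestedCompanyId` is the company the GraphQL
// operation wants data for. Returns { ok: true, user } or { ok: false, error }.
function authorize(headers, requestedCompanyId, deps = { verifyToken, users: CASHFLOW_USERS }) {
  const token = bearerToken(headers);
  if (!token) return { ok: false, error: "UNAUTHENTICATED" };
  const identity = deps.verifyToken(token);
  if (!identity) return { ok: false, error: "UNAUTHENTICATED" };
  // Cashflow permission must be present on the token's identity.
  if (!identity.permissions.includes("cashflow-read")) {
    return { ok: false, error: "ACCESS DENIED" };
  }
  // User must exist in the cashflow users table under a company id the
  // login response associates with them (companyId may be one id or a list).
  const tokenCompanies = [].concat(identity.companyId).map(String);
  const rows = deps.users.filter(u =>
    u.external_user_id === identity.userId && tokenCompanies.includes(u.company_id));
  if (rows.length === 0) return { ok: false, error: "ACCESS DENIED" };
  // The requested company must be one of those rows.
  const wanted = String(requestedCompanyId);
  if (!rows.some(u => u.company_id === wanted)) return { ok: false, error: "ACCESS DENIED" };
  return { ok: true, user: { userId: identity.userId, companyId: wanted } };
}
```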
nutank commented 4 years ago

@georgioajency / @HazelColaco19 - please provide UI for the "No Access page" which would be shown when users don't have access to cashflow.

georgioajency commented 4 years ago

Need to ask the client as to what they need to show.

Possible text:

  1. You do not have access to this page. Contact admin.
  2. Overlay with an option to request the feature. Contact Toppeq.

georgioajency commented 4 years ago

Show a blank page with the below text: "You do not have access to this page. Contact your account admin."

Can show an image also indicating no access

robiulpro commented 4 years ago

@legred21 there should be some provision where we can whitelist custom API endpoints (used for WhatsApp, QuickBooks callback). The authentication URL is currently hardcoded; make it an env variable or fetch it from the default table. Cashflow permission is not verified for the logged-in user; if the user has no permission to access cashflow, return 401.