PACKAGES: mod-account Envoy Authz

[Winwisly100]

• Add an Envoy External Authorization server (authz) in mod-account.

[joe-getcouragenow]

Based on: https://medium.com/google-cloud/envoy-external-authorization-server-envoy-ext-authz-helloworld-82eedc7f8122

• https://github.com/salrashid123/envoy_external_authz

[joe-getcouragenow]

So how can we do sessions in a smart way ?

The SAAS golang layer is stateless, and hence why round robin LB is fine. The PASS layer ( minio, etc ) is stateful, and setup to do round robin from SAAS to PAAS also and its all fine.

• Concept: "non signed in" cookie & "signed in" cookie
  • a new users goes through the questions and answers and we have a cookie going back and forward between client and server via the headers.
  • As they save answers we store in minio against the "non signed in" users UUID.
  • this means that if they DONT finish and come back tomorrow they can pick up where the left off, and we have their data
• so when user finally signs up, we just have to swap the UUID at the storage level
  • MIGHT have to delete the "non signed in" some how.
• JWT seems to be the way.
  • likely some non native JWT dart libs out there to help us. We want non native.
    • For Flutter Desktop and Mobile the concept of cookies is not present, but shared storage is.
  • likely have to adjust the envoy config so the JWT headers pass through.
  • oAuth is complex and for later.

SO do we need redis etc for sessions ?

• Because everything is GRPC and Envoy in the middle, it can make sure the cookies are going back and forth i think, and so the SAAS golang layer does not have to concern itself with it.
• So there essentially is not need for a PASS REDIS Server.

DART JWT research: https://github.com/appsup-dart/jose

• used by: https://github.com/appsup-dart/openid_client
• corresponding golang: https://github.com/ory/hydra

[joe-getcouragenow]

notes from meeting:

0. DEV / ENV
   • Get OPS access for GCP for dev-getcouragenow.org
   • test kubeconfig

• boot new cluster. Use DEV environment
  • makefile
  • add git tagging to makefile and TRY it, and se if github workflow does it.
  • make a env-dev.sh, and set your cgp project and gcp user
  • tell Joe the public IP so he can map "https://maintemplate.dev.getcouragenow.org/"

AUTH

• global at maintemplate level
• enforcement, by checking header / cookie.

AUTHZ

• at mod level
• enforce, by asking mos-account

PASS

• minio

mod-accont

• manage of the users and roles
• users signing, change password
• cli
• GUi
• controls a minio bucket / namespace.
• check auth / cookies, headers

1. Add make files as needed

   • protoc
   • flutter and golang for local dev

2. Is this PASS or SASS layer ?

   • auth and authz is needed by everyone. Feels like its PASS
   • SAAS layer in maintemplate
   • whats needed ?
   • SAAS mod-* layer:
   • each one needs just grpc check and health, that envoy calls into
   • PASS
   • storage. minio with memory cache.