API token - Security

[amadorjoaosilva]

• [ ] pass API request for every request

[bethgrace5]

Following: http://engineering.talis.com/articles/elegant-api-auth-angular-js/ I was able to use a factory to append "Authorization" field to header, and receive the value via @RequestHeader. Next, I will follow their example on how to intercept the response to deal with token invalidation or expiry. Then, I need to figure out token creation and how to generate new ones, and verify when they are received. Finally, then make these checks with every api request.

[bethgrace5]

API Token passing

• [x] go through and find TODO notes. They include checking the expiration date and removing the session for invalid tokens, as well as adding a logout method
• [x] make sure all requests are listed in mvc-dispatcher-servelet.xml, so they are all intercepted (except login)

User Permissions

• [x] embed user permissions within JWT as property scope. (this means making a join with the permissions table when getting the user id from the session table, and getting their permissions as a list to store in token)
• [x] protect every Java method (except login) with checks that they have the permission to continue. For example, updating an employee requires manage-employee permissions. If a user doesn't have that, it kicks them out with an error status code.