Open jendakol opened 4 years ago
The BE controller is secured by role, for example user and manager. Technical users are assigned to the user role; manager users are assigned to the manager role.
FE can call BE with login_name and password (BCrypt) via HTTP basic auth.
DB tables: USER(id, login_name, password, role_id), ROLE(id, name).
Password is stored as BCrypt.
Secure the BE by role. Assign a technical user to that role. Have a user table in the DB with the columns id, login_name, password, role_id, linked to a role table. I can have several roles, which keeps it extensible to different functions. Generate the password with BCrypt on the FE and verify it against DB user.password. So from the FE I send login_name and password in BCrypt. The BE should return a generated X_AUTH_TOKEN that I can use to authenticate in subsequent requests.
Example of communication from FE to BE:
$ curl -v http://localhost:8080/ -u user:password   (BCrypt-generated password)
From BE to FE:
HTTP/1.1 200 OK
...
X-Auth-Token: 0dc1f6e1-c7f1-41ac-8ce2-32b6b3e57aa3
{"username":"user"}
In the next request you can use:
$ curl -v http://localhost:8080/ -H "X-Auth-Token: 0dc1f6e1-c7f1-41ac-8ce2-32b6b3e57aa3"
Otherwise the guys solve all of this in Java / Spring Boot / microservices with a few annotations, including validation of the Auth-Token and storing everything needed in the DB. In Python, unfortunately, I don't know.
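The flow described above (Basic-auth login checked against the BCrypt value in USER.password, a UUID X-Auth-Token returned for later requests, and controllers gated by role), as an added Python example that is not part of this issue or of the project's code. The USER and ROLE rows, the `boss` manager account, the in-memory token store, the token TTL and the helper functions `parse_basic`, `login`, `current_user` and `handle` are all constructed for the example; bcrypt is used when the `bcrypt` package is installed and a clearly labelled PBKDF2 stand-in otherwise.

```python
import base64
import binascii
import hashlib
import hmac
import os
import secrets
import time
import uuid

try:
    import bcrypt  # the scheme from the issue (pip install bcrypt)
except ImportError:  # stand-in so the example still runs without the package
    bcrypt = None

PBKDF2_ROUNDS = 200_000      # only used by the stand-in
TOKEN_TTL_SECONDS = 3600     # assumed lifetime of an X-Auth-Token


def hash_password(password: str) -> str:
    """Value to store in USER.password: bcrypt when available, PBKDF2 otherwise."""
    if bcrypt is not None:
        return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Compare a submitted password with the stored hash (constant-time where we compare ourselves)."""
    if stored.startswith("pbkdf2$"):
        _, salt_hex, dk_hex = stored.split("$", 2)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
        return hmac.compare_digest(dk.hex(), dk_hex)
    if bcrypt is None:
        return False
    try:
        return bcrypt.checkpw(password.encode(), stored.encode())
    except ValueError:  # malformed stored hash
        return False


# Constructed stand-ins for the ROLE and USER tables from the issue.
ROLE = {1: "user", 2: "manager"}
USER = {
    "user": {"id": 1, "login_name": "user", "password": hash_password("password"), "role_id": 1},
    "boss": {"id": 2, "login_name": "boss", "password": hash_password("manager-pw"), "role_id": 2},
}
# Hash verified for unknown logins so a failed login takes the same time as a wrong password.
DUMMY_HASH = hash_password(secrets.token_hex(16))
# Issued tokens: token -> (login_name, expiry). A real BE keeps these in the DB.
TOKENS = {}


def basic_header(login_name: str, password: str) -> str:
    """Build the Authorization value curl -u sends."""
    return "Basic " + base64.b64encode(f"{login_name}:{password}".encode()).decode()


def parse_basic(header_value: str):
    """Return (login_name, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, payload = header_value.partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        decoded = base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    login_name, sep, password = decoded.partition(":")
    return (login_name, password) if sep else None


def login(headers: dict):
    """Basic-auth login; returns a fresh X-Auth-Token or None on failure."""
    creds = parse_basic(headers.get("Authorization", ""))
    if creds is None:
        return None
    login_name, password = creds
    row = USER.get(login_name)
    ok = verify_password(password, row["password"] if row else DUMMY_HASH)
    if row is None or not ok:
        return None
    token = str(uuid.uuid4())
    TOKENS[token] = (login_name, time.time() + TOKEN_TTL_SECONDS)
    return token


def current_user(headers: dict):
    """Resolve the X-Auth-Token header to a USER row; None if missing, unknown or expired."""
    token = headers.get("X-Auth-Token")
    entry = TOKENS.get(token) if token else None
    if entry is None:
        return None
    login_name, expires_at = entry
    if time.time() > expires_at:
        TOKENS.pop(token, None)
        return None
    return USER.get(login_name)


def handle(headers: dict, required_role: str):
    """Controller guard: 401 without a valid token, 403 for the wrong role, 200 otherwise."""
    user = current_user(headers)
    if user is None:
        return 401, {"error": "unauthorized"}
    if ROLE[user["role_id"]] != required_role:
        return 403, {"error": "forbidden"}
    return 200, {"username": user["login_name"]}


if __name__ == "__main__":
    token = login({"Authorization": basic_header("user", "password")})
    print(handle({"X-Auth-Token": token}, "user"))     # (200, {'username': 'user'})
    print(handle({"X-Auth-Token": token}, "manager"))  # (403, {'error': 'forbidden'})
```

One design point worth noting: the example verifies the plaintext password against the stored BCrypt hash on the BE rather than accepting a BCrypt string computed on the FE. A hash that the client sends as-is is just a password equivalent (anyone who captures it can replay it), so HTTPS plus server-side verification is what keeps the stored hash useful. The token is likewise validated from the server-side store with an expiry, so the FE never holds anything that outlives the session.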
This will be solved as part of #12 (basic auth). @Kobzol please take this over.
Using HTTPS is a sure thing, but that's not enough: we need to prevent unauthorized people from calling the API.
Please think about some solution and create a PR with its implementation.
It's related to #12.