cron-mon-io / cron-mon

A tool for monitoring cronjobs, written in Rust
MIT License

Auth #22

Open howamith opened 1 month ago

howamith commented 1 month ago

Add some level of authentication to the system, allowing not just users but also teams.

Suggested options here are to either implement this ourselves using HTTP Basic auth, or spend a little more time in this area and use something like Keycloak. Advantage to basic auth is that it's simple but we'll have to manage users and teams ourselves, whereas if we use Keycloak it's more complicated, but much more secure and we don't need to worry about users or teams as that'll all be handled by Keycloak.

howamith commented 1 month ago

For Keycloak, this Medium article could be of interest.

One thing to bear in mind with Keycloak, is that while it'll be more secure for users, it'll reduce the developer experience to a degree - unless we can come up with an elegant solution for getting JWTs without compromising security.

Might be simpler to go for basic auth initially.

Edit to add: the above is only true if we set a short lifetime on access tokens and require them to be refreshed while still in use. We could negate this by using a lifetime of 24+ hours (or even making them last indefinitely, if Keycloak lets us do that)

howamith commented 3 days ago

For Multitenancy in Keycloak, this article will be of interest.

Note we'll need an automated way of setting up a Keycloak instance, both for local dev within Docker compose, but also for anyone wishing to run Cron Mon themselves (we'll probably want to document this setup too, so they can configure their Keycloak instance themselves in whatever way they want to do it).

Also need to figure out where we get these custom fields from. Using the email domain is simple but it means you can only belong to a tenant based on your email, which could be quite limiting outside of corporate and professional environments.

Maybe signup requires invitation from a tenant? Then do we need a tenant signup flow?

howamith commented 3 days ago

For getting started with Keycloak (via Docker): https://www.keycloak.org/getting-started/getting-started-docker

For Keycloak integration in the web app: https://github.com/baloise/vue-keycloak
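The "implement it ourselves with HTTP Basic auth" option from the first comment is cheap to build but easy to get subtly wrong. The following is an added example, not code from the cron-mon repository, showing what a minimal but careful std-only Rust implementation of that option looks like: parsing the `Authorization` header per RFC 7617 (case-insensitive scheme, split on the first colon only), looking the user up in a user/team directory, and comparing the secret in constant time while still running the comparison for unknown usernames so response timing does not reveal which accounts exist. The `StoredUser`, `AuthenticatedUser` and `sample_directory` names are hypothetical, and the directory holds a plain secret only to keep the example self-contained; a real deployment would store a KDF hash (argon2, scrypt) and compare derived values instead.

```rust
use std::collections::HashMap;

/// Credentials recovered from an `Authorization: Basic ...` header.
#[derive(Debug, PartialEq)]
pub struct Credentials {
    pub username: String,
    pub password: String,
}

/// Hypothetical directory entry: which team a user belongs to and the secret
/// the verifier checks. In production this would be a password hash, not the
/// password itself.
#[derive(Clone)]
pub struct StoredUser {
    pub team: String,
    pub secret: Vec<u8>,
}

/// Identity handed to the rest of the application after a successful login.
#[derive(Debug, PartialEq)]
pub struct AuthenticatedUser {
    pub username: String,
    pub team: String,
}

/// Standard (RFC 4648) base64 decoder, std-only so the example has no crates.
/// Returns None on any character outside the alphabet.
fn base64_decode(input: &str) -> Option<Vec<u8>> {
    const ALPHABET: &[u8] =
        b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let mut out = Vec::with_capacity(input.len() * 3 / 4);
    let (mut buf, mut bits) = (0u32, 0u32);
    for &b in input.trim_end_matches('=').as_bytes() {
        let v = ALPHABET.iter().position(|&c| c == b)? as u32;
        buf = ((buf << 6) | v) & 0xFFFF; // keep only the bits not yet emitted
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((buf >> bits) & 0xFF) as u8);
        }
    }
    Some(out)
}

/// Parse an `Authorization` header value. The scheme token is matched
/// case-insensitively, and only the first ':' separates user-id from password,
/// so passwords containing colons are preserved (RFC 7617 §2).
pub fn parse_basic_auth(header: &str) -> Option<Credentials> {
    let (scheme, encoded) = header.trim().split_once(' ')?;
    if !scheme.eq_ignore_ascii_case("basic") {
        return None;
    }
    let text = String::from_utf8(base64_decode(encoded.trim())?).ok()?;
    let (user, pass) = text.split_once(':')?;
    Some(Credentials { username: user.to_string(), password: pass.to_string() })
}

/// Byte comparison whose running time does not depend on where the inputs
/// first differ (the length check is the only early exit).
pub fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b) {
        diff |= x ^ y;
    }
    diff == 0
}

/// Authenticate a request against the user directory.
pub fn authenticate(
    dir: &HashMap<String, StoredUser>,
    header: &str,
) -> Option<AuthenticatedUser> {
    let creds = parse_basic_auth(header)?;
    // Run the comparison even for unknown users so a missing account does
    // not return measurably faster than a wrong password.
    let dummy = StoredUser { team: String::new(), secret: vec![0u8; 32] };
    let stored = dir.get(&creds.username);
    let ok = constant_time_eq(&stored.unwrap_or(&dummy).secret, creds.password.as_bytes());
    match (ok, stored) {
        (true, Some(user)) => Some(AuthenticatedUser {
            username: creds.username,
            team: user.team.clone(),
        }),
        _ => None,
    }
}

/// Constructed sample directory with one user per team.
pub fn sample_directory() -> HashMap<String, StoredUser> {
    let mut dir = HashMap::new();
    dir.insert("alice".into(), StoredUser { team: "ops".into(), secret: b"correct-horse".to_vec() });
    dir.insert("bob".into(), StoredUser { team: "data".into(), secret: b"hunter2".to_vec() });
    dir
}

fn main() {
    let dir = sample_directory();
    println!("{:?}", authenticate(&dir, "Basic YWxpY2U6Y29ycmVjdC1ob3JzZQ=="));
}
```

Even with these details right, Basic auth still sends the password on every request, so it only makes sense behind TLS, and the team field above is exactly the per-user state that the Keycloak option would take off the project's hands.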