Authentication and authorization

[eboileau]

Aims/objectives.

Add login (sign-in), logout, and sign-up to the application, secure API calls, route guards using Vue Router, etc.

A clear and concise description of todo items.

• What does login provide? Dataset upload via form (dataset can be made public or kept private/for user only), dataset management (e.g. tag dataset from Browse view, create "carts" or profiles, share dataset (public or private) via links, access to restricted vs. public data), ...
• Do we need full role-based authorization, e.g. admin for project creation. Currently this is done via the Flask CLI, and maybe this is enough...
• How? e.g. Cookie-based/JWT authentication (Flask -> Axios), there is also Pinia , a state management library that could be used for that (we may need it anyway to track a user session...), and other authentication-as-a-service solutions, e.g. open source alternatives to Auth0.

Notes/questions.

• I think the current setup with all routes going to / may not work when adding "secure routes". Besides, this does not currently allow to "go back/go forward", as it always returns to home/index.
• Do we need to add database tables to record user information?

[HaraldWilhelmi]

Few general ideas:

• May be we should first decide where our account database should live. The following options come to mind: A LDAP server (including AD, e.g. the AG Dieterich LDAP server), an external OAUTH2 provider (e.g. GitHub), the local database.
• JWT allows a stateless server. That is nice, but only helps if we don't need state on the server for other reasons. E.g. in Medex we decided to have a per-session server-side cached data in the database.