Open rikukissa opened 10 months ago
This task needs to be prioritised as we frequently have mission-critical data exposed from different services. For example, the certificates are available without authorisation:
https://countryconfig.farajaland-qa.opencrvs.org/certificates
There's another auth-related endpoint exposed. In some places it would also be easier from an implementation point of view if we could have as many of these services hidden as we can.
Benefits:
Services to consider:
We will be leaving all the webapps (login, client, kibana, metabase, minio-console) as is.
These are the URLs that we are sending to client from countryconfig currently:
As part of this ticket we would like to trim this down to this:
The `LOGIN_URL` still needs to stay because it's a totally separate webapp, while all the APIs will be served from `API_GATEWAY_URL`.

### Auth

`/auth/*` calls from gateway to the auth microservice. But there's a downside to this: every endpoint defined in the auth microservice is exposed to the internet via gateway, so there's no way of creating an internal endpoint. So the first task is to identify all the endpoints in auth that we want publicly available and proxy them individually from gateway behind `/api/auth/`.

- `/api/auth/*` endpoints where applicable, and remove any such checks from inside the auth microservice.
- `AUTH_URL` in client & login apps, and replace them with `API_GATEWAY_URL/api/auth`
- `AUTH_URL` from being sent to client/login from countryconfig

### Config

- `/api/config`
- `/api/config/*` endpoints where applicable, and remove any such checks from inside the config microservice.
- `CONFIG_API_URL` in client & login apps, and replace them with `API_GATEWAY_URL/api/config`
- `CONFIG_API_URL` from being sent to client/login from countryconfig

### CountryConfig

From client/login's perspective, it doesn't need to know whether it's communicating with the config or countryconfig microservice. So we will be proxying all relevant countryconfig public endpoints behind `/api/config/`.

- `/api/config`
- `/api/config/*` endpoints where applicable, and remove any such checks from inside the countryconfig microservice.
- `COUNTRY_CONFIG_URL` in client & login apps, and replace them with `API_GATEWAY_URL/api/config`
- `COUNTRY_CONFIG_URL` from being sent to client/login from countryconfig

### Webhooks

- `/api/webhooks`
- `/api/webhooks/*` endpoints where applicable, and remove any such checks from inside the webhooks microservice.

### Minio

We will be proxying all `/api/documents/*` endpoints from gateway to the minio service.

- `/api/documents/*` to the minio service. It should not be protected with JWT.

### Client & Gateway

- `GATEWAY_API_URL` too.

We will do that via NGINX `proxy_pass` to redirect all `/api` calls to `gateway:7070/api` on the server, and for local development use https://vitejs.dev/config/server-options#server-proxy to achieve the same.
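The core security point of this ticket is the difference between a blanket `/auth/*` forward (every route a service defines becomes internet-reachable) and a deny-by-default allowlist in the gateway. The following is an added example, not OpenCRVS code: a small route-resolution model that shows both policies side by side, with the JWT requirement enforced at the gateway rather than inside each service, as the ticket proposes. The upstream addresses, the endpoint names in `PUBLIC_ROUTES` and the `hasValidJwt` parameter are constructed placeholders; the only page-given values are the `/api/...` prefixes, the countryconfig `/certificates` path (where requiring a JWT is the assumed fix) and the rule that `/api/documents/*` is not JWT-protected.

```javascript
// Added example, not OpenCRVS code. Contrasts the blanket `/auth/*` forward
// the ticket describes with the explicit per-endpoint allowlist it proposes.
// Upstream addresses and the endpoint names in PUBLIC_ROUTES are constructed
// placeholders.

const UPSTREAMS = {
  auth: 'http://auth.internal',                   // placeholder
  config: 'http://config.internal',               // placeholder
  countryconfig: 'http://countryconfig.internal', // placeholder
  webhooks: 'http://webhooks.internal',           // placeholder
  minio: 'http://minio.internal',                 // placeholder
};

// Normalise first: URL parsing resolves dot segments and splits off the query,
// so matching happens on '/api/auth/x', never on a raw '/api/auth/../auth/x'.
function splitPath(requestPath) {
  const url = new URL(requestPath, 'http://gateway.invalid');
  return { pathname: url.pathname, search: url.search };
}

// Current behaviour: any path under /auth/ is forwarded, so every route the
// auth service defines (internal ones included) is reachable via the gateway.
function resolveWildcard(requestPath) {
  const { pathname, search } = splitPath(requestPath);
  if (!pathname.startsWith('/auth/')) return null;
  return { upstream: UPSTREAMS.auth, target: pathname.slice('/auth'.length) + search, requiresJwt: false };
}

// Proposed behaviour: deny by default. A route is reachable only when listed,
// and the JWT requirement is enforced here rather than inside each service.
// 'exact' entries expose one path; the single 'prefix' entry is for the
// document store, where per-file paths make a wildcard unavoidable.
const PUBLIC_ROUTES = [
  { match: 'exact',  publicPath: '/api/auth/login',          service: 'auth',          upstreamPath: '/login',        requiresJwt: false }, // placeholder endpoint
  { match: 'exact',  publicPath: '/api/auth/refresh',        service: 'auth',          upstreamPath: '/refresh',      requiresJwt: true  }, // placeholder endpoint
  { match: 'exact',  publicPath: '/api/config/settings',     service: 'config',        upstreamPath: '/settings',     requiresJwt: true  }, // placeholder endpoint
  { match: 'exact',  publicPath: '/api/config/certificates', service: 'countryconfig', upstreamPath: '/certificates', requiresJwt: true  }, // ticket's example; JWT requirement is the assumed fix
  { match: 'exact',  publicPath: '/api/webhooks/subscribe',  service: 'webhooks',      upstreamPath: '/subscribe',    requiresJwt: true  }, // placeholder endpoint
  { match: 'prefix', publicPath: '/api/documents/',          service: 'minio',         upstreamPath: '/',             requiresJwt: false }, // ticket: not JWT-protected
];

function resolveRoute(requestPath) {
  const { pathname, search } = splitPath(requestPath);
  for (const route of PUBLIC_ROUTES) {
    if (route.match === 'exact' && pathname === route.publicPath) {
      return { upstream: UPSTREAMS[route.service], target: route.upstreamPath + search, requiresJwt: route.requiresJwt };
    }
    if (route.match === 'prefix' && pathname.startsWith(route.publicPath)) {
      const rest = pathname.slice(route.publicPath.length);
      return { upstream: UPSTREAMS[route.service], target: route.upstreamPath + rest + search, requiresJwt: route.requiresJwt };
    }
  }
  return null; // not allowlisted: the gateway answers 404 itself and nothing reaches the service
}

// Gateway decision for one request. `hasValidJwt` stands in for the gateway's
// own token verification, which this example does not implement.
function decide(requestPath, hasValidJwt) {
  const route = resolveRoute(requestPath);
  if (route === null) return { status: 404 };
  if (route.requiresJwt && !hasValidJwt) return { status: 401 };
  return { status: 200, forwardTo: route.upstream + route.target };
}
```

With this table, `resolveWildcard('/auth/internal-only')` still forwards to the auth service, whereas `resolveRoute('/api/auth/internal-only')` returns `null` and the gateway answers 404 without touching the service. Matching on the parsed `pathname` matters: a request for `/api/auth/../auth/internal-only` is normalised to `/api/auth/internal-only` before the allowlist lookup, so dot segments cannot be used to reach an unlisted route. The same deny-by-default table is what an NGINX `location` block or a Vite `server.proxy` entry in front of the gateway would need to mirror.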