search

thevahidal / soul

🕉 A SQLite REST and realtime server
https://thevahidal.github.io/soul/
MIT License
1.51k stars 51 forks source link

Add permissions and user groups #4

Closed thevahidal closed 6 months ago

IanMayo commented 1 year ago

It could be useful for us to think about the business requirements around permissions and user groups.

Here are some initial thoughts:

I wonder if there are any online sources with best practices for securing REST APIs?

thevahidal commented 1 year ago

We can look for any good practices but there are two things that we must consider, Authentication (Which basically means if the user has access), and Authorization (Which means the level of access that the user has). I think the something like PocketBase implemented it is really neat, maybe we can adopt their way of doing it.

IanMayo commented 1 year ago

For old-skool web-applications, the hard work was done on the server, including making calls to other backend systems. CORS protection is valid in this context, since we can say Soul should only accept requests from the local server: image

But, with modern single-page applications, it's code in the user's browser that is making the REST call. This means we have to open CORS for all addresses: image

Sorry if I'm mistaken in the above @thevahidal , but it does seem that for modern SPAs we can only protect Soul in production via authentication and authorisation.

IanMayo commented 1 year ago

Hello @thevahidal - if you're able to put any more high-level thoughts into here, we'll try to move forward on the further detail, and subsequent implementation.

thevahidal commented 1 year ago

For the CORS thing we only have to tell Soul to trust the frontend web apps origin, so the browsers can't complain about it. But you're right that for true protection we need authentication and authorization. But as you know it's a heavy feature and we need a good design for it.

IanMayo commented 1 year ago

Here is the approach taken to auth in a similar app (PostGrest) - but it pushes most responsibilities to the database, but we don't have role-based table access in SQLite.

IanMayo commented 1 year ago

I've just thought of another approach to security. We could introduce a property whereby the API is only available to be called from a Soul Extension. So, users can create a static front-end-only site, host it as an extension, and the REST API is only available from that static site.

In this mode, Soul would not expose any REST routes at all.

That seems pretty bomb-proof :-)

What do you think, @AbegaM ?

AbegaM commented 1 year ago

@IanMayo That seems like a great idea. I will see how we can make the API only accessible from Soul.

IanMayo commented 1 year ago

I've just thought of another approach to security. We could introduce a property whereby the API is only available to be called from a Soul Extension. So, users can create a static front-end-only site, host it as an extension, and the REST API is only available from that static site.

In this mode, Soul would not expose any REST routes at all.

That seems pretty bomb-proof :-)

What do you think, @AbegaM ?

FYI @thevahidal , @AbegaM and I are going to try to progress the above in coming weeks. We'll be sure to share design thoughts/plans before we start writing code.

thevahidal commented 1 year ago

@IanMayo That's awesome, man. I can't wait to see your designs!