Needs to capture:
- The user Probo ID
- Human readable
{
"key": "coordinator-1",
"context": {
"actingUser": {
"id": "d0229483-18c5-4182-99ef-c38577f73961",
"slug": "github:tizzo",
"admin": true,
}
},
"permissions": {
"assetReceiver": {
"backup": true,
"read": {
"buckets": [
"3280f824-991d-4fb3-a48a-aed430a444f2"
],
}
},
"loom": {
"write": [
"stream-build-3280f824-991d-4fb3-a48a-aed430a444f2"
]
},
}
}
// Route-level guard for a single stream: the bearer token must grant
// `permissions.loom.write` for the stream named by `:streamId`. The second
// createMiddleware() argument names where in the request the resource id
// lives; presumably it is matched against the claim's array of stream ids
// (compare the sample token's `permissions.loom.write`) — confirm in probo-jwt.
var requireStreamWrite = jwtHandler.createMiddleware(
  'permissions.loom.write',
  'req.params.streamId'
);
app.get('/api/streams/:streamId', requireStreamWrite, function (req, res) {
  /* do stuff. */
});
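// Module dependencies. `fs` is required here because the configure() call
// below reads the verification key from disk with fs.readFileSync; without
// this line that call would throw a ReferenceError at startup.
var fs = require('fs');
var jwtHandler = require('probo-jwt');
var app = require('express')();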
// Trust configuration: `keys` maps a key id to the key material used to verify
// tokens that name it. The sample token above carries "key": "coordinator-1",
// which presumably selects this entry — confirm against probo-jwt. The .pub
// suffix suggests an asymmetric public key, so the private half must stay with
// the coordinator that signs tokens.
var verificationKeys = {
  'coordinator-1': fs.readFileSync('/some/path/to/coordinator-1.pub'),
};
jwtHandler.configure({ keys: verificationKeys });
// Application-wide guard: every request must carry a token granting
// `permissions.assetReceiver.backup` (an admin acting user passes regardless;
// see the expanded form below).
var requireBackupPermission = jwtHandler.createMiddleware('permissions.assetReceiver.backup');
app.use(requireBackupPermission);
// The above is short for:
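// Expanded form of createMiddleware('permissions.assetReceiver.backup'):
//   1. the bearer token is parsed and verified; a missing, malformed or
//      unverifiable token is rejected with 401 before any claim is trusted,
//   2. an admin acting user bypasses the permission check entirely,
//   3. otherwise the claim path permissions.assetReceiver.backup must be truthy,
//      else 403.
// Every level of the claims object is tested explicitly so a token that lacks
// `context` or `permissions` is denied rather than crashing the handler.
app.use(function (req, res, next) {
  var claims = null;
  try {
    // NOTE(review): reads a custom `bearer` header; confirm this matches what
    // clients send (the conventional form is `Authorization: Bearer <token>`).
    var token = parseToken(req.headers.bearer);
    // NOTE(review): verify() is shown without a key argument — it presumably
    // resolves the key from the token's `key` id via the map given to
    // jwtHandler.configure(); confirm the signature is actually checked.
    claims = jwt.verify(token);
  } catch (err) {
    // Anything parseToken() or verify() throws for (no header, bad signature,
    // expired token, ...) is treated as unauthenticated instead of escaping
    // as an unhandled exception.
    claims = null;
  }
  if (!claims) {
    res.writeHead(401);
    res.end('Invalid token');
    return;
  }
  var actingUser = claims.context && claims.context.actingUser;
  // Admin short-circuit: no per-permission check for admin acting users.
  if (actingUser && actingUser.admin) {
    return next();
  }
  var assetReceiver = claims.permissions && claims.permissions.assetReceiver;
  if (!assetReceiver || !assetReceiver.backup) {
    res.writeHead(403);
    res.end('Access denied');
    return;
  }
  next();
});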
@tizzo @lliss this JWT service is great overall. I think our processes would be simplified if the
actingUser
object also included the token & refreshToken of the service. Right now these service tokens are passed as parameters or post objects throughout the system, and adding them to the JWT would normalize and simplify the process. For example, imagine cases where the web UI needs to get info about a user from Github, or the container manager wants to know if a user is an admin of a Github organization. It's an easier task if the GH tokens are included! Lastly, the
slug
field will be very weird for stash. I recommend splitting it into two fields. Additionally, the word "slug" means the provider's slug. We use the word "type" to differentiate the "provider" (you can see this in the Repo model). I'm only recommending naming changes to normalize with the rest of the system.