
Real user Auth/ Access Scopes - now we add some access control to our api #25

Open
rosenstrauch opened this issue Oct 20, 2016 · 1 comment
@rosenstrauch
Contributor

rosenstrauch commented Oct 20, 2016

In order to ensure not everyone can read and increment the value of the counter
as admin,
I want API users to have to send some key/password to authenticate.

I also need to be able to configure who can do what, and have the ability to revoke access and treat user 1 (admin) in a different way than users.

Counter-related actions require an API key or access token

  1. There should be a scope for reading.
  2. Just because I can read doesn't mean I can increment.
  3. Authenticate individual counter.
  4. Ability to set display to public but only increment with 'password/apikey'.

Auth related actions

  • Change admin Password
  • Register generated api key (representing a user)
  • Reset API Key (which is authenticating a user)
  • Revoke api key (representing a user)
  • Reset Access token (for a specific resource and client)
  • Create Access token (for a specific resource and client)
  • basic auth
    • [[http://stackoverflow.com/a/36839171]]
    • [[http://www.appelsiini.net/projects/slim-basic-auth]]
  • jwt auth
    • [[https://github.com/tuupola/slim-jwt-auth]]
    • [[https://github.com/tuupola/slim-api-skeleton/blob/master/routes/token.php]]
  • oauth2
    • [[https://github.com/pabloroca/slim3-simple-rest-skeleton]]
    • [[https://packagist.org/packages/slimphp-api/slim-oauth]]
    • [[https://github.com/chadicus/slim-oauth2-middleware]]
    • [[https://oauth2.thephpleague.com/resource-server/securing-your-api/]]
  • Sessions for users?
  • Counter password considerations - if the counter can be configured individually as public or to require a password/apikey to access what would that mean for locking and other actions?
  • Counter routes authentication using OAuth 2
    API keys and scopes will be maintained in DB tables.
    Keys are our closest approximation to users.
    Scopes represent permissions/roles.
    We may also maintain access tokens that can be created by users so they can keep their API key protected.
  • Admin UI routes authentication
    Add a route I can query if I know the Adminsupersecret to get an adminToken.
    adminToken will be required to be passed via header, cookie or query string in order to access admin paths.
    [[http://www.appelsiini.net/projects/slim-jwt-auth]]
  • adjust swagger auth definitions
    [[https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md]]
    [[https://github.com/swagger-api/swagger-ui/issues/2397]] (Implement OAuth2 password flow, swagger-api/swagger-ui#2397)
    [[https://github.com/swagger-api/swagger-ui/issues/818#issuecomment-228700751]] (How to integrate with JWT based authentication?, swagger-api/swagger-ui#818)
    [[https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#security-scheme-object-example]]
    [[http://apihandyman.io/writing-openapi-swagger-specification-tutorial-part-6-defining-security/]]
@rosenstrauch rosenstrauch added this to the 0.2.x milestone Dec 6, 2016
@rosenstrauch
Contributor Author

rosenstrauch commented Jan 20, 2017

MVP is:

  • protected admin routes (password via htaccess is ok for now)
  • every counter needs a token for incrementing/resetting
  • counter access token can be reset by admin
  • viewing counters is public
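
The authorization model sketched in the first post (API keys standing in for users, scopes standing in for permissions, a per-counter token) combined with the MVP rules above, as an added example written in plain PHP so it runs without Slim. This is not the counter project's code: the `CounterAuthz` class, the `$keys` and `$counters` tables and every secret in them are constructed for this example, and it assumes PHP 8 (constructor property promotion). In a Slim app the same decision would sit in a middleware in front of the counter routes.

```php
<?php
declare(strict_types=1);

// Added example, not the counter project's code: a minimal authorization
// decision for the rules in this issue. The key and counter arrays stand in
// for the DB tables the issue mentions; all names and secrets are constructed.
final class CounterAuthz
{
    // Which scope each action needs; unknown actions are denied.
    private const NEEDED_SCOPE = [
        'view'        => 'read',
        'increment'   => 'increment',
        'reset_token' => 'admin',
    ];

    /**
     * @param array<string,array{hash:string,scopes:string[]}>  $keys     key id => sha256 of secret + granted scopes
     * @param array<string,array{public:bool,token_hash:string}> $counters counter id => visibility + sha256 of its token
     */
    public function __construct(private array $keys, private array $counters) {}

    // Secrets are never stored in clear; only their SHA-256 digest is kept.
    public static function digest(string $secret): string
    {
        return hash('sha256', $secret);
    }

    // Admin-only: issue a fresh high-entropy counter token, store only its
    // digest, and return the clear token once so it can be handed out.
    public function resetToken(string $counterId, ?string $adminCredential): ?string
    {
        if (!$this->authorize('reset_token', $counterId, $adminCredential)) {
            return null;
        }
        $token = bin2hex(random_bytes(32));
        $this->counters[$counterId]['token_hash'] = self::digest($token);
        return $token;
    }

    // Decide whether $action on $counterId is allowed for the presented credential
    // (a counter token or an API key secret, or null when nothing was sent).
    public function authorize(string $action, string $counterId, ?string $credential): bool
    {
        $counter = $this->counters[$counterId] ?? null;
        if ($counter === null || !isset(self::NEEDED_SCOPE[$action])) {
            return false; // unknown counter or action: deny by default
        }
        if ($action === 'view' && $counter['public']) {
            return true; // public display needs no credential (MVP rule)
        }
        return in_array(self::NEEDED_SCOPE[$action], $this->scopesFor($credential, $counter), true);
    }

    /** Map a presented credential to the scopes it grants on this counter. */
    private function scopesFor(?string $credential, array $counter): array
    {
        if ($credential === null || $credential === '') {
            return [];
        }
        $digest = self::digest($credential);
        // The per-counter token grants read + increment on that counter only.
        if (hash_equals($counter['token_hash'], $digest)) {
            return ['read', 'increment'];
        }
        // Otherwise look for an API key with this digest; keys approximate users.
        foreach ($this->keys as $key) {
            if (hash_equals($key['hash'], $digest)) {
                return $key['scopes'];
            }
        }
        return [];
    }
}

// Constructed sample tables (secrets appear in clear here only to build the digests).
$keys = [
    'admin'  => ['hash' => CounterAuthz::digest('admin-secret-example'),  'scopes' => ['read', 'increment', 'admin']],
    'reader' => ['hash' => CounterAuthz::digest('reader-secret-example'), 'scopes' => ['read']],
];
$counters = [
    'hits'    => ['public' => true,  'token_hash' => CounterAuthz::digest('hits-token-example')],
    'private' => ['public' => false, 'token_hash' => CounterAuthz::digest('private-token-example')],
];
$authz = new CounterAuthz($keys, $counters);

var_dump($authz->authorize('view', 'hits', null));                         // public display, no credential
var_dump($authz->authorize('increment', 'hits', null));                    // increment without any token
var_dump($authz->authorize('increment', 'hits', 'hits-token-example'));    // increment with the counter's own token
var_dump($authz->authorize('increment', 'hits', 'reader-secret-example')); // increment with a read-only key
var_dump($authz->authorize('view', 'private', 'reader-secret-example'));   // non-public counter, read scope
var_dump($authz->authorize('increment', 'private', 'hits-token-example')); // token of a different counter
var_dump($authz->resetToken('hits', 'reader-secret-example'));             // token reset by a non-admin key
$new = $authz->resetToken('hits', 'admin-secret-example');                 // token reset by the admin key
var_dump($new !== null && $authz->authorize('increment', 'hits', $new));   // freshly issued token in use
```

Two design points worth keeping when this moves into the real DB tables: store only digests of keys and tokens and compare them with `hash_equals`, so a leaked table does not hand out working credentials and the comparison is not timing-dependent; and generate tokens with `random_bytes` rather than anything derived from the counter name or admin password, so revoking or resetting one counter's token never affects another.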

@rosenstrauch rosenstrauch modified the milestones: 0.2.x, 1.1.x Mar 21, 2017