auth/README.md

# Mobicoop V3 - Auth Service

Authentication (AuthN) and Authorization (AuthZ) data management.

## Requirements

You need [Docker](https://docs.docker.com/engine/) and its [compose](https://docs.docker.com/compose/) plugin.

You also need NodeJS installed locally : we **strongly** advise to install [Node Version Manager](https://github.com/nvm-sh/nvm) and use the latest LTS version of Node (check that your local version matches with the one used in the Dockerfile).

The API will run inside a docker container, **but** the install itself is made outside the container, because during development we need tools that need to be available locally (eg. ESLint, Prettier...).

A RabbitMQ instance is also required to send / receive messages when data has been inserted/updated/deleted.

## Installation

- copy `.env.dist` to `.env` :

    ```bash
    cp .env.dist .env
    ```

    Modify it if needed.

- install the dependencies :

    ```bash
    npm install
    ```
    
- start the containers :

    ```bash
    docker compose up -d
    ```

    The app runs automatically on port **5002**.

## Database migration

Before using the app, you need to launch the database migration (it will be launched inside the container) :

```bash
npm run migrate
```

## Usage

The app is used for authentication (aka AuthN) and authorization (aka AuthZ).

### AuthN

AuthN consists in verifying a username / password couple. A user can have multiple usernames (representing multiple identifiers), all of them sharing the same password. In the app, all the authentication information about a user is called an _auth_. As of 2022/10/23, the possible identifiers are :

-   an email
-   a phone number

Note that all usernames are unique in the system : many users can't have the same email or phone number.

For AuthN, the app exposes the following [gRPC](https://grpc.io/) services :

-   **Create** : create an auth with one username / password (you can't create multiple usernames at once)

    ```json
    {
        "uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",
        "username": "john.doe@email.com",
        "password": "John123",
        "type": "EMAIL"
    }
    ```

-   **AddUsername** : add a username to an auth

    ```json
    {
        "uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",
        "username": "+33611223344",
        "type": "PHONE"
    }
    ```

-   **UpdateUsername** : update a username

    ```json
    {
        "uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",
        "username": "johnny.doe@email.com",
        "type": "EMAIL"
    }
    ```

-   **DeleteUsername** : delete a username (an error is thrown if it's the only username of an auth, as an auth **must** have at least one associated username)

    ```json
    {
        "username": "+33611223344"
    }
    ```

-   **UpdatePassword** : update the password of an auth

    ```json
    {
        "uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",
        "password": "Johnny123"
    }
    ```

-   **Validate** : validate an auth (= authentication with username/password)

    ```json
    {
        "username": "john.doe@email.com",
        "password": "Johnny123"
    }
    ```

-   **Delete** : delete an auth and its associated usernames

    ```json
    {
        "uuid": "30f49838-3f24-42bb-a489-8ffb480173ae"
    }
    ```

### AuthZ

AuthZ consists in verifying if a given **user** has the right permission to execute a given **action** within a given **domain**. Some context-dependant information can be given as well.

For AuthZ, the app exposes the following [gRPC](https://grpc.io/) services :

-   **Decide** : asks the authorization service if a user has the right permission

    ```json
    {
        "uuid": "96d99d44-e0a6-458e-a656-de2a400d60a9",
        "domain": "USER",
        "action": "READ",
        "context": [
            {
                "name": "owner",
                "value": "96d99d44-e0a6-458e-a656-de2a400d60a8"
            },
            {
                "name": "role",
                "value": "admin"
            }
        ]
    }
    ```

    In return, the service gives an authorization response : 

    ```json
    {
        "allow": true
    }
    ```


## Messages

Various RabbitMQ messages are sent for logging purpose.

## Tests

Tests are run outside the container for ease of use (switching between different environments inside containers using prisma is complicated and error prone).
The integration tests use a dedicated database (see *db-test* section of *docker-compose.yml*).

```bash
# run all tests (unit + integration)
npm run test

# unit tests only
npm run test:unit

# integration tests only
npm run test:integration

# coverage
npm run test:cov
```

## License

Mobicoop V3 - Auth Service is [AGPL licensed](LICENSE).
initial commit 2022-12-15 09:59:45 +00:00			`# Mobicoop V3 - Auth Service`
Initial commit 2022-12-15 09:51:09 +00:00
initial commit 2022-12-15 09:59:45 +00:00			`Authentication (AuthN) and Authorization (AuthZ) data management.`
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2022-12-23 15:10:42 +00:00			`## Requirements`
Initial commit 2022-12-15 09:51:09 +00:00
update compose 2023-01-04 12:51:40 +00:00			`You need [Docker](https://docs.docker.com/engine/) and its [compose](https://docs.docker.com/compose/) plugin.`
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			`You also need NodeJS installed locally : we strongly advise to install [Node Version Manager](https://github.com/nvm-sh/nvm) and use the latest LTS version of Node (check that your local version matches with the one used in the Dockerfile).`

			`The API will run inside a docker container, but the install itself is made outside the container, because during development we need tools that need to be available locally (eg. ESLint, Prettier...).`

update readme 2022-12-23 15:10:42 +00:00			`A RabbitMQ instance is also required to send / receive messages when data has been inserted/updated/deleted.`

			`## Installation`

update readme 2023-01-06 14:06:54 +00:00			- copy `.env.dist` to `.env` :
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			```bash
			`cp .env.dist .env`
			```
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			`Modify it if needed.`
Initial commit 2022-12-15 09:51:09 +00:00
simplify, update readme 2023-01-06 14:10:40 +00:00			`- install the dependencies :`

			```bash
			`npm install`
			```

update readme 2023-01-06 14:06:54 +00:00			`- start the containers :`
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			```bash
			`docker compose up -d`
			```
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			`The app runs automatically on port 5002.`

initial commit 2022-12-15 09:59:45 +00:00			`## Database migration`
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			`Before using the app, you need to launch the database migration (it will be launched inside the container) :`
Initial commit 2022-12-15 09:51:09 +00:00
initial commit 2022-12-15 09:59:45 +00:00			```bash
update readme 2023-01-06 14:06:54 +00:00			`npm run migrate`
initial commit 2022-12-15 09:59:45 +00:00			```
Initial commit 2022-12-15 09:51:09 +00:00
			`## Usage`

update readme 2023-01-18 15:08:11 +00:00			`The app is used for authentication (aka AuthN) and authorization (aka AuthZ).`

			`### AuthN`
update readme 2022-12-23 15:10:42 +00:00
			`AuthN consists in verifying a username / password couple. A user can have multiple usernames (representing multiple identifiers), all of them sharing the same password. In the app, all the authentication information about a user is called an _auth_. As of 2022/10/23, the possible identifiers are :`
crate/update/validate auth 2022-12-16 15:46:14 +00:00
update readme 2022-12-23 15:10:42 +00:00			`- an email`
			`- a phone number`

			`Note that all usernames are unique in the system : many users can't have the same email or phone number.`

			`For AuthN, the app exposes the following [gRPC](https://grpc.io/) services :`

			`- Create : create an auth with one username / password (you can't create multiple usernames at once)`
crate/update/validate auth 2022-12-16 15:46:14 +00:00
			```json
			`{`
			`"uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",`
			`"username": "john.doe@email.com",`
update readme 2022-12-23 15:10:42 +00:00			`"password": "John123",`
			`"type": "EMAIL"`
			`}`
			```

			`- AddUsername : add a username to an auth`

			```json
			`{`
			`"uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",`
			`"username": "+33611223344",`
			`"type": "PHONE"`
crate/update/validate auth 2022-12-16 15:46:14 +00:00			`}`
			```

update readme 2022-12-23 15:10:42 +00:00			`- UpdateUsername : update a username`
crate/update/validate auth 2022-12-16 15:46:14 +00:00
			```json
			`{`
			`"uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",`
			`"username": "johnny.doe@email.com",`
update readme 2022-12-23 15:10:42 +00:00			`"type": "EMAIL"`
			`}`
			```

			`- DeleteUsername : delete a username (an error is thrown if it's the only username of an auth, as an auth must have at least one associated username)`

			```json
			`{`
			`"username": "+33611223344"`
			`}`
			```

			`- UpdatePassword : update the password of an auth`

			```json
			`{`
			`"uuid": "30f49838-3f24-42bb-a489-8ffb480173ae",`
			`"password": "Johnny123"`
crate/update/validate auth 2022-12-16 15:46:14 +00:00			`}`
			```

			`- Validate : validate an auth (= authentication with username/password)`

			```json
			`{`
			`"username": "john.doe@email.com",`
update readme 2022-12-23 15:10:42 +00:00			`"password": "Johnny123"`
crate/update/validate auth 2022-12-16 15:46:14 +00:00			`}`
			```
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2022-12-23 15:10:42 +00:00			`- Delete : delete an auth and its associated usernames`

			```json
			`{`
			`"uuid": "30f49838-3f24-42bb-a489-8ffb480173ae"`
			`}`
			```

update readme 2023-01-18 15:08:11 +00:00			`### AuthZ`

			`AuthZ consists in verifying if a given user has the right permission to execute a given action within a given domain. Some context-dependant information can be given as well.`

			`For AuthZ, the app exposes the following [gRPC](https://grpc.io/) services :`

			`- Decide : asks the authorization service if a user has the right permission`

			```json
			`{`
			`"uuid": "96d99d44-e0a6-458e-a656-de2a400d60a9",`
Update README.md 2023-01-31 13:13:54 +00:00			`"domain": "USER",`
			`"action": "READ",`
update readme 2023-01-18 15:08:11 +00:00			`"context": [`
			`{`
			`"name": "owner",`
			`"value": "96d99d44-e0a6-458e-a656-de2a400d60a8"`
			`},`
			`{`
			`"name": "role",`
			`"value": "admin"`
			`}`
			`]`
			`}`
			```

			`In return, the service gives an authorization response :`

			```json
			`{`
			`"allow": true`
			`}`
			```


update readme 2022-12-23 15:10:42 +00:00			`## Messages`

			`Various RabbitMQ messages are sent for logging purpose.`

update readme 2023-01-06 14:06:54 +00:00			`## Tests`

			`Tests are run outside the container for ease of use (switching between different environments inside containers using prisma is complicated and error prone).`
			`The integration tests use a dedicated database (see db-test section of docker-compose.yml).`
Initial commit 2022-12-15 09:51:09 +00:00
initial commit 2022-12-15 09:59:45 +00:00			```bash
update readme 2023-01-06 14:06:54 +00:00			`# run all tests (unit + integration)`
			`npm run test`
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			`# unit tests only`
			`npm run test:unit`

			`# integration tests only`
			`npm run test:integration`
Initial commit 2022-12-15 09:51:09 +00:00
update readme 2023-01-06 14:06:54 +00:00			`# coverage`
			`npm run test:cov`
			```
Initial commit 2022-12-15 09:51:09 +00:00
			`## License`

initial commit 2022-12-15 09:59:45 +00:00			`Mobicoop V3 - Auth Service is [AGPL licensed](LICENSE).`