197 lines
4.7 KiB
Markdown
197 lines
4.7 KiB
Markdown
# Mobicoop V3 - Auth Service
|
|
|
|
Authentication (AuthN) and Authorization (AuthZ) data management.
|
|
|
|
## Requirements
|
|
|
|
You need [Docker](https://docs.docker.com/engine/) and its [compose](https://docs.docker.com/compose/) plugin.
|
|
|
|
You also need NodeJS installed locally : we **strongly** advise to install [Node Version Manager](https://github.com/nvm-sh/nvm) and use the latest LTS version of Node (check that your local version matches with the one used in the Dockerfile).
|
|
|
|
The API will run inside a docker container, **but** the install itself is made outside the container, because during development we need tools that need to be available locally (eg. ESLint, Prettier...).
|
|
|
|
A RabbitMQ instance is also required to send / receive messages when data has been inserted/updated/deleted.
|
|
|
|
## Installation
|
|
|
|
- copy `.env.dist` to `.env` :
|
|
|
|
```bash
|
|
cp .env.dist .env
|
|
```
|
|
|
|
Modify it if needed.
|
|
|
|
- install the dependencies :
|
|
|
|
```bash
|
|
npm install
|
|
```
|
|
|
|
- start the containers :
|
|
|
|
```bash
|
|
docker compose up -d
|
|
```
|
|
|
|
The app runs automatically on port **5002**.
|
|
|
|
## Database migration
|
|
|
|
Before using the app, you need to launch the database migration (it will be launched inside the container) :
|
|
|
|
```bash
|
|
npm run migrate
|
|
```
|
|
|
|
## Usage
|
|
|
|
The app is used for authentication (aka AuthN) and authorization (aka AuthZ).
|
|
|
|
### AuthN
|
|
|
|
AuthN consists in verifying a username / password couple. A user can have multiple usernames (representing multiple identifiers), all of them sharing the same password. In the app, all the authentication information about a user is called an _auth_. As of 2022/10/23, the possible identifiers are :
|
|
|
|
- an email
|
|
- a phone number
|
|
|
|
Note that all usernames are unique in the system : many users can't have the same email or phone number.
|
|
|
|
For AuthN, the app exposes the following [gRPC](https://grpc.io/) services :
|
|
|
|
- **Create** : create an auth with usernames and a password
|
|
|
|
```json
|
|
{
|
|
"userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
|
|
"usernames": [
|
|
{
|
|
"name": "john.doe@email.com",
|
|
"type": "EMAIL"
|
|
}
|
|
],
|
|
"password": "John123"
|
|
}
|
|
```
|
|
|
|
- **AddUsername** : add a username to an auth
|
|
|
|
```json
|
|
{
|
|
"userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
|
|
"name": "+33611223344",
|
|
"type": "PHONE"
|
|
}
|
|
```
|
|
|
|
- **UpdateUsername** : update a username
|
|
|
|
```json
|
|
{
|
|
"userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
|
|
"name": "johnny.doe@email.com",
|
|
"type": "EMAIL"
|
|
}
|
|
```
|
|
|
|
- **DeleteUsername** : delete a username (an error is thrown if it's the only username of an auth, as an auth **must** have at least one associated username)
|
|
|
|
```json
|
|
{
|
|
"name": "+33611223344"
|
|
}
|
|
```
|
|
|
|
- **UpdatePassword** : update the password of an auth
|
|
|
|
```json
|
|
{
|
|
"userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
|
|
"password": "Johnny123"
|
|
}
|
|
```
|
|
|
|
- **Validate** : validate an auth (= authentication with name/password)
|
|
|
|
```json
|
|
{
|
|
"name": "john.doe@email.com",
|
|
"password": "Johnny123"
|
|
}
|
|
```
|
|
|
|
- **Delete** : delete an auth and its associated usernames
|
|
|
|
```json
|
|
{
|
|
"userId": "30f49838-3f24-42bb-a489-8ffb480173ae"
|
|
}
|
|
```
|
|
|
|
### AuthZ
|
|
|
|
AuthZ consists in verifying if a given **user** has the right permission to execute a given **action** within a given **domain**. Some context-dependant information can be given as well.
|
|
|
|
For AuthZ, the app exposes the following [gRPC](https://grpc.io/) services :
|
|
|
|
- **Decide** : asks the authorization service if a user has the right permission
|
|
|
|
```json
|
|
{
|
|
"userId": "96d99d44-e0a6-458e-a656-de2a400d60a9",
|
|
"domain": "USER",
|
|
"action": "READ",
|
|
"context": [
|
|
{
|
|
"name": "owner",
|
|
"value": "96d99d44-e0a6-458e-a656-de2a400d60a8"
|
|
},
|
|
{
|
|
"name": "role",
|
|
"value": "admin"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
In return, the service gives an authorization response :
|
|
|
|
```json
|
|
{
|
|
"allow": true
|
|
}
|
|
```
|
|
|
|
## Messages
|
|
|
|
Various RabbitMQ messages are sent for logging purpose.
|
|
|
|
## Tests / ESLint / Prettier
|
|
|
|
Tests are run outside the container for ease of use (switching between different environments inside containers using prisma is complicated and error prone).
|
|
The integration tests use a dedicated database (see _db-test_ section of _docker-compose.yml_).
|
|
|
|
```bash
|
|
# run all tests (unit + integration)
|
|
npm run test
|
|
|
|
# unit tests only
|
|
npm run test:unit
|
|
|
|
# integration tests only
|
|
npm run test:integration
|
|
|
|
# coverage
|
|
npm run test:cov
|
|
|
|
# ESLint
|
|
npm run lint
|
|
|
|
# Prettier
|
|
npm run pretty
|
|
```
|
|
|
|
## License
|
|
|
|
Mobicoop V3 - Auth Service is [AGPL licensed](LICENSE).
|