Mobicoop V3 authentication and authorization service

Go to file

Fanch ee2c5c35c8 use full registry path for docker image		2024-01-17 10:20:56 +01:00
ci	use full registry path for docker image	2024-01-17 10:20:56 +01:00
opa	authorization module	2023-07-12 10:39:55 +02:00
prisma	add argon encryption	2023-11-16 10:14:39 +01:00
src	upgrade packages; handle throttle failure with message broker handler	2024-01-16 17:30:51 +01:00
.dockerignore	update gitlabci	2023-01-12 14:23:59 +01:00
.editorconfig	initial commit	2022-12-15 10:59:45 +01:00
.env.dist	use full registry path for docker image	2024-01-17 10:20:56 +01:00
.env.test	use full registry path for docker image	2024-01-17 10:20:56 +01:00
.eslintrc.js	lint pretty --check	2023-03-30 10:28:20 +02:00
.gitignore	remove pgadmin	2022-12-26 09:42:49 +01:00
.gitlab-ci.yml	Improve security : add sast and secret detection in gitlab ci	2023-11-06 08:55:14 +01:00
.ncurc.json	fix bcrypt crashing... again	2023-11-02 12:26:03 +01:00
.prettierignore	lint pretty --check	2023-03-30 10:28:20 +02:00
.prettierrc.json	lint pretty --check	2023-03-30 10:28:20 +02:00
Dockerfile	use full registry path for docker image	2024-01-17 10:20:56 +01:00
LICENSE	initial commit	2022-12-15 10:59:45 +01:00
README.md	update readme	2023-07-13 10:17:38 +02:00
docker-compose.ci.service.yml	clean compose	2023-02-28 10:46:03 +01:00
docker-compose.ci.tools.yml	upgrade ci base docker image	2023-11-16 10:22:18 +01:00
docker-compose.yml	add health check rest service	2023-04-04 10:14:41 +02:00
nest-cli.json	initial commit	2022-12-15 10:59:45 +01:00
package-lock.json	0.8.2	2024-01-16 17:31:01 +01:00
package.json	0.8.2	2024-01-16 17:31:01 +01:00
tsconfig.build.json	initial commit	2022-12-15 10:59:45 +01:00
tsconfig.json	update packages, refactor	2023-10-17 14:48:05 +02:00

README.md

Mobicoop V3 - Auth Service

Authentication (AuthN) and Authorization (AuthZ) data management.

Requirements

You need Docker and its compose plugin.

You also need NodeJS installed locally : we strongly advise to install Node Version Manager and use the latest LTS version of Node (check that your local version matches with the one used in the Dockerfile).

The API will run inside a docker container, but the install itself is made outside the container, because during development we need tools that need to be available locally (eg. ESLint, Prettier...).

A RabbitMQ instance is also required to send / receive messages when data has been inserted/updated/deleted.

Installation

copy .env.dist to .env :
```
cp .env.dist .env
```
Modify it if needed.
install the dependencies :
```
npm install
```
start the containers :
```
docker compose up -d
```
The app runs automatically on port 5002.

Database migration

Before using the app, you need to launch the database migration (it will be launched inside the container) :

npm run migrate

Usage

The app is used for authentication (aka AuthN) and authorization (aka AuthZ).

AuthN

AuthN consists in verifying a username / password couple. A user can have multiple usernames (representing multiple identifiers), all of them sharing the same password. In the app, all the authentication information about a user is called an auth. As of 2022/10/23, the possible identifiers are :

an email
a phone number

Note that all usernames are unique in the system : many users can't have the same email or phone number.

For AuthN, the app exposes the following gRPC services :

Create : create an auth with usernames and a password

{
    "userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
    "usernames": [
        {
            "name": "john.doe@email.com",
            "type": "EMAIL"
        }
    ],
    "password": "John123"
}

AddUsername : add a username to an auth

{
    "userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
    "name": "+33611223344",
    "type": "PHONE"
}

UpdateUsername : update a username

{
    "userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
    "name": "johnny.doe@email.com",
    "type": "EMAIL"
}

DeleteUsername : delete a username (an error is thrown if it's the only username of an auth, as an auth must have at least one associated username)
```
{
    "name": "+33611223344"
}
```

UpdatePassword : update the password of an auth

{
    "userId": "30f49838-3f24-42bb-a489-8ffb480173ae",
    "password": "Johnny123"
}

Validate : validate an auth (= authentication with name/password)

{
    "name": "john.doe@email.com",
    "password": "Johnny123"
}

Delete : delete an auth and its associated usernames

{
    "userId": "30f49838-3f24-42bb-a489-8ffb480173ae"
}

AuthZ

AuthZ consists in verifying if a given user has the right permission to execute a given action within a given domain. Some context-dependant information can be given as well.

For AuthZ, the app exposes the following gRPC services :

Decide : asks the authorization service if a user has the right permission

{
    "userId": "96d99d44-e0a6-458e-a656-de2a400d60a9",
    "domain": "USER",
    "action": "READ",
    "context": [
        {
            "name": "owner",
            "value": "96d99d44-e0a6-458e-a656-de2a400d60a8"
        },
        {
            "name": "role",
            "value": "admin"
        }
    ]
}

In return, the service gives an authorization response :

{
    "allow": true
}

Messages

Various RabbitMQ messages are sent for logging purpose.

Tests / ESLint / Prettier

Tests are run outside the container for ease of use (switching between different environments inside containers using prisma is complicated and error prone). The integration tests use a dedicated database (see db-test section of docker-compose.yml).

# run all tests (unit + integration)
npm run test

# unit tests only
npm run test:unit

# integration tests only
npm run test:integration

# coverage
npm run test:cov

# ESLint
npm run lint

# Prettier
npm run pretty

License

Mobicoop V3 - Auth Service is AGPL licensed.