Rewrite authentication (and authorisation) logic #1798
Assignees
Labels
For: Backend
Module: Application
For anything related to the Application module
Module: Company
For anything related to the Company module
Module: User
For anything related to the User module
Type: Enhancement
Type: Feature
Type: Idea
Type: Security
Comments
tomudding
added
Type: Feature
Type: Idea
Type: Security
Type: Enhancement
For: Backend
Module: Application
This was referenced Jun 7, 2024
|
We have to be careful which routes we mark as requiring a login. For example, the course document download must always be accessible (so |
5 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What would you like?
This a combination of several ideas I have had over the past few years. With the introduction of GEWIS/gewisdb#234 in GEWISDB we have a better idea of how we are supposed to do this.
The authentication flow is re-done to better account for the several "account" types that we have:
With this it means we can actually make a split between
401and403errors. Part of GH-1124 can be done by already moving authentication to the route stack(s) (throughauth_typeas introduced in GEWIS/gewisdb#234). This can lead to the removal of theget(Company)UserIdentityOrThrowException()in theGenericAclService. Furthermore, we should move the IP range check partially towards our memcache (or a new redis instance).This will include GH-1557 and will allow for more API functionalities in the future (e.g. GH-1046).
Why is this needed?
Simplification of our existing systems. Even with my 4+ years of experience with this codebase the authentication and authorisation aspects of it are the most difficult to work with/understand in my opinion.
Other information
When changing the API authentication, we will break any existing setup.
The text was updated successfully, but these errors were encountered: