Conversation
|
A database migration was added for this so make sure you do a flyway migration and generate the jooq sources. |
|
bi-web uses a health endpoint that is provided by micronaut which is not currently in the api docs. Even though we didn't write it, it's still part of the api for the system so I think it should be added to the api docs. |
|
| @@ -107,18 +102,13 @@ public HttpResponse<Response<Program>> createProgram(Principal principal, @Valid | |||
| @Produces(MediaType.APPLICATION_JSON) | |||
| @AddMetadata | |||
| @Secured(SecurityRule.IS_AUTHENTICATED) | |||
There was a problem hiding this comment.
I see that the edit endpoints are not set to ADMIN which looks consistent with the requirements flow charts (admin & breeder) but I'm wondering about the front end. Currently you can only edit a program on the admin page. Not for this card but do we need to add editing capability to the user program management page if you have a breeder program role? Or would a breeder get pieces of admin functionality on the sidebar? Just discussing here because this permission thing made me think of it. Thoughts @eawoods?
There was a problem hiding this comment.
I believe that permission scheme is an intentional decision -> program metadata (name and species) is not editable by anyone except the admin role.
| @Produces(MediaType.APPLICATION_JSON) | ||
| @Secured(SecurityRule.IS_AUTHENTICATED) | ||
| @Secured({"ADMIN"}) | ||
| public HttpResponse deleteUser(@PathVariable UUID userId){ |
There was a problem hiding this comment.
Maybe not this card but eventually we're going to have deactivating users I think so this would be using the securityService to get the acting user. I see we have the active flag in the database now so may be a good time to change this?
There was a problem hiding this comment.
After talking with Tim, I think the thought right now is to shorten the JWT expiration time and add a refresh token capability so that the user will get their refreshed info frequently. Not checking the user on the incoming call does leave a gap equal to the duration of the JWT expiration where a bad actor with an account can still have access though. But, I think the thought was that the case would be rare and they would have to be in the system to start anyway, so the case may not be worth making checks for it. It does avoid having to query the user on every single call. I'm down to discuss this again though if you had thoughts?
Also, for the deactivate user endpoint, there is a card made for switching that endpoint over on the UI side,
We could just mix the controller in on that too. I want to save it for later since changing it over is outside of scope for this card.
There was a problem hiding this comment.
I'm happy to discuss this further too
There was a problem hiding this comment.
Posting this thought before I forget it. We could create a security rule that will check if the method being requested has the @Secured annotation, and if it's anything but a GET, and if so, then check in the db to make sure the user that the JWT was issued for is still active, therefore preventing a bad actor from making destructive changes the instant their account is deactivated.
There was a problem hiding this comment.
I like that idea! It seems like a good balance between cutting down the queries, but giving us some added protection as well. @nickpalladino thoughts about this?
There was a problem hiding this comment.
@timparsons @nickpalladino A new security role has been added. A lot of the new tests were removed that checked for an active user that didn't exist in the database because the security rule will stop the flow before they get to the controller in that case. New tests were added for the security rule cases.
I put a TODO in ProgramSecuredAnnotationRule class to add tests when the time comes.
Yeah that is a good point. My thought would be that it doesn't matter to us if their orcid account was removed. Since the orcid is used so we can know they are who they are, once we know who they are we can decide whether they should continue to have access to our system on our side and just check to see if they are who they are when they need a new JWT. |
changed and pushed |
eawoods
left a comment
eawoods
left a comment
There was a problem hiding this comment.
Looks good to me, and I got all the possible error states to trigger at the correct times.
I defer to @nickpalladino and @timparsons on technical endpoints/permissions/token/timeout questions.
timparsons
left a comment
timparsons
left a comment
There was a problem hiding this comment.
Looks good. One comment on one test
src/test/java/org/breedinginsight/api/v1/controller/ProgramControllerIntegrationTest.java
Outdated
Show resolved
Hide resolved
timparsons
left a comment
timparsons
left a comment
There was a problem hiding this comment.
A few small comments/quick discussion points
src/main/java/org/breedinginsight/api/auth/AuthServiceLoginHandler.java
Outdated
Show resolved
Hide resolved
src/main/java/org/breedinginsight/api/v1/controller/ProgramController.java
Show resolved
Hide resolved
4 participants
This features adds the user system roles and the user id into JWT claims. It also adds a means for the controllers to easily access those roles and id in the claims.
This feature also includes some code contributed by Tim that will be used when program roles enforcement is implemented. The code is active, but won't be called if the
@ProgramSecuredannotation is not used on any controllers. Which it is not yet.Tests were added for the rare case that a user has a valid JWT, but not a user account. This case can occur if the user is valid, gets their JWT, but then their user account gets deleted (by a dev directly in the database), but there JWT hasn't expired yet. We don't check for this in the controller, but will be caught in the database because there is a foreign key constraint on the updated_by, created_by in the database.
Dependencies
This feature modifies the login flow to bi-web. There is a matching feature card in bi-web, INF-158 that should be reviewed alongside this.
Review and Tests
ADMINendpoint, do they get a 403SecurityService