Description
We will need to be able to disable some functionality in the app based on settings of their domain.
API Specs
These are authenticated calls, so you will need to log in using an OpenID Connect id_token (you should already be receiving one if your scopes include "openid" and "email"; if not, please add these scopes).
First, once per account, you need to generate a uuid which is 40 characters long and contains only lowercase hex characters 0-9a-f. Example: 8d43af.................................93. Use a secure random generator to produce it. You can think of the uuid as an auto-generated password which you create and store in the app. It is sensitive, so store it securely.
A correct email + uuid combination allows access to the restricted API (similar to email+password).
1) FlowCrypt Account Login
To register the email+uuid combination of an account, you need to prove the user's identity to the API backend. You can do this with the id_token you received from Google for that account, because it is signed by Google and we can verify that it belongs to the right user.
For this initial user registration (done once for each generated uuid), call the login endpoint:
POST https://flowcrypt.com/api/account/login
headers:
Authorization: Bearer <id_token>
payload:
{
"account": "some@email.com",
"uuid": "<uuid>"
}
In the Authorization header you paste the id_token directly, for example:
Authorization: Bearer eyaskdjaskldjaslkjdaslkdjsa.aslkdakldjkasjdlsakjdlkasjdklas.ashdsakdaskjdkasjhdksajhdjksahdasjdkashkda
The response must have both registered=true and verified=true to count as success:
response 200 {
"registered": true,
"verified": true
}
There should be a unique uuid for each account (and for each device).
If any restricted API returns HTTP error code 401 (auth), your uuid is not verified: request a new id_token from the user (by asking the user to go through the Google OAuth permission grant again), then verify the uuid with the login call above using the new id_token. After that you can repeat the call that gave you 401. Always ask for a fresh id_token here, because id_tokens usually expire quickly (1 hour).
But once your uuid is verified, it does not expire, so you can keep using it indefinitely.
2) Getting domain rules from backend
POST https://flowcrypt.com/api/account/get
payload:
{
"account": "some@email.com",
"uuid": "<uuid>" // this one must be already verified, else you get http error 401
}
response:
{
"domain_org_rules": {
"flags": [
"NO_PRV_CREATE",
"NO_PRV_BACKUP",
"STRICT_GDPR",
"ENFORCE_ATTESTER_SUBMIT"
]
},
"account": { ... } // you can ignore this
}
This gives you a list of flags (rules). The default is an empty array. Once you make it work so you can at least receive an empty array, I will help you test situations that have some other settings.
Please cache the rules forever in the app, per account. Once cached, you don't need to pull them again (in the future we will add periodic checks every 24 hours, but that's for another issue - not important yet).
Working with the rules
NO_PRV_CREATE
Disable creation of new private keys. Private keys can only be manually imported.
When this flag is present, the only option the user will see during setup is to import keys.
NO_PRV_BACKUP
Disable all forms of private key backup. If creating keys is enabled and the user is creating a key, do not automatically back up the key.
ENFORCE_ATTESTER_SUBMIT
Do not allow the user to skip errors during public key submission to the attester during setup. Wait for the result of the submission. If it is an error, show the error with details and offer a retry button. If the user cannot submit successfully, the user cannot finish setup.
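The uuid generation, login and get-rules calls described in the API specs, together with the mapping of the rule flags to setup behaviour from the section above, as an added illustration in Python (not code from the FlowCrypt app or backend). The endpoints and flag names are the ones quoted in the issue; the `post` transport hook, the `FlowCryptAccountClient` class and the `setup_options` helper are assumptions made for this example.

```python
import re
import secrets

# Endpoints as quoted in the issue; everything else here is an added illustration.
LOGIN_URL = "https://flowcrypt.com/api/account/login"
GET_URL = "https://flowcrypt.com/api/account/get"
UUID_RE = re.compile(r"[0-9a-f]{40}")


def generate_uuid() -> str:
    """20 CSPRNG bytes -> 40 lowercase hex chars, the 'uuid' the issue asks for."""
    return secrets.token_hex(20)


def is_valid_uuid(uuid: str) -> bool:
    # Reject anything that is not exactly 40 lowercase hex characters (e.g. uppercase).
    return UUID_RE.fullmatch(uuid) is not None


class AuthError(Exception):
    """HTTP 401: uuid is not verified; obtain a fresh id_token and call login() again."""


class FlowCryptAccountClient:
    # `post` is an assumed injection point: post(url, headers, json_body) -> (status, json_dict)
    def __init__(self, post):
        self._post = post
        self._rules = {}  # account -> set of flags, cached once per account as the issue requests

    def login(self, account: str, uuid: str, id_token: str) -> bool:
        if not is_valid_uuid(uuid):
            raise ValueError("uuid must be exactly 40 lowercase hex characters")
        headers = {"Authorization": "Bearer " + id_token}
        status, body = self._post(LOGIN_URL, headers, {"account": account, "uuid": uuid})
        # Success needs both fields true; a 200 with verified=false is still a failure.
        return status == 200 and body.get("registered") is True and body.get("verified") is True

    def get_domain_rules(self, account: str, uuid: str) -> set:
        if account in self._rules:
            return self._rules[account]  # cached: no second request for this account
        status, body = self._post(GET_URL, {}, {"account": account, "uuid": uuid})
        if status == 401:
            raise AuthError("uuid not verified for " + account)
        flags = set(body.get("domain_org_rules", {}).get("flags", []))  # default: empty
        self._rules[account] = flags
        return flags


def setup_options(flags: set) -> dict:
    """Map the rule flags to the setup behaviour the issue describes for each flag."""
    return {"allow_key_creation": "NO_PRV_CREATE" not in flags,
            "allow_key_backup": "NO_PRV_BACKUP" not in flags,
            "attester_submit_must_succeed": "ENFORCE_ATTESTER_SUBMIT" in flags}
```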
How to test
I will probably have to set up some domains for you that will have special rules.
This mechanism does not work for people who log in with IMAP directly; it has to use OpenID Connect (OAuth). So right now it will only work for Gmail accounts.