- Explain how ReBAC is implemented using oakrbac.Predicate to address the distinction explained here: https://dev.to/egeaytin/rbac-vs-rebac-when-to-use-them-47c4
- Figure out the best way to mitigate CSRF:
- SPA router generator with sha256 hashes for security that can be used for sign-in and recovery workflows!
- Safety: static types, immutability, and proper defaults.
- Minimalism: tracks the least amount of information possible without compromising safety.
- Consistency: assumes a single, fully synchronized source of truth. Revocations are instant.
- Flexibility: simple, independent, and configurable models that support multiple back-ends.
oakrbac: role-based access control
- Humanity Recognition
- Throttling
- Prevent password-reuse?
- Timing modulation
- Registration
- Authentication
- Password policy
- Revocation
- Kill switch
- Recovery
- Authorization
- Observability
- Logging
- Identity: provides authentication.
- Group: enumerates roles which are available for identities.
- Role: provides authorization by granular permissions.
- Permission: a granular grant, scoped by
  - Service
  - Domain
  - Resource
  - Action
- Session: the result of pairing an identity with a role.
- Token: one-time utility codes.
The library is designed to anticipate misconfiguration by aiming at simplicity:
- All roles and policies deny access by default.
- Policies and predicates must return the explicit sentinel value `Allow`; anything else, including a forgotten return value, is treated as a denial.
- Comes with a code generation tool that helps build tight access control policies and test cases.
Logging can be approached in several different ways:
- By writing a Policy wrapper. Use the function `WithLogger` for an example.
- Inside the policies themselves.
- At a higher level with request logs.
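The deny-by-default rule and the explicit `Allow` sentinel above, together with the "Policy wrapper" logging approach and the relationship (ReBAC) predicate noted in the to-do list, as one added illustration. This is example code written for this page, not oakrbac's own implementation: the `Intent`, `Policy` and `Predicate` shapes, the `Allow`/`ErrDenied` values, the `LogDecisions` wrapper (a stand-in for the `WithLogger` pattern, not that function), and the `owners`/`revoked` tables are all constructed assumptions. The point it shows is that a policy returning `nil` never grants anything, an explicit non-`Allow` error is an immediate deny, and a revocation check placed first wins over ownership.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"os"
)

// Illustrative types for this example; they are not oakrbac's own API.

// Intent describes who wants to do what to which resource.
type Intent struct {
	Subject  string // identity making the request
	Resource string // e.g. "documents/42"
	Action   string // e.g. "read", "delete"
}

// Allow is the explicit sentinel a policy must return to grant access.
// Returning nil means "no decision", never "allowed".
var Allow = errors.New("allow")

// ErrDenied is what Authorize returns whenever no policy returned Allow.
var ErrDenied = errors.New("access denied")

// Policy decides on an Intent. Only Allow grants; any other non-nil error is an
// explicit deny that stops evaluation; nil lets the next policy decide.
type Policy func(context.Context, Intent) error

// Authorize is deny-by-default: it grants only on an explicit Allow.
func Authorize(ctx context.Context, i Intent, policies ...Policy) error {
	for _, p := range policies {
		switch err := p(ctx, i); {
		case errors.Is(err, Allow):
			return nil
		case err != nil:
			return fmt.Errorf("%w: %v", ErrDenied, err)
		}
	}
	return ErrDenied
}

// Predicate is a relationship or attribute check used to build policies.
type Predicate func(context.Context, Intent) bool

// AllowIf turns a predicate into a policy that returns the Allow sentinel
// explicitly when the predicate holds and stays silent (nil) otherwise.
func AllowIf(pred Predicate) Policy {
	return func(ctx context.Context, i Intent) error {
		if pred(ctx, i) {
			return Allow
		}
		return nil
	}
}

// DenyIf short-circuits with an explicit deny when the predicate holds.
func DenyIf(reason string, pred Predicate) Policy {
	return func(ctx context.Context, i Intent) error {
		if pred(ctx, i) {
			return errors.New(reason)
		}
		return nil
	}
}

// LogDecisions wraps a policy and records its outcome. It stands in for the
// "Policy wrapper" logging approach and is not oakrbac's WithLogger.
func LogDecisions(w io.Writer, name string, p Policy) Policy {
	return func(ctx context.Context, i Intent) error {
		err := p(ctx, i)
		outcome := "no decision"
		switch {
		case errors.Is(err, Allow):
			outcome = "allow"
		case err != nil:
			outcome = "deny: " + err.Error()
		}
		fmt.Fprintf(w, "policy=%s subject=%s action=%s resource=%s outcome=%q\n",
			name, i.Subject, i.Action, i.Resource, outcome)
		return err
	}
}

// Constructed sample data: a relationship table (resource -> owner) and a
// revocation list, standing in for a synchronized source of truth.
var owners = map[string]string{"documents/42": "alice", "documents/7": "mallory"}
var revoked = map[string]bool{"mallory": true}

// isOwner is a relationship-based (ReBAC-style) predicate.
func isOwner(_ context.Context, i Intent) bool { return owners[i.Resource] == i.Subject }

// isRevoked is the kill-switch predicate; it is checked before any grant.
func isRevoked(_ context.Context, i Intent) bool { return revoked[i.Subject] }

// DocumentPolicies builds the policy chain: revocation first, then ownership,
// then a policy that forgets to return Allow and therefore never grants.
func DocumentPolicies(logs io.Writer) []Policy {
	return []Policy{
		LogDecisions(logs, "revocation", DenyIf("identity revoked", isRevoked)),
		LogDecisions(logs, "owner", AllowIf(isOwner)),
		LogDecisions(logs, "forgotten-return", func(context.Context, Intent) error { return nil }),
	}
}

func main() {
	ctx := context.Background()
	for _, in := range []Intent{
		{Subject: "alice", Resource: "documents/42", Action: "delete"},
		{Subject: "bob", Resource: "documents/42", Action: "read"},
		{Subject: "mallory", Resource: "documents/7", Action: "read"},
	} {
		fmt.Printf("%s %s %s -> %v\n", in.Subject, in.Action, in.Resource,
			Authorize(ctx, in, DocumentPolicies(os.Stderr)...))
	}
}
```

Running it grants only alice's delete of her own document; bob falls through every policy and gets `access denied`, and mallory is denied by the revocation policy even though she owns `documents/7`, because the explicit deny is evaluated before ownership can return `Allow`. The decision log written by the wrapper records one line per policy consulted, which is what makes a "why was this denied" investigation possible without logging inside each policy.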