Filter OP resources by `tenantId` in Admin API calls #2929

njlie · 2024-08-30T11:52:56Z

The Rafiki Admin API should use the Kratos session token to retrieve and add a tenantId to the context. Resolvers should use this context to:

Only retrieve Open Payments resources that belong to that tenant (unless that tenant is also the instance operator).
It should prevent requests where provides a valid id is provided for an Open Payments resource, but that resource does not belong to that tenant. Return a Not Found response in this case.
When creating a new resource that requires a tenantId as database field, it should either:
- Verify that the provided tenantId in the input matches the one added to the context, or is from an operator
- Provided that tenantId from the context.
  - Maybe we could even remove tenantId as an input from all graphql inputs, and just include it in service requests by pulling it from the context at all times.

This logic should be applied to resolvers for:

The text was updated successfully, but these errors were encountered:

njlie mentioned this issue Aug 30, 2024

Multi-tenant Rafiki #2893

Open

17 tasks

BlairCurrey self-assigned this Oct 3, 2024

njlie mentioned this issue Oct 11, 2024

Admin API User Roles #2895

Closed

1 task

BlairCurrey mentioned this issue Oct 14, 2024

Bc/2929/filter op resources by tenantid #3026

Draft

njlie added the pkg: backend Changes in the backend package. label Oct 18, 2024

Provide feedback