
Assume auth on all routes; add new route to check auth #32

@devsjc


Verification

  • I have searched the existing issues to ensure this feature has not already been requested.

Provide a detailed description of the proposed feature.

Auth checks should be its own route instead of being built into every single Data Platform route. This would enable greater separation of concerns.

Alongside this, LocationPolicyGroups should be able to exist without being assigned to Organisations.

What is the motivation for the feature?

After the first pass at IAM, every route has auth built in - e.g. the GetForecastAsTimeseries RPC takes in an OAuthID and will return nothing if the associated user has no access to the forecast's associated location. It somewhat ties these auth checks to the data platform though, and we might want to change how they are handled in the future. As such, keeping this logic somewhat separate, and putting the responsibility on the caller, makes it easier to reason about, more modular, and more testable.

Outline a potential approach or solution (optional).

Remove the OAuthID option from all the standard Get routes. Add a CheckUserLocationAccess RPC that determines whether a user has access to a location. It would then be the responsibility of applications that use the API to run this function prior to requesting data (if they require user scoping).
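The caller-side responsibility described above, sketched as an added example that is not part of the original issue or the project's code: a single wrapper through which an application reads user-scoped data, running the access check before every fetch and failing closed. The client class, its snake_case method names and the sample data are constructed stand-ins for the proposed CheckUserLocationAccess and the existing GetForecastAsTimeseries RPCs.

```python
"""Caller-side guard: check location access before every data request, failing closed."""
from dataclasses import dataclass, field


class AccessDenied(PermissionError):
    """Raised when the access check says no, or cannot be completed."""


@dataclass
class FakeDataPlatform:
    """Constructed in-memory stand-in for the API; method names are hypothetical."""
    grants: set = field(default_factory=set)        # {(oauth_id, location_id)}
    data_calls: list = field(default_factory=list)  # records every data fetch
    check_fails: bool = False                       # simulate the check RPC being down

    def check_user_location_access(self, oauth_id: str, location_id: str) -> bool:
        if self.check_fails:
            raise ConnectionError("access check unavailable")
        return (oauth_id, location_id) in self.grants

    def get_forecast_as_timeseries(self, location_id: str) -> list:
        # After the proposed change this route takes no OAuthID and does no user scoping.
        self.data_calls.append(location_id)
        return [("2025-01-01T00:00Z", 1.5), ("2025-01-01T00:30Z", 1.7)]


class ScopedForecastReader:
    """The only path application code uses to read forecasts on behalf of a user."""

    def __init__(self, client):
        self._client = client

    def forecast_for_user(self, oauth_id: str, location_id: str) -> list:
        try:
            allowed = self._client.check_user_location_access(oauth_id, location_id)
        except Exception as exc:
            # Fail closed: a check that cannot be answered is treated as a denial.
            raise AccessDenied(f"could not verify access to {location_id}") from exc
        if allowed is not True:  # anything other than an explicit True is a denial
            raise AccessDenied(f"{oauth_id} has no access to {location_id}")
        # The same location_id is checked and fetched, so the two cannot drift apart.
        return self._client.get_forecast_as_timeseries(location_id)
```

Keeping the unscoped client private to the wrapper makes a skipped check a structural error that code review can catch, rather than something each call site has to remember.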
