Authorization Middleware

[armintalaie]

A layer to authorize incoming API requests. The middleware should allow arguments to retrieve the scopes of access.
This will be used by all api endpoints and should be flexible enough to adapt to new changes.

---

• Create a scope table to store all available scopes. initial setup should be added as migration script

  • Current version of Scopes: Update as needed

  • Convention: [area]:[permission]:[domain]:[limits]

scope_id	Scope_name	Scope_description
	profile:read:self	can read their own profile. When/if user is blocked/restricted the access can be revoked.
	profile:read:others	can read other users' profiles.
	profile:write:self	can update current authenticated user or delete
	profile:write:self:limited	can update current authenticated user
	profile:write:others	can update any user and delete any user
	profile:write:others:limited	can update any user
	admin:write	can update any internal information
	admin:read	can update any internal information

Note: admin:write is a special role we will use to authorize api calls that modify our system such as adding more roles, more scopes and etc. Later on we can assign domains to admins levels such as "members" or "posting"

• Create a role_scope table that has keys to a role's id (from role table) and scope's id (from scope table)

• Middleware should allow to use cases:

• pass user id and authorization and return all scopes of user

• pass user id and authorization with a list of scopes to determine if user has those

---

Example Scenario

For the Users API:

• Creating Users: only authenticate their google credentials. will want to know if user is authenticated
• Editing Users: Triggered by either user or "admin" roles. will want to know if current user can update either themselves or others
• Delete users: similar to above
• Admin-related: using the api to add a new faculty, role, or remove a program, etc