User management and authorization
Because the 360 view gives access to sensitive personal information, we need to ensure that only authorized users can access PDP pages.
There are three authorization levels/user roles:
- User: Can use the Common API to view 360 data but not make any changes
- Editor: User, plus can use the Editor API to manually link existing contacts
- Admin: Editor, plus can use the Admin API to upload data and manage users
Upon login, the user API shall return a JSON Web Token (JWT) that serves as an access token and has a limited lifetime[1]. The JWT carries the user's role as a claim.
The React client shall render only resources that are authorized by the current user's role. The React client shall present the JWT (using the Authorization: Bearer header) to the API server when making a request.
The API server shall verify that the user represented by the JWT is authorized to access the requested API endpoint; the client-side rendering restriction is a convenience, not a security control, so the server check is the one that enforces the role. The API server shall return a 403 status if the user is not authorized to access the endpoint.
[1] We need to decide on a lifetime that provides an appropriate balance between convenience and security. An expired access token will require the user to log in again. There is a refresh-type token that allows automatic renewal of access tokens without requiring the user to log in, but the power of this kind of token poses additional security concerns.