Comments (10)
@maxkwallace Sorry, I'm not working on this. It's been busy for a while now but I'm hoping to contribute to this project again when I get some time in the future.
Thanks @wittejm for taking this up!
from recordexpungpdx.
Yes, I was working on this. Let me assign it to myself.
Maybe next meeting we can discuss what the authentication API will look like on the frontend
Sounds good. It is captured in the design document. We can add missing details if there are any.
from recordexpungpdx.
@maxkwallace the /auth_token endpoint code is about finished with python tests passing, though I've just discovered that it's broken on the wsgi server (returns 400) and am looking into this.
from recordexpungpdx.
@erikjasso The only feature listed here that is missing from the app is to use persistent RSA keys in the prod environment, whereas the dev configuration works as intended (generating a random RSA key on app start).
I suppose we could write a more specific issue and toss it into the project backlog, to unclutter the project board a bit. The feature is blocked on having the app use any prod configuration at all, since the wsgi.py launcher is hard-coded to use only the dev configuration.
from recordexpungpdx.
The conversation from slack was "use JWTs, handle login on the backend". Erik asked me to add some background, so here we go.
JWTs (JSON Web Tokens, pronounced "jot" for some reason) are generally used with OAuth2/OIDC. They are stateless authentication tokens that include user data and a "signature" to prevent tampering. Token signing requires RSA keys that will have to be stored and managed on the server.
- store salted & hashed user password 🎉
- store RSA keys (must be able to handle 2 at a time for rotation)
- rotate RSA keys every 30-90 days
- login endpoint.
  - take in user credentials
  - load user record from DB
  - use salt with user-supplied password to create hash, compare
  - load relevant user attributes (groups, roles)
  - create token payload (user ID, expiration, groups, etc.)
  - sign token (standard RSA signature creation tools/lib exist in every language)
  - return to user
- verify token.
  - extract token from the AUTHORIZATION header
  - load KEY ID from token header
  - load matching key
  - compare token signature (standard RSA signature verification tools/lib exist in every language)
from recordexpungpdx.
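The login and verification steps listed in the comment above, carried through end to end as an added example; this is not code from the recordexpungpdx project or from the commenter. The design calls for RSA-signed tokens (RS256); to run with only the Python standard library this example signs with HMAC-SHA256 (HS256) instead, keeping the rest of the structure the comment describes: a salted, slow password hash, two live keys selected by the `kid` header so rotation does not invalidate outstanding tokens, an expiry check, constant-time comparisons, and a pinned `alg` so an attacker-supplied header cannot downgrade verification. `KEYS`, `USERS`, the key ids and the sample user are all constructed values for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time


def b64url(data: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """JSON-encode a header or payload dict, then base64url it."""
    return b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


# --- password storage: salted, deliberately slow hash (PBKDF2-HMAC-SHA256) ---
def hash_password(password: str, salt: bytes = None, iterations: int = 200_000) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def check_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# --- signing keys: two live at once so tokens issued before a rotation stay valid
# Constructed HMAC keys for the example; the project design stores RSA key pairs here.
KEYS = {"2024-01": secrets.token_bytes(32), "2024-03": secrets.token_bytes(32)}
CURRENT_KID = "2024-03"  # new tokens are signed with this key

# Constructed user table standing in for the database lookup.
USERS = {
    "alice": {"id": 1, "groups": ["admin"], "password": hash_password("correct horse")},
}


def sign_token(payload: dict, kid: str = CURRENT_KID) -> str:
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}  # kid tells the verifier which key
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    sig = hmac.new(KEYS[kid], signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def login(username: str, password: str, ttl: int = 3600, now: int = None):
    """Login endpoint: credentials in, signed token out (None on failure)."""
    record = USERS.get(username)
    if record is None or not check_password(password, record["password"]):
        return None
    now = int(time.time()) if now is None else now
    payload = {"sub": record["id"], "groups": record["groups"], "iat": now, "exp": now + ttl}
    return sign_token(payload)


def verify_token(authorization: str, now: int = None):
    """Verify the token carried in an Authorization header; return claims or None."""
    if not authorization or not authorization.startswith("Bearer "):
        return None
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                          # algorithm is pinned; "none" is never accepted
    key = KEYS.get(header.get("kid"))        # unknown or retired kid -> reject
    if key is None:
        return None
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                          # signature does not match: tampered or forged
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None                          # missing or passed expiry
    return payload


if __name__ == "__main__":
    token = login("alice", "correct horse")
    print(token)
    print(verify_token("Bearer " + token))
```

Swapping HS256 for RS256 changes only `sign_token` and the signature check in `verify_token` (sign with the private key, verify with the public key found by `kid`); the key store then holds public keys for every `kid` still accepted and the private key only for `CURRENT_KID`, which is what makes the 30-90 day rotation in the comment workable.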
@a-ilango you are working on this, right? Would be good to assign this issue to yourself if yes. Maybe next meeting we can discuss what the authentication API will look like on the frontend.
from recordexpungpdx.
@a-ilango ah, great! I forgot about the design document, thank you. I'll take a look again.
from recordexpungpdx.
@a-ilango Hey Arun! Are you still working on this? Just wanted to check in.
from recordexpungpdx.
@wittejm Can we close this?
from recordexpungpdx.
The only remaining feature here has been moved to #581
from recordexpungpdx.