Comments (10)

a-ilango commented on June 1, 2024

@maxkwallace Sorry, I'm not working on this. It's been busy for a while now but I'm hoping to contribute to this project again when I get some time in the future.

Thanks @wittejm for taking this up!

from recordexpungpdx.

a-ilango commented on June 1, 2024

Yes, I was working on this. Let me assign it to myself.

Maybe next meeting we can discuss what the authentication API will look like on the frontend

Sounds good. It is captured in the design document. We can add missing details if there are any.

wittejm commented on June 1, 2024

@maxkwallace the /auth_token endpoint code is about finished with python tests passing, though I've just discovered that it's broken on the wsgi server (returns 400) and am looking into this.

wittejm commented on June 1, 2024

@erikjasso The only feature listed here that is missing from the app is to use persistent RSA keys in the prod environment, whereas the dev configuration works as intended (generating a random RSA key on app start).

I suppose we could write a more specific issue and toss it into the project backlog, to unclutter the project board a bit. The feature is blocked on having the app use any prod configuration at all, since the wsgi.py launcher is hard-coded to use only the dev configuration.

kyeotic commented on June 1, 2024

The conversation from slack was "use JWTs, handle login on the backend". Erik asked me to add some background, so here we go.

JWTs (JSON Web Tokens, pronounced "jot" for some reason) are generally used with OAuth2/OIDC. They are stateless authentication tokens that include user data and a "signature" to prevent tampering. Token signing requires RSA keys that will have to be stored and managed on the server.

  • store salted & hashed user password 🎉
  • store RSA keys (must be able to handle 2 at a time for rotation)
  • rotate RSA keys every 30-90 days
  • login endpoint.
    • take in user credentials
    • load user record from DB
    • use salt with user-supplied password to create hash, compare
    • load relevant user attributes (groups, roles)
    • create token payload (user ID, expiration, groups, etc..)
    • sign token (standard RSA signature creation tools/lib exist in every language)
    • return to user
  • verify token.
    • extract token from the AUTHORIZATION header
    • load KEY ID from token header
    • load matching key
    • compare token signature (standard RSA signature verification tools/lib exist in every language)

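The login and verify steps from the list above, as an added example that is not part of the project's code or this thread. The comment specifies RSA signatures; this example substitutes HMAC-SHA256 secrets so it runs with only the Python standard library, and the key-id lookup, two-key rotation, salted password comparison and expiry check are the parts it demonstrates. Key names, user records and the password hash parameters are constructed.

```python
import base64, hashlib, hmac, json, os, time

# Constructed key store: two keys live at once so tokens signed under the
# outgoing key still verify while new tokens are issued under the new one.
# The thread calls for RSA keys; HMAC secrets stand in here (assumption) so
# the example runs offline. The kid lookup in verify_token is unchanged.
KEYS = {"key-2019-11": os.urandom(32), "key-2020-02": os.urandom(32)}
CURRENT_KID = "key-2020-02"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash for storage; never store the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def create_token(user_id, groups, ttl=3600, kid=CURRENT_KID):
    # Header carries the key id so the verifier can pick the right key.
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"sub": user_id, "groups": groups, "exp": int(time.time()) + ttl}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token, now=None):
    # Verify step: key id from header -> matching key -> signature -> expiry.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    key = KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown key id or algorithm")  # reject alg confusion
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    if payload["exp"] <= (now if now is not None else int(time.time())):
        raise ValueError("token expired")
    return payload

def login(users, username, password):
    # Login step: load record, hash supplied password with stored salt, compare.
    record = users.get(username)
    if record is None or not hmac.compare_digest(hash_password(password, record["salt"]), record["hash"]):
        return None
    return create_token(username, record["groups"])
```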

maxkwallace commented on June 1, 2024

@a-ilango you are working on this, right? Would be good to assign this issue to yourself if yes. Maybe next meeting we can discuss what the authentication API will look like on the frontend.

maxkwallace commented on June 1, 2024

@a-ilango ah, great! I forgot about the design document, thank you. I'll take a look again.

maxkwallace commented on June 1, 2024

@a-ilango Hey Arun! Are you still working on this? Just wanted to check in.

erikjasso commented on June 1, 2024

@wittejm Can we close this?

wittejm commented on June 1, 2024

The only remaining feature here has been moved to #581.
