…or route: /api/projects
…via authcontext. AuthZ code builds on shared/roles and shared/authorizationUtils for a single source of truth for roles/accessLevels
…dmin(), hasMinimumRole(), or hasAnyRole() to showcase flexibility/options, and adding comments to code
Note - once this PR is merged, hold off on rebuilding DEV until check-in for logged-in users is enabled [add issue link here]. Otherwise, we may run into an issue where most users remain logged in and cannot check in without first logging back out of VRMS.

@rteas mentioned that Project manager permissions are still handled the same way as before (standard user who is associated with a project = project manager). @rteas may create a new issue that creates a new UAL of "Project Manager" to follow the middleware refactor for other UALs (admin, superadmin, users, and project managers). Requires front end changes. Also, users assigned to an existing project will need to be promoted to the "project manager" UAL in the database.
| 'c0d7d0716e4cecffe9dcc77ff90476d98f5aace08ea40f5516bd982b06401021191f0f24cd6759f7d8ca41b64f68d0b3ad19417453bddfd1dbe8fcb197245079', | ||
| CUSTOM_REQUEST_HEADER: process.env.CUSTOM_REQUEST_HEADER, | ||
| TOKEN_EXPIRATION_SEC: 900, | ||
| // 15 minutes |
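Review bot: the `SECRET` literal in this hunk is committed to the repository, so even after it is moved to an environment variable the value itself stays in git history and has to be rotated, not just relocated. Separately, `TOKEN_EXPIRATION_SEC: 900` only takes effect if the signer passes it to `jwt.sign` as `expiresIn` (seconds); nothing in this change shows that wiring, so confirm the constant is actually consumed.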
What is the difference between these two, ACCESS_TOKEN_EXPIRATION and ACCESS_TOKEN_EXPIRATION_MS?
| // Utility functions | ||
|
|
||
| function generateAccessToken(user, auth_origin) { | ||
| return jwt.sign( |
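Review bot: `generateAccessToken` should pass an `expiresIn` option (in seconds, e.g. the config's `TOKEN_EXPIRATION_SEC`) to `jwt.sign`; without it the access token carries no `exp` claim and `jwt.verify` will accept it indefinitely, so the 15-minute lifetime described in the PR is enforced only by the client, not by the server.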
Why is there no expiration time on the signature of the access token?
|
|
||
| // Load in all of our node modules. Their uses are explained below as they are called. | ||
| const express = require('express'); | ||
| // const cron = require('node-cron'); |
| // WORKERS | ||
| const runOpenCheckinWorker = require('./workers/openCheckins'); | ||
| runOpenCheckinWorker(cron, fetch); | ||
| // const runOpenCheckinWorker = require('./workers/openCheckins')(cron, fetch); |
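Review bot: `runOpenCheckinWorker(cron, fetch);` references `cron`, but the only `node-cron` import in this change is commented out (`// const cron = require('node-cron');`), so this line will throw `ReferenceError: cron is not defined` at startup unless `cron` is defined elsewhere; restore the require or pass the scheduler in from the module that owns it. The commented-out variant `// const runOpenCheckinWorker = require('./workers/openCheckins')(cron, fetch);` should be removed rather than left as dead code.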
| @@ -1,8 +1,10 @@ | |||
| /*eslint-disable */ | |||
| module.exports = { | |||
| SECRET: | |||
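Review bot: the file-wide `/*eslint-disable */` on the first line turns off every lint rule for this config module, which is the file that exports the signing secret and is least able to afford silent mistakes; scope it to the one rule the file actually needs (`/* eslint-disable <rule> */`) or drop it.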
This should not be part of the code; this should be, as the name implies, a secret. This should be an env var.
| module.exports = { | ||
| SECRET: | ||
| 'c0d7d0716e4cecffe9dcc77ff90476d98f5aace08ea40f5516bd982b06401021191f0f24cd6759f7d8ca41b64f68d0b3ad19417453bddfd1dbe8fcb197245079', | ||
| CUSTOM_REQUEST_HEADER: process.env.CUSTOM_REQUEST_HEADER, |
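Review bot: `CUSTOM_REQUEST_HEADER: process.env.CUSTOM_REQUEST_HEADER` exports `undefined` when the variable is unset, and `SECRET` will behave the same once it is moved to the environment; validate both at module load and throw, e.g. `if (!process.env.CUSTOM_REQUEST_HEADER) throw new Error('CUSTOM_REQUEST_HEADER is not set');`, so a misconfigured deployment fails at startup instead of running with a missing header check or an unset key.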
Calling an env variable like this, if the var does not exist, will cause a silent failure returning undefined.
| const crypto = require('crypto'); | ||
| const AuthUtils = require('../../shared/authorizationUtils'); | ||
|
|
||
| const SECRET_KEY = process.env.JWT_SECRET; |
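Review bot: `const SECRET_KEY = process.env.JWT_SECRET;` introduces a second key source alongside `CONFIG_AUTH.SECRET`, which is what the tests in this PR sign tokens with; if this value is used for `jwt.verify` while tokens are signed with `CONFIG_AUTH.SECRET`, verification fails as soon as the two diverge. Keep one source of truth for the key and guard it at load: `if (!SECRET_KEY) throw new Error('JWT_SECRET is not set');`.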
We should avoid calling these blindly, they will silently fail if they do not exist.
| }, | ||
| ); | ||
| }) | ||
| token = jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.SECRET, { |
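Review bot: `token = jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.SECRET, {` re-implements token signing inside the test; if the claim names, key or expiry in `generateAccessToken` change, these tests keep passing against a token shape production never issues. Call `generateAccessToken(user, auth_origin)` here instead, and add an assertion that the token it returns carries an `exp` claim.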
On these tests, why are you not using the function in code to sign the token for the test?
| }, | ||
| ); | ||
| }) | ||
| token = jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.SECRET, { |
Same comment here: why is the function in code not used to sign the token for tests?
| }, | ||
| ); | ||
| }) | ||
| token = jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.SECRET, { |
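Review bot: this is the third copy of the same `jwt.sign({ id: user.id, role: user.accessLevel, auth_origin }, CONFIG_AUTH.SECRET, {` block in the test suite; factor it into a single helper (or, better, call the production `generateAccessToken`) so the fixtures cannot drift from each other or from the real signer.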
Fixes
#1861
#2066
#2068
#2072
#2075
What changes did you make and why did you make them?
No visuals, but the website runs using access tokens (JWTs) with 15m usage and refresh tokens (allowing users extended sessions up to 30 days without needing to re-log into the application). Logging out will delete the refresh token and require users to re-login.