
Add an API endpoint to refresh users roles

Open t0mhaines opened this issue 5 years ago • 6 comments

To make sure we don't end up with stale role data in smart-home-auth, it would be good to have an endpoint that we can use to refresh the current roles of a person.

Currently we only get roles on receipt of a new JWT, which is usually when a user logs in. If a user keeps their session alive for a long time/doesn't log in our role data can get stale very quickly.

Example: A person is granted guest access to a door, and they log on and set up their keycard/phone. If they then don't interact with smart-home for a year, their role data stays stale. They can still open the door as their roles are not refreshed unless they log in again. We have no way of obtaining updated roles.

t0mhaines avatar Sep 17 '20 14:09 t0mhaines

@th0mas this is a good idea. 👍

Would it be somewhat mitigated by allowing the owner of an app to set a default expiry for the JWT when people authenticate with their app, thus the person's session will expire and they are forced to re-auth, which refreshes their roles?

E.g. in the case of the smart-home-auth it could be. The expiry could even be set programmatically based on role, e.g. "visitor" role defaults to 1 hour.

nelsonic avatar Sep 17 '20 14:09 nelsonic

That could work but that doesn't solve the root of the problem, in that we can't check programmatically if a user has a role; we have to wait for a JWT to be given to us, meaning if a user doesn't log into the hub server, their roles are not updated.

When a user taps a card/phone, a lookup is done internally based off the device ID. No JWTs are used - so an expiry here wouldn't work. We could add a timeout, but this means if a user goes out of WiFi range they will be locked out of the home if their role expires as they won't be able to re-authenticate with hub.

As far as I know, an API endpoint is the only way of solving this seamlessly for the user.

To do this securely, an access token could be given that allows the holder to look up a user's role once they have logged in, therefore not giving every app access to every user on auth.

t0mhaines avatar Sep 17 '20 14:09 t0mhaines

@th0mas OK, in that case do you want to add a function to RBAC to refresh the roles for a given person_id and then we can add the corresponding endpoint in auth?

nelsonic avatar Sep 17 '20 16:09 nelsonic

I've added the endpoint: GET /personroles/:person_id/:client_id which returns a list of roles for the :person_id for the corresponding :client_id (screenshot omitted).

We can transform this JSON list in RBAC to be whatever you need in Smart Home. Just LMK. 👍

nelsonic avatar Sep 19 '20 22:09 nelsonic
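The consuming side of the endpoint described above, as an added example that is not part of the dwyl/auth project or this thread: a hub-side role cache that re-queries GET /personroles/:person_id/:client_id once the cached roles are older than a refresh interval, and, addressing the offline concern raised earlier in the thread (hub out of WiFi range), keeps serving the last known roles for a bounded grace period when the auth server is unreachable, then denies. The JSON shape (`id`/`name` per role), the `RoleCache` class, the fake clock and the `fetch` callback are all assumptions made for this example; the real endpoint's response format is whatever the linked controller returns.

```python
import json
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# (person_id, client_id) -> JSON body. Constructed sample data standing in for
# the auth server; the "id"/"name" keys are an assumption, not the real schema.
CONSTRUCTED_RESPONSES = {
    ("person-42", "smart-home"): json.dumps([{"id": 3, "name": "guest"}]),
}

# Signature of the HTTP call: (person_id, client_id) -> response body.
# Raises ConnectionError when the auth server cannot be reached.
FetchFn = Callable[[str, str], str]


class FakeClock:
    """Controllable clock so the cache's time-based behaviour can be exercised."""
    def __init__(self, start: float = 1_600_000_000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class CachedRoles:
    role_ids: List[int]
    fetched_at: float


@dataclass
class RoleCache:
    client_id: str
    fetch: FetchFn
    refresh_after: float = 3600.0          # re-query auth once roles are this old
    max_stale: float = 7 * 24 * 3600.0     # past this, deny even if auth is unreachable
    clock: Callable[[], float] = time.time
    _entries: Dict[str, CachedRoles] = field(default_factory=dict)

    def roles_for(self, person_id: str) -> Optional[List[int]]:
        """Return the person's role ids, refreshing from auth when due.
        None means access must be denied (no usable role data)."""
        now = self.clock()
        cached = self._entries.get(person_id)
        if cached is None or now - cached.fetched_at >= self.refresh_after:
            try:
                body = self.fetch(person_id, self.client_id)
                role_ids = [int(r["id"]) for r in json.loads(body)]
                cached = CachedRoles(role_ids, now)
                self._entries[person_id] = cached
            except (ConnectionError, ValueError, KeyError, TypeError):
                # Auth unreachable or response unparseable: keep the last known
                # roles for a bounded grace period rather than locking people out,
                # but never trust data older than max_stale.
                if cached is None or now - cached.fetched_at >= self.max_stale:
                    return None
        return list(cached.role_ids)

    def has_role(self, person_id: str, role_id: int) -> bool:
        roles = self.roles_for(person_id)
        return roles is not None and role_id in roles


def demo() -> Dict[str, bool]:
    """Walk through revocation and offline scenarios; returns the observed decisions."""
    clock = FakeClock()
    responses = dict(CONSTRUCTED_RESPONSES)

    def fetch(person_id: str, client_id: str) -> str:
        try:
            return responses[(person_id, client_id)]
        except KeyError:
            raise ConnectionError("auth server unreachable")

    cache = RoleCache("smart-home", fetch, clock=clock)
    out: Dict[str, bool] = {}

    # Guest role (id 3) is granted, fetched fresh on first tap.
    out["fresh"] = cache.has_role("person-42", 3)
    # Admin revokes the guest role on the auth server.
    responses[("person-42", "smart-home")] = "[]"
    # Still within refresh_after: cached roles are used, revocation not yet seen.
    out["cached_before_refresh"] = cache.has_role("person-42", 3)
    clock.advance(3601)
    # Refresh is due: the empty list is fetched and the door stays shut.
    out["after_refresh"] = cache.has_role("person-42", 3)

    # Owner (id 5) is fetched, then the hub loses connectivity to auth.
    responses[("person-7", "smart-home")] = json.dumps([{"id": 5, "name": "owner"}])
    cache.has_role("person-7", 5)
    del responses[("person-7", "smart-home")]
    clock.advance(2 * 24 * 3600)   # refresh due, fetch fails, within grace
    out["offline_within_grace"] = cache.has_role("person-7", 5)
    clock.advance(6 * 24 * 3600)   # 8 days since last successful fetch
    out["offline_past_grace"] = cache.has_role("person-7", 5)
    return out
```

The two knobs map onto the trade-off discussed in the thread: `refresh_after` bounds how long a revoked role keeps working (the stale-data problem), while `max_stale` bounds how long an unreachable auth server is tolerated before the hub fails closed. Shorter values on both tighten security at the cost of more calls to auth and a shorter offline window.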

The following code is included in #123: https://github.com/dwyl/auth/blob/2f63ba291b628c87c3594f243091c4d9cf8cd9cb/lib/auth_web/controllers/api_controller.ex#L29-L49

Feel free to alter it to suit your needs. As noted in #120 (document API endpoints), all REST API handlers are now stored in the api_controller.ex.

nelsonic avatar Sep 20 '20 07:09 nelsonic

@nelsonic A list of role_ids should be fine here.

t0mhaines avatar Sep 23 '20 15:09 t0mhaines