# Authentication and Authorisation (logging in) Update

Vince Lee edited this page Jul 5, 2018 · 2 revisions

## Overview

As Street Support grows, our need to ensure the data we hold remains secure and correct comes more into focus. For this reason, we have been updating our applications to use a third-party service to manage our authentication and authorisation mechanism. By offloading this concern to a third party, we can rest assured that the primary gateway to editing and deleting our data is managed by a dedicated team of experts in the field and adheres to industry-standard protocols. In addition to the security benefits, this move also unlocks a number of architectural options, should we require them.

We have chosen Auth0 to be that third party: a tried and tested provider, trusted by a number of large companies. Their free pricing plan is sufficient for our needs at this time. Should our needs change, we can review our options; moving to a different provider should be relatively simple, because the mechanism adheres to the OAuth protocol.

## Impact on Applications

### API

The API checks the Authorization header of every request for a JWT and verifies the token against Auth0. It then extracts the User's Auth0 id from the token and retrieves the corresponding User from the Street Support database. Finally, the requested endpoint checks that User's claims via Nancy's authorisation mechanism.
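As an added illustration of the check described above (not Street Support's own code, which is C# on Nancy), here is the same pipeline in plain Python: bearer header, signature, exp/iss/aud, Auth0 id, local User record, endpoint claim. The issuer, audience, secret, user record and the claim name `OrgAdmin` are constructed; the HS256 shared-secret signing is a simplification, since Auth0 normally issues RS256 tokens that are verified against the tenant's published public keys.

```python
import base64, hashlib, hmac, json, time
# Constructed values for the Auth0 tenant (issuer), this API (audience) and a shared signing
# secret. Real Auth0 tokens are normally RS256, verified with the tenant's JWKS public key.
ISSUER = "https://example-tenant.auth0.com/"
AUDIENCE = "https://api.example.invalid"
SECRET = b"constructed-demo-secret"
# Constructed stand-in for the Street Support user table, keyed by Auth0 id.
USERS = {"auth0|abc123": {"email": "admin@example.invalid", "claims": ["OrgAdmin"]}}

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_bearer_token(authorization, now=None) -> str:
    """Validate the JWT in an Authorization header; return its 'sub' (Auth0 user id).
    Every failure raises PermissionError, so nothing downstream sees a half-trusted token."""
    if not authorization or not authorization.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        raise PermissionError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise PermissionError("unexpected alg")  # pin the algorithm; never honour 'none'
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")  # payload is untrusted until this passes
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now or claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise PermissionError("token expired or not issued for this API")
    return claims["sub"]

def authorise(authorization, required_claim, now=None) -> dict:
    """The API's flow: verified token -> Auth0 id -> local user record -> endpoint claim check."""
    user = USERS.get(verify_bearer_token(authorization, now))
    if user is None:
        raise PermissionError("no local user for this Auth0 id")
    if required_claim not in user["claims"]:
        raise PermissionError("user lacks the claim this endpoint requires")
    return user

def make_token(claims: dict) -> str:
    """Constructed helper: mint an HS256 token as the issuer would (used by the tests)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"
```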

### Admin Portal

When a User comes to log in, they are redirected to the Auth0 login page, where they enter their email and password. If the credentials are correct, they are redirected back to the Admin Portal along with an access token. This access token is added to each request to the API in the Authorization header.

## Impact on Users

### Existing Users

Existing Users will be migrated into Auth0, with a randomly generated password. On their first login attempt, they will need to reset their password.

### Forgotten Passwords

The 'forgotten password' flow is entirely managed by Auth0, hopefully reducing the manual support we need to provide to Users. Emails are sent via our SendGrid account.

### New Users

#### Org Admins Registered Through the Website

On adding their Organisation via the '/register' page, the User is sent an email prompting them to change their password. On doing so, they are redirected to the Admin Portal to log in.

#### Admins Created from the Admin Portal

On adding a new Org, City or Super Admin, the API creates the User entry in Auth0. The User is sent an email prompting them to change their password. On doing so, they are redirected to the Admin Portal to log in.