Authorisation with JWT
Overview
We are using JSON Web Token (JWT) for authorisation and use scopes (roles) to control access to endpoints.
We are using AWS Cognito as our user directory and authentication resource.
In combination with openapi-backend, this makes handling permissions for the backend API endpoints a simple process of adding the permissions scopes to the endpoint and ensuring that all calls made to that endpoint satisfy those constraints.
Securing your endpoint
We are employing a deny/allow security policy for our endpoints. As the system is mostly accessible to logged-in users, by default all endpoints are restricted to logged-in users, which is achieved by adding
security: [
{ jwt: [] }
]
to the OpenAPIV3.Document, which is stored in /modules/<module>/openapi/document.ts. From there, amend each path and add the required scopes to the path where stricter permissions are desired.
If your path does need to be open to non-logged-in users, add security: [] to the path object; an empty security array on the path overrides the document-level default for that path only.
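The following is an added example (not the project's own code) showing how the document-level default, a per-path override and security: [] resolve for each operation, and the scope check a jwt security handler would then apply. It assumes the scope format "<module>:<resource>:<access>" with access letters r (read), w (write) and a (all), "*" as a wildcard, the Cognito space-separated scope claim, and that the token signature has already been verified.

```typescript
// Added example: resolution of OpenAPI `security` requirements and the scope
// check for the jwt scheme. Scope format "<module>:<resource>:<access>" with
// access r < w < a and "*" wildcards is an assumption, not the project's rule.
type SecurityRequirement = Record<string, string[]>;
interface Operation { security?: SecurityRequirement[] }
interface OpenApiDoc {
  security?: SecurityRequirement[];
  paths: Record<string, Record<string, Operation>>;
}
// Constructed stand-in for /modules/<module>/openapi/document.ts.
const exampleDoc: OpenApiDoc = {
  security: [{ jwt: [] }],                          // default: logged-in users
  paths: {
    '/health': { get: { security: [] } },           // explicitly public
    '/items': {
      get: {},                                      // inherits document default
      post: { security: [{ jwt: ['inv:item:w'] }] }, // stricter: write scope
    },
  },
};

// Scopes the jwt scheme requires for an operation; null means public.
// Assumes jwt is the only security scheme in use.
function requiredJwtScopes(doc: OpenApiDoc, method: string, path: string): string[] | null {
  const op = doc.paths[path]?.[method.toLowerCase()];
  if (!op) throw new Error(`unknown operation ${method} ${path}`);
  const reqs = op.security ?? doc.security ?? [];   // operation overrides document
  const jwtReq = reqs.find((r) => 'jwt' in r);
  return jwtReq ? jwtReq.jwt : null;
}

const ACCESS_RANK: Record<string, number> = { r: 1, w: 2, a: 3 };
// Does one granted scope cover one required scope? Unknown letters never match.
function scopeCovers(granted: string, required: string): boolean {
  const [gm, gr, ga] = granted.split(':');
  const [rm, rr, ra] = required.split(':');
  const part = (g: string, r: string) => g === '*' || g === r;
  return part(gm, rm) && part(gr, rr) &&
    (ACCESS_RANK[ga] ?? 0) >= (ACCESS_RANK[ra] ?? Infinity);
}

// Decision a jwt security handler would return. `claims` is the payload of a
// token whose signature was ALREADY verified against Cognito's JWKS (assumed);
// null claims means no token was presented.
function isAuthorised(required: string[] | null, claims: { scope?: string } | null): boolean {
  if (required === null) return true;                // security: [] -> public
  if (claims === null) return false;                 // not logged in -> deny
  const granted = (claims.scope ?? '').split(' ').filter(Boolean);
  return required.every((req) => granted.some((g) => scopeCovers(g, req)));
}
```

The document default [{ jwt: [] }] therefore only requires a valid token, while a path with explicit scopes additionally requires every listed scope to be covered.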
Assigning permissions to users
To assign permissions to users, we collect all the permissions from all the endpoints and produce a document (permissions object) that is sent to the front end and used to build a screen where write, read-only or no permission can be assigned for each user that is created in the system.
Default permission assignment
By default, all administrator users get an *:*:a permission, which means that they can access all areas within the platform, while owner users get an inv-manage role, which allows them to access all non-admin endpoints within the platform.