Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[#34722] Add Authentication and Authorization to api routes #90

Merged
merged 25 commits into from
Oct 23, 2024
Merged

[#34722] Add Authentication and Authorization to api routes #90

merged 25 commits into from
Oct 23, 2024

Conversation

nevinsm
Copy link
Collaborator

@nevinsm nevinsm commented Sep 24, 2024
edited
Loading

Link to Ticket:
https://app.shortcut.com/snac/story/34722/require-user-to-be-an-authenticated-editor-for-any-post-put-delete-actions-on-concept-vocabulary

PR Summary:
Sets up authentication and authorization for api routes. Also adds in artisan user:add helper command

Testing Instructions:

  1. Confirm that user must be logged in to hit protected create, update, delete api routes
  2. Feature tests pass when running ddev artisan test
  3. artisan user:add can be used to interactively add a user to the system

Notes:

  • test_authorized_user_can_update_concept_relationships will fail due to issue with concept relationships in the concept model

@jglass-st jglass-st added the On Hold Awaiting for a design decision, better rollout time, or other reason label Sep 30, 2024
jglass-st
jglass-st reviewed Oct 1, 2024
View reviewed changes
app/Models/User.php
->where('uid', $this->id);
});
})->get();
}
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like this sort of query should normally be a hasManyThrough, but given the number of joins this is probably the best way to do it. 👍

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately the many to many nature of the current schema prevents hasManyThrough from working and I tried using this package to provide the ability to have that many to many deep relationship as a default eloquent collection. The issue that kept cropping up was that the database tables don't follow Laravel conventions so none of it would play nicely which meant we ended up with a permissions getter method instead.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh, neat I hadn't seen that package before. Yeah, not being able to rely on standard naming conventions is tough. But I think you've made it as clean as possible given the legacy table constraints.

jglass-st
jglass-st reviewed Oct 1, 2024
View reviewed changes
app/Models/User.php
Comment on lines +82 to +107
public function isVocabularyEditor()
{
$permissions = $this->getPermissions();
$vocabEditor = Permission::where('label', 'Edit Vocabulary')->first();

return $permissions->contains($vocabEditor);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So much cleaner! Big improvement.

jglass-st
jglass-st approved these changes Oct 1, 2024
View reviewed changes
Copy link
Collaborator

@jglass-st jglass-st left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice api auth!

Sticking with Sanctum's pattern and adding a new table for API tokens is probably the right decision. The alternative would be trying to overload the existing legacy api_keys table, which would complicate things considering how differently they behave.

And given we shouldn't need to use any extra token functionality like abilities, only authenticate the user, this should handle everything we need from an authentication perspective.

@jglass-st jglass-st removed the On Hold Awaiting for a design decision, better rollout time, or other reason label Oct 1, 2024
nevinsm added 14 commits October 18, 2024 13:23
@nevinsm
initial sanctum setup and concept api controller protection
74eb33b
@nevinsm
add sanctum middleware to api group, update controllers to protect ro…
2eabaff 
…utes, update axios bootstrapping
@nevinsm
add reconcile to methods allowed on concept controller without auth
95eb616
@nevinsm
add role and permission models to application
4487b0d
@nevinsm
update isVocabularyEditor to use Permission model
969e654
@nevinsm
[#34722] add phpunit cache to gitignore
b5248dd
@nevinsm
[#34722] Scaffold out Concepts Authorization
5b053b6
@nevinsm
feat: Set up authorization for Concept model using policies and tests
685c8d5
@nevinsm
update user factory for Laravel 11
d16820e
@nevinsm
fix: Clean up example tests and concept test, simplify concept api co…
ce6fd0a 
…ntroller
@nevinsm
feat: Factories and model bindings for Term, Concept, and User
e8e0df4
@nevinsm
formatting fix
ae2c437
@nevinsm
feat: Working concept testing
280fe23
@nevinsm
feat: Create interactive artisan command to add user with role
60fc862
@nevinsm nevinsm force-pushed the nsm/34722-api-auth branch from 9379f48 to 60fc862 Compare October 21, 2024 19:35
@nevinsm nevinsm changed the title [#34722] Add Authentication to api routes [#34722] Add Authentication and Authorization to api routes Oct 21, 2024
@nevinsm
Copy link
Collaborator Author

nevinsm commented Oct 21, 2024

@jglass-st This should be ready for another review.

@nevinsm nevinsm requested a review from jglass-st October 21, 2024 21:22
jglass-st
jglass-st approved these changes Oct 23, 2024
View reviewed changes
Copy link
Collaborator

@jglass-st jglass-st left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

Great to have those initial tests. All passing except for the known test_authorized_user_can_update_concept_relationships exception.

I've added SESSION_DOMAIN variable to the snac-dev .env, and I can add it to snac production as well.

@nevinsm nevinsm merged commit 376a4be into development Oct 23, 2024
1 check failed
@nevinsm nevinsm deleted the nsm/34722-api-auth branch October 23, 2024 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jglass-st jglass-st jglass-st approved these changes

@dce dce Awaiting requested review from dce

@jeffmueller-st jeffmueller-st Awaiting requested review from jeffmueller-st

@bd-viget bd-viget Awaiting requested review from bd-viget

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@nevinsm @jglass-st