Custom query - permissions #620

Open
ecerichter opened this issue Oct 26, 2021 · 5 comments

Comments

@ecerichter

Is your feature request related to a problem? Please describe.
In the documentation, there is a clear description of how to implement security for accessing tables.
How to do that for custom queries?

Describe the solution you'd like
Implement security settings for custom queries, and document how to do that.

Describe alternatives you've considered
Add server-side filters in Apache HTTP or HAProxy, but they are not effective because there is no user context at this stage.

Additional context

  • not applicable.
@arxdsilva (Member)

Hi @ecerichter, as long as you have JWT authentication set up, the custom queries will also verify the request header for a bearer token; this way it'll only allow access to valid tokens for the provided JWT secret.

@ecerichter (Author)

Thank you. I see... Actually, I misunderstood the security settings... I would expect to give a "role" some special permissions, and then associate roles to users... I believe this feature is not implemented (yet, perhaps).
Anyway, I'll check the source code and see if we can make it fit our needs. If yes, then we would propose a patch.

@arxdsilva (Member)

> Thank you. I see... Actually, I misunderstood the security settings... I would expect to give a "role" some special permissions, and then associate roles to users... I believe this feature is not implemented (yet, perhaps). Anyway, I'll check the source code and see if we can make it fit our needs. If yes, then we would propose a patch.

No problem! As we intend to be an API over any DB, it's hard to enforce any user management or table. There's a basic user setup that can be done so you can authenticate and have a very basic user over the /auth route, but it doesn't have any kind of permissions yet.
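To make the distinction in the two maintainer replies above concrete (a bearer token is verified against the JWT secret, but nothing on top of that grants permissions), here is an added Go example that is not the project's own code: VerifyBearer does only the signature check described, and MayRunCustomQuery is the separate role check the thread asks for. It assumes HS256 with a shared secret, and the Claims struct and its "roles" claim are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Only this exact header is accepted; pinning it rejects "alg" switching (e.g. "none").
var hs256Header = base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
// Claims is hypothetical: "roles" is what the thread asks for, not a claim the project issues.
type Claims struct {
	Sub   string          `json:"sub"`
	Roles map[string]bool `json:"roles,omitempty"`
}

func sigOf(secret []byte, input string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Sign mints a token with the shared secret (the issuer side, e.g. an /auth route).
func Sign(c Claims, secret []byte) string {
	payload, _ := json.Marshal(c)
	input := hs256Header + "." + base64.RawURLEncoding.EncodeToString(payload)
	return input + "." + sigOf(secret, input)
}

// VerifyBearer is the check the maintainer describes: the bearer token's signature must
// match the configured secret. Success proves only that and says nothing about roles.
func VerifyBearer(authHeader string, secret []byte) (*Claims, error) {
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if !strings.HasPrefix(authHeader, "Bearer ") || len(parts) != 3 || parts[0] != hs256Header {
		return nil, errors.New("missing, malformed or non-HS256 token")
	}
	if !hmac.Equal([]byte(parts[2]), []byte(sigOf(secret, parts[0]+"."+parts[1]))) {
		return nil, errors.New("invalid signature")
	}
	var c Claims
	if body, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("bad claims")
	}
	return &c, nil
}
// MayRunCustomQuery is the missing authorization layer: a role check on top of a verified token.
func MayRunCustomQuery(c *Claims, role string) bool { return c.Roles[role] }
```

A token signed with the right secret passes VerifyBearer whether or not it carries any role, which is exactly why a valid token alone cannot gate custom queries.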

@gedw99 commented Jan 21, 2023

Hey @arxdsilva,

awesome project !!

I was wondering if formal support for roles to users could be modelled in the DB so that queries can use that for:

  • determining if a user is allowed to execute a query or mutation

  • Roles can be used in queries and mutations, so that we can search by roles or user.

---

The latter requires this data to exist in the database in order to do it.

JWT, as far as I can see, is not enough. Please let me know.

I need this for my Open Science project .. https://github.com/gedw99/sc-gio

@arxdsilva (Member) commented Jan 31, 2023

@gedw99

> Hey @arxdsilva, awesome project !!

Thanks, the team appreciates it :D

We certainly want to upgrade how we do security and permissions, but right now there is no easy way and this will likely fall into our API v2. Although, even if we had the permissioning that we want for most routes on requests, the permissioning over custom queries would probably be another story, as these can use any table.

Furthermore, this is very complicated and I'm not sure how we want to solve it now, but it will probably require a separate permissioning, since the user that has access to custom queries should have more rights. We're currently discussing our roadmap for 2023, so feel free to also add your insights here. (:

In the current state of the project we can't assure you that we'll have it anytime soon. I'm sorry for that, but feel free to contact us on any social media if you want to further discuss this or any other subject around the project.
