A base build image for CircleCI and docker.

Mission Control

Dashboard

This is the end user UI.

Management-API

This is what serves the data for the end user UI.

CI Base

There is a base image here for builds that get run by CI. Docker Hub builds it automatically and pushes it to the repository whenever it changes.

Testing

CI

CI runs on every commit. The files changed in that commit are examined and filtered by project (dashboard, management-api, ...); make circleci is then called for each project that had changes.
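The project-filtering step above, written out as an added example (this is not the project's own CI script). It assumes that each project lives in a top-level directory of the same name, that `make circleci` is invoked per project with `make -C <project> circleci`, and that a change to a shared file outside every project directory (for example the top-level Makefile or the .circleci/ config) should rebuild all projects; the directory names ci-base and the shared-path list are also assumptions.

```javascript
// Added example (not the project's own CI script): decide which projects need
// `make circleci` from a list of changed file paths, e.g. the output of
// `git diff --name-only <base>...<head>` inside the CircleCI job.

const PROJECTS = ['dashboard', 'management-api', 'ci-base']; // directory names are assumed
const SHARED_PATHS = ['Makefile', '.circleci/'];             // assumed files that affect every project

// Parse newline-separated `git diff --name-only` output into clean paths.
function parseChangedFiles(diffOutput) {
  return diffOutput
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.length > 0);
}

// Return the projects that need a CI run, in PROJECTS order so logs stay stable.
// A change to a shared path means every project is rebuilt.
function changedProjects(changedFiles, projects = PROJECTS, shared = SHARED_PATHS) {
  const touchesShared = changedFiles.some((f) =>
    shared.some((s) => (s.endsWith('/') ? f.startsWith(s) : f === s))
  );
  if (touchesShared) return [...projects];
  const touchedDirs = new Set(changedFiles.map((f) => f.split('/')[0]));
  return projects.filter((p) => touchedDirs.has(p));
}

// Build the per-project command list that CI would execute.
function circleciCommands(diffOutput) {
  return changedProjects(parseChangedFiles(diffOutput)).map((p) => `make -C ${p} circleci`);
}

// Constructed sample diff output: a commit touching the dashboard and the root README.
const SAMPLE_DIFF = ['dashboard/src/App.js', 'dashboard/package.json', 'README.md', ''].join('\n');

// Only the dashboard is rebuilt; README.md belongs to no project and is not a shared path.
const SAMPLE_COMMANDS = circleciCommands(SAMPLE_DIFF); // ['make -C dashboard circleci']
```

Files that belong to no project directory are ignored, so documentation-only commits run nothing; whether that is the desired behaviour is a policy decision, and the SHARED_PATHS list is the place to make it explicit.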

Authorization and Authentication

We use Auth0 for authentication. This lets us easily enable social connections such as Google, as well as add third-party connections such as Active Directory. All user data, including roles and organizations, is stored there.

User groups, roles and permissions

Out of the box, Auth0 does not provide groups, roles or permissions for users. This is less than ideal because we want both groups (the tenant or organization) and roles (admin, read, write) for users. Auth0 does provide storage on the user object (app_metadata) and rules. By combining these two, we can add OAuth scopes to the JWT tokens and do everything we need for authorization.
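The app_metadata-plus-rule combination described above, as an added example written in the shape of an Auth0 rule. This is not the project's auth/rules/authz.js; the scope format "<organization>:<role>", the custom-claim namespace, the use of context.accessToken.scope as an array, and the assumption that the invite-validation rule runs before this one (so that app_metadata is already populated on first login) are all assumptions of the example.

```javascript
// Added example (not the project's auth/rules/authz.js): turn the user's
// app_metadata (organization + roles) into OAuth scopes on the issued tokens.

const ROLES = ['admin', 'read', 'write'];           // the roles named on the page
const CLAIM_NS = 'https://example.com/';            // assumed namespace for custom claims

// Pure helper: derive scopes from app_metadata, dropping unknown roles.
// Fails closed: a user with no organization gets no scopes at all.
function scopesFromMetadata(appMetadata) {
  const md = appMetadata || {};
  if (typeof md.organization !== 'string' || md.organization.length === 0) return [];
  const roles = Array.isArray(md.roles) ? md.roles : [];
  return roles.filter((r) => ROLES.includes(r)).map((r) => `${md.organization}:${r}`);
}

// Auth0 rule signature: function (user, context, callback).
// Assumes the invite-validation rule already ran and populated app_metadata.
function authzRule(user, context, callback) {
  const scopes = scopesFromMetadata(user.app_metadata);
  if (scopes.length === 0) {
    // Deny the login rather than issue a token that carries no authorization.
    return callback(new Error('No organization or roles assigned to this user'));
  }
  context.accessToken.scope = scopes;                       // assumed: rule context exposes accessToken.scope
  context.idToken[`${CLAIM_NS}organization`] = user.app_metadata.organization;
  context.idToken[`${CLAIM_NS}roles`] = user.app_metadata.roles.filter((r) => ROLES.includes(r));
  return callback(null, user, context);
}

// Run the rule against a constructed user and context and report the outcome.
function simulateLogin(appMetadata) {
  const user = { email: 'alice@example.com', app_metadata: appMetadata }; // constructed user
  const context = { accessToken: {}, idToken: {} };                      // minimal stand-in for Auth0's context
  let result;
  authzRule(user, context, (err, u, ctx) => {
    result = err
      ? { denied: true, reason: err.message }
      : { denied: false, scope: ctx.accessToken.scope, idToken: ctx.idToken };
  });
  return result;
}
```

Keeping the scope derivation in a pure function makes the authorization decision unit-testable outside Auth0, and the fail-closed branch is what enforces "not any user can log in": a social login that never went through the invite flow has no organization in app_metadata and is rejected here.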

Invite flow

To get access to the dashboard, we propose this flow:

  1. Admin logs into dashboard.
  2. Admin invites user, adding specific roles for that user.
  3. User receives email notifying them of account creation.
  4. User logs in for the first time with correct organization and role.

We do not want any of the following:

  • Any user can log in.
  • Users must log in and then contact their admins for new roles.

Admin flow

  1. Admin invites user.
  2. management-api receives the graphql mutation (invite_user).
  3. An RS256 JWT token is generated with the following metadata:
    • email - email address of the user being invited.
    • organization - organization of the admin.
    • roles - a list of roles to add to this user.
    • exp - when this token expires; the default is 24 hours right now.
    • iat - when the token was created. This isn't being used currently.
  4. An inviteUrl pointing at the /claim endpoint is generated, with the JWT token as a query parameter.
  5. We split the inviteUrl into a number of chunks. This defaults to 10 right now. Take a look at the code for a more in-depth explanation of why this happens.
  6. An identify call is issued containing the email, organization, company (set to the organization) and the invite URL split into chunks.
  7. A track call issues an invite event.
  8. The identify and track calls are picked up by the configured Segment integrations.
  9. Intercom, one of the configured Segment integrations, creates a user record from the identify call.
  10. When Intercom receives the invite event, it kicks off an automatic email. This email stitches the inviteUrl chunks back together and provides a link to the user.

User Flow

  1. User receives the email in their inbox.
  2. User clicks the link containing the invite token, which sends them to /claim.
  3. We redirect to Auth0 with invite_token in the query params.
  4. While the user is logging into Auth0, we check for the existence of invite_token.
  5. If the token is valid and matches the email address of the user logging in, we set user.app_metadata.signed_up on the user.
  6. The user is sent back to the dashboard as normal.
  7. On subsequent logins, signed_up is checked and the token validation logic is skipped.

How to set up a new Auth0 account

TODO: Automate as much of this as possible. Account creation should be automatic.

Set up the client to be used

  1. Create a SPA client.
  2. Add the allowed callback URLs to the settings:

    http://localhost:3000/callback
    http://local.dev:3000/callback

  3. Go to Connections and disable Username-Password-Authentication.
  4. Take the clientId and add it to the dashboard config at conf/auth0.conf.js.

Add rule logging

  1. Go to Extensions and add Real-time Webtask Logs.

Add the invite validation rule

  1. Click on Rules.
  2. Under Settings, create a key named invitePublicKey whose value is the contents of management-api/keys/jwt.public.key.
  3. Add a new rule and name it invite-validation.
  4. Save the new rule with the content of auth/rules/invite.js.

Add the authz rule

  1. Click on Rules.
  2. Add a new rule and name it authz.
  3. Save the new rule with the content of auth/rules/authz.js.

Owner: vaporio