:PROPERTIES:
:ID:       1208f09c-d37d-4e6b-9110-151f3c6b7d34
:END:
#+TITLE: Cisco FT SecureX Simplified Registration
#+Author: Yann Esposito
#+Date: [2021-12-07]

- tags :: [[id:299643a7-00e5-47fb-a987-3b9278e89da3][Auth]]
- source :: https://github.com/advthreat/response/issues/821
- dashboard :: https://github.com/advthreat/iroh/projects/32

.


* Technical Plan
** Support private email vs public emails

The solution is to use a blacklist of domains where any user could create
multiple email accounts pseudo-anonymously.

** Support, search admin with same email domain

We should be able given an email from a user, to find all the orgs for
which at least one of its admin has a matching domain name.

1. Most efficient: add an invisible field =email-domain= to all users. This
   should be lower-case, and we will need a migration.
   Doing this we could have a faster match than using string related queries.

Problems, users can login in the same user, with the same public email with
different emails.
This should be rare.

2. Search via text match.


The algorithm should look a bit like:

#+begin_src clojure

;; only when this is an unknown user
(let [user-email ,,,
      domain (string/replace user-email #".*@" "")
      users (matching-admins domain) ;; returns a potentially big list of admin users
      indexed-orgs (group-by :org-id users)]
  (vals indexed-orgs))
#+end_src

** Support Org request to admins

We need to create another Entity for access request to an Org.

#+begin_src clojure
(s/defschema OrgAccessRequest
  {:id UUID
   :user-identity IdPMapping
   :user-email s/Str
   :org-id s/Str
   :status (s/enum :pending :accepted :rejected)})
#+end_src

When a user request access to an organization.
We should create this object in DB.

There should be a CRUD API restricted to the ~admin/user-mgmt/org-requests~ scope:

- ~GET  /iroh/user-mgmt/org-requests~ list pending org access requests
- ~POST /iroh/user-mgmt/org-requests/search~ search  org access requests
- ~GET  /iroh/user-mgmt/org-requests/<id>~ read a single org access request
- ~POST /iroh/user-mgmt/org-requests/<id>/accept~ Grant the access
- ~POST /iroh/user-mgmt/org-requests/<id>/reject~ Reject the access

** Problem: support link that present a different login page.