3.4 KiB
Cisco FT SecureX Simplified Registration
- tags
- Auth
- source
- https://github.com/advthreat/response/issues/821
- dashboard
- https://github.com/advthreat/iroh/projects/32
.
Technical Plan
Support private email vs public emails
The solution is to use a blacklist of domains where any user could create multiple email accounts pseudo-anonymously.
Support, search admin with same email domain
We should be able given an email from a user, to find all the orgs for which at least one of its admin has a matching domain name.
- Most efficient: add an invisible field
email-domain
to all users. This should be lower-case, and we will need a migration. Doing this we could have a faster match than using string related queries.
Problems, users can login in the same user, with the same public email with different emails. This should be rare.
- Search via text match.
The algorithm should look a bit like:
;; only when this is an unknown user
(let [user-email ,,,
domain (string/replace user-email #".*@" "")
users (matching-admins domain) ;; returns a potentially big list of admin users
indexed-orgs (group-by :org-id users)]
(vals indexed-orgs))
Support Org request to admins
We need to create another Entity for access request to an Org.
(s/defschema OrgAccessRequest
(st/merge
{:id UUID
:idp-mapping IdPMapping
:user-email s/Str
:org-id s/Str
:status (s/enum :pending :accepted :rejected)}
(st/optional-keys
{:user-name s/Str
:user-nick s/Str})))
When a user request access to an organization. We should create this object in DB.
There should be a CRUD API restricted to the admin/user-mgmt/org-requests
scope:
GET /iroh/user-mgmt/org-requests
list pending org access requestsGET /iroh/user-mgmt/org-requests/<id>
read a single org access requestPOST /iroh/user-mgmt/org-requests/<id>/accept
Grant the accessPOST /iroh/user-mgmt/org-requests/<id>/reject
Reject the access
List
GET /iroh/user-mgmt/org-requests
If no parameter is provided, only list pending OrgAccessRequests
of the org
of the caller.
Otherwise we could pass the query-parameter status
with the following
value(s):
pending
accepted
rejected
Note we should probably support duplicate statuses. Ex:
GET /iroh/user-mgmt/org-requests?status=accepted&status=pending
Read
GET /iroh/user-mgmt/org-requests/org-request-id
Should returns a 404 if not found or the single Org Access Request object.
Accept the Org Access
POST /iroh/user-mgmt/org-requests/<id>/accept
Grant the access
The body should contain the role (either admin
or user
) with the following schema:
{"role":"admin"}
During the call, should:
- Create a new user with:
{:user-id (gen-uuid)
:org-id (:org-id org-access-request)
:user-email (:user-email org-access-request)
:idp-mappings [(:idp-mapping org-access-request)]
:user-name (:user-name org-access-request)
:user-nick (:user-nick org-access-request)
:role (get-in request [:body :role])
:enabled? true
}
UI Revamp.
All the page shown during login are hosted in IROH. So we should revamp all pages and we should probably, take great attention to every shown webpage.