User management - Student-Management-System/Sparkyservice-Project GitHub Wiki

Information

Realms

  • LDAP : External users; no password is stored locally
  • LOCAL : Users which exist only in the local database
  • MEMORY : Demoted user state; these users are loaded at startup and never persisted

Permission Roles

A user from any realm holds exactly one permission role at a time:

  • DEFAULT
  • ADMIN
  • SERVICE (UserRole.SERVICE)

Service Accounts

Service accounts are mainly for services which need persistent access to a specific resource. They can generate persistent JWT tokens in order to authorize without the need to renew the token every 24 hours. To disable an issued token, put it in the payload in the profile settings of the user (currently only a single token can be disabled at a time; wildcards are possible).

The default expiration date of an issued token is the same as the account's expiration date. When the account is set to never expire (its expiration date is empty), the JWT token expires after 10 years.

To turn an account into a service account, set its role to UserRole.SERVICE.

WARNING: To disable an account, lock it; DO NOT delete the database entry. The lock is currently enforced through the account settings, and when these aren't present, all JWT tokens issued to that account become valid again until they expire (which depends on the configured account validity, i.e. up to 10 years for a never-expiring service account).

Password

Currently bcrypt is the only password hash algorithm in use. The password must contain....

Settings

All users in all realms have their own settings, except users from the MEMORY realm. Technically they have settings too, but these are never written to a persistent location, since all their information is loaded during startup.

Editing

The user-controller is responsible for editing users.

Values

Expiration (admin)

The expiration time defaults to 6 months but can be set to any valid date (a date only, without an exact time). Expiration time is only available for users in the LOCAL realm.

Example JSON entry:

{
  [...]
  "expirationTime": "2020-08-10"
}

Summary:

  • Is always null when a non-admin user invokes a query
  • Can only be modified by admins
  • Can be set to null through an edit, which removes the expiration time (the account never expires)
  • When set to null during creation, the account expires in 6 months
  • Only for @LOCAL users
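The rules above have an asymmetry worth seeing in code: a null expirationTime means "6 months" on creation but "never expires" on edit, so an admin who edits an account and omits the field removes its expiry. The following is an added example modelled on the summary, not Sparkyservice's own user-controller; it assumes the request carries "expirationTime" as a plain ISO date string or null, that "6 months" means six calendar months, and that a non-admin's request leaves the stored value untouched (the page only says non-admins cannot modify it).

```python
"""Expiration-time rules of the user-controller, as a model of this page's summary.

Added example, not Sparkyservice code. Assumptions: "expirationTime" arrives as a
plain ISO date string or null; "6 months" means six calendar months; a non-admin
request leaves the stored expiration untouched.
"""
import calendar
from datetime import date
from typing import Optional


def add_months(day: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month
    (e.g. 2019-08-31 + 6 months is 2020-02-29, not an invalid date)."""
    index = day.month - 1 + months
    year, month = day.year + index // 12, index % 12 + 1
    return date(year, month, min(day.day, calendar.monthrange(year, month)[1]))


def parse_expiration(value: Optional[str]) -> Optional[date]:
    """Accept only a date without a time part, as the page requires."""
    if value is None:
        return None
    if len(value) != 10:  # "YYYY-MM-DD"; anything longer carries a time part
        raise ValueError("expirationTime must be a date without an exact time")
    return date.fromisoformat(value)


def resolve_expiration(*, realm: str, caller_is_admin: bool, creating: bool,
                       requested: Optional[str], current: Optional[date] = None,
                       today: Optional[date] = None) -> Optional[date]:
    """Decide which expiration date to store for a create or edit request."""
    today = today or date.today()
    if realm != "LOCAL":
        return None                      # only @LOCAL accounts expire
    if creating:
        wanted = parse_expiration(requested) if caller_is_admin else None
        # null at creation: the account expires in 6 months
        return wanted if wanted is not None else add_months(today, 6)
    if not caller_is_admin:
        return current                   # non-admins cannot modify it (assumed: value kept)
    return parse_expiration(requested)   # null on edit means: never expires


def visible_expiration(caller_is_admin: bool, stored: Optional[date]) -> Optional[date]:
    """Query view: the field is always null for non-admin callers."""
    return stored if caller_is_admin else None


def demo() -> dict:
    """Constructed requests against one LOCAL account, evaluated on 2020-02-10."""
    today, stored = date(2020, 2, 10), date(2020, 8, 10)
    iso = lambda d: d.isoformat() if d else None
    local = dict(realm="LOCAL", today=today)
    try:
        parse_expiration("2020-08-10T12:00:00")
        rejects_time = False
    except ValueError:
        rejects_time = True
    return {
        "create_admin_null": iso(resolve_expiration(**local, caller_is_admin=True, creating=True, requested=None)),
        "create_admin_date": iso(resolve_expiration(**local, caller_is_admin=True, creating=True, requested="2021-01-01")),
        "edit_admin_null": iso(resolve_expiration(**local, caller_is_admin=True, creating=False, requested=None, current=stored)),
        "edit_nonadmin_ignored": iso(resolve_expiration(**local, caller_is_admin=False, creating=False, requested="2099-12-31", current=stored)),
        "ldap_never_expires": iso(resolve_expiration(realm="LDAP", today=today, caller_is_admin=True, creating=True, requested="2021-01-01")),
        "month_end_clamped": add_months(date(2019, 8, 31), 6).isoformat(),
        "rejects_time_part": rejects_time,
        "nonadmin_view": iso(visible_expiration(False, stored)),
        "admin_view": iso(visible_expiration(True, stored)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that "create_admin_null" evaluated on 2020-02-10 yields 2020-08-10, the same value as the JSON example above, while "edit_admin_null" yields null: an admin tool that re-sends a full user object on edit should therefore copy the existing expirationTime rather than omit it.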

Payload (admin)

Any text can be stored in a user's payload. The payload is only visible to admin users and is always null when a non-admin user invokes a query.

Special case: when a user has the role SERVICE, the payload defines the blocked JWT tokens of that user. Currently only a single token at a time is supported.
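The token lifetime rule from the Service Accounts section (token expires with the account, or after 10 years if the account never expires) and the payload-as-blocklist special case above can be tried end to end with the following added example. It is not Sparkyservice code: it builds HS256 JWTs with the Python standard library only, treats the payload as a single blocked token matched with fnmatch-style wildcards (the page does not define the wildcard syntax, so that is an assumption), and, unlike the current behaviour described in the WARNING, fails closed when the account record is missing.

```python
"""Service-account token lifetime and revocation, modelled on this page.

Added example, not Sparkyservice code. Assumptions: HS256 JWTs built with the
standard library only; the lifetime rule from the page (account expiration
date, or 10 years if the account never expires); the payload holds one blocked
token, optionally with fnmatch-style wildcards; a missing account row rejects.
"""
import base64
import fnmatch
import hashlib
import hmac
import json
from datetime import date, datetime, timedelta, timezone
from typing import Optional

TEN_YEARS = timedelta(days=10 * 365)  # assumed reading of the page's "10 years"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_expiry(account_expiration: Optional[date], issued_at: datetime) -> datetime:
    """Page rule: the token expires with the account; 10 years if it never expires."""
    if account_expiration is None:
        return issued_at + TEN_YEARS
    return datetime.combine(account_expiration, datetime.min.time(), tzinfo=timezone.utc)


def issue_token(secret: bytes, username: str, account_expiration: Optional[date],
                issued_at: Optional[datetime] = None) -> str:
    """Build a compact HS256 JWT (header.claims.signature) for a service account."""
    issued_at = issued_at or datetime.now(timezone.utc)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": username, "iat": int(issued_at.timestamp()),
              "exp": int(token_expiry(account_expiration, issued_at).timestamp())}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(secret: bytes, token: str, account: Optional[dict],
                 now: Optional[datetime] = None) -> bool:
    """Accept a token only if it is signed with our key, unexpired, bound to an
    existing account and not listed in that account's payload. The header's
    'alg' is ignored on purpose: HMAC is always recomputed with our own key."""
    now = now or datetime.now(timezone.utc)
    if account is None:
        return False  # fail closed: a deleted row must not revive old tokens
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, claims_b64, sig_b64 = parts
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, UnicodeDecodeError):
        return False
    if claims.get("sub") != account.get("username"):
        return False
    if claims.get("exp", 0) <= now.timestamp():
        return False
    blocked = (account.get("payload") or "").strip()  # admin-only field on the page
    if blocked and fnmatch.fnmatchcase(token, blocked):  # exact token or wildcard
        return False
    return True


def demo() -> dict:
    """Constructed scenario: a service account that expires on 2020-08-10."""
    secret = b"constructed-demo-secret"  # a real deployment keeps this out of source
    issued = datetime(2020, 2, 10, tzinfo=timezone.utc)
    in_time = datetime(2020, 3, 1, tzinfo=timezone.utc)
    too_late = datetime(2020, 8, 11, tzinfo=timezone.utc)
    token = issue_token(secret, "backup-service", date(2020, 8, 10), issued)
    account = {"username": "backup-service", "payload": None}
    return {
        "valid_before_account_expiry": verify_token(secret, token, account, in_time),
        "rejected_after_account_expiry": not verify_token(secret, token, account, too_late),
        "rejected_when_account_row_missing": not verify_token(secret, token, None, in_time),
        "rejected_by_exact_blocklist": not verify_token(secret, token, dict(account, payload=token), in_time),
        "rejected_by_wildcard_blocklist": not verify_token(secret, token, dict(account, payload=token[:40] + "*"), in_time),
        "rejected_with_wrong_key": not verify_token(b"other-key", token, account, in_time),
        "never_expiring_account_gets_10_years": token_expiry(None, issued) - issued == TEN_YEARS,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The wildcard case shows why the payload blocklist is coarse: a pattern such as the token's first 40 characters followed by "*" matches the header and the start of the claims, so it blocks every token of that account with the same leading claims, not just one. The "rejected_when_account_row_missing" case is the check the WARNING says is currently absent; until it exists, locking (not deleting) the account is the only way to keep long-lived service tokens revoked.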