feat: RBAC for the admin-api #158
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dolcalmi
requested changes
Aug 4, 2025
k9ert
force-pushed
the
kn/admin_api_rbac
branch
2 times, most recently
from
568a8ae to
79430bc
Compare
k9ert
commented
Sep 2, 2025
k9ert
commented
Sep 2, 2025
k9ert
commented
Sep 2, 2025
k9ert
commented
Sep 2, 2025
k9ert
commented
Sep 2, 2025
k9ert
commented
Sep 2, 2025
k9ert
force-pushed
the
kn/admin_api_rbac
branch
2 times, most recently
from
5ce4d40 to
d8f13a6
Compare
k9ert
commented
Sep 10, 2025
Comment on lines
+110
to
+115
| dev_pnpm_task_test( | ||
| name="unit-test", | ||
| command="test", | ||
| deps = ["//:node_modules"], | ||
| ) | ||
|
|
There was a problem hiding this comment.
I have not much clue about BUCK. It doesn't seem that the admin-panel had unit-tests so far. So i created some and i think we need to add it here to have them tested more or less OOB?!
k9ert
force-pushed
the
kn/admin_api_rbac
branch
3 times, most recently
from
3f99a16 to
569273a
Compare
k9ert
force-pushed
the
kn/admin_api_rbac
branch
from
422831b to
27c6f66
Compare
fix: linter happy fix: linter happy chore: prettier fix: tests fix: types fix: linter fix: env-vars for buck2 fix: env vars for workflow fix: change way to use service-account credentials fix: NODE_ENV test for integration tests fix: GCS_APPLICATION_CREDENTIALS_PATH within env.ts fix: prettier chore: tidy up, part 1 chore: tidy up part 2 fix: remove env from BUCK poc: Try to enrich the JWT token remove gcloud dependencies fix
k9ert
force-pushed
the
kn/admin_api_rbac
branch
from
27c6f66 to
5502141
Compare
k9ert
commented
Oct 1, 2025
| yarn install | ||
| export PORT=3004 | ||
| yarn dev | ||
| pnpm install |
There was a problem hiding this comment.
This project is pnpm based since some longer time.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
The admin panel only have an all or nothing authorisation concept. We need a more sophisticated authorisation.
Solution
On the admin-API, we group all the endpoints to specific access-rights. We have:
VIEW_ACCOUNTSVIEW_MERCHANTSLOCK_ACCOUNTAPPROVE_MERCHANTCHANGECONTACTS_ACCOUNTCHANGELEVEL_ACCOUNTDELETE_ACCOUNTSVIEW_TRANSACTIONSSEND_NOTIFICATIONSSYSTEM_CONFIGIf a request wants to call any of the endpoints (which need auth), that token need to have the corresponding access-right in its
token.scope.How do we achieve that?
We'll configure a ROLE_USER_MAPPING env var for the admin-panel which maps user to roles. Basic roles are for now:
ADMIN: can do everythingSUPPORTLV2: advanced support operations (includes all SUPPORTLV1 + contact changes)SUPPORTLV1: basic support operations (view accounts/merchants, lock accounts, level_changes, approve merchants)MARKETING: can send notifications onlyVIEWER: can only view accounts and transactionsOne user can have many roles.
The admin-panel then maps those roles to a list of access-rights like this:
Role Hierarchy:
VIEW_ACCOUNTS,VIEW_TRANSACTIONS,VIEW_MERCHANTSSEND_NOTIFICATIONSVIEW_ACCOUNTS,VIEW_TRANSACTIONS,VIEW_MERCHANTS,LOCK_ACCOUNT,APPROVE_MERCHANT,CHANGELEVEL_ACCOUNTCHANGECONTACTS_ACCOUNT,DELETE_ACCOUNTS,SYSTEM_CONFIGHere is a table:
VIEW_ACCOUNTSVIEW_TRANSACTIONSVIEW_MERCHANTSLOCK_ACCOUNTAPPROVE_MERCHANTCHANGECONTACTS_ACCOUNTCHANGELEVEL_ACCOUNTSEND_NOTIFICATIONSDELETE_ACCOUNTSSYSTEM_CONFIGLegend:
This list is then attached to the
token.scope(as stringified JSON).