# Authentication and Authorisation (Levels of Permission)

Authentication means the system recognises the user (here: the user is logged in). Authorisation means the user has permission to perform a given action.

In the ASER web app there are three levels of permission:
- Administrator
- Organisation Maintainer
- User

## Administrator

Administrators are unrestricted: they can do whatever they want.

## Organisation Maintainer

This role is tied to a specific organisation. Maintainers are mainly responsible for that organisation's information and equipment listing.

## User (The General User)

This is the role for anyone who has Pheme access. It is granted automatically and does not require a permission entry for the user: a user with no permissions listed in the table still receives everything granted to a general user, as does everyone else.

## Implementation

### JWT Authentication

Authentication is handled by Feathers (see the Feathers authentication documentation) for server-side user processing and, to some extent, on the client side.

The authentication methods are:

- local (email + password; the password is hashed when stored)
- OAuth with Auth0 (todo)

### Redux Store

The authentication state and user details are stored in the Redux store under the auth reducer (see reducers/index.js and reducers/auth.js).

### AuthGuard Component

The AuthGuard component in components/Layout is responsible for checking:

- authentication
- authorisation

It is defined in client/components/layout/AuthGuard (the authenticated dashboard layout) and is also applied wherever more levels are required (usually for authorisation, e.g. Administrator pages).

#### Multi-Role Authorisation

By default AuthGuard only tests authentication.

The flag enforcePermissionAccess is used to enable authorisation enforcement.

In the implementation, when the route starts with /administrator, the user is required to have the administrator role in their permissions.

When the route contains an organisation id, the user is required to have the matching combination of org_id and role as a maintainer.
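The permission levels and the AuthGuard route rules above, written out as a pure decision function. This is an added example, not the project's AuthGuard code: the shape of the auth reducer state (`isAuthenticated`, `user.permissions` as a list of `{ role, org_id }` entries), the organisation route pattern `/organisation/<org_id>/...`, the `guardOutcome` helper and the fail-closed default for unmatched routes are all assumptions made here.

```javascript
// Added example (not the project's code). Mirrors the rules described on the
// page: authentication is always checked; with enforcePermissionAccess,
// /administrator routes need the administrator role and organisation routes
// need a maintainer entry with the matching org_id.

// Route patterns: /administrator is from the page; the organisation route
// shape /organisation/<org_id>/... is an assumption.
const ADMIN_PREFIX = '/administrator';
const ORG_ROUTE = /^\/organisation\/([^/]+)(?:\/|$)/;

// Returns { allowed, reason } so the guard can decide between rendering,
// redirecting to login, or showing a forbidden view.
function checkAccess(authState, path, { enforcePermissionAccess = false } = {}) {
  // Step 1: authentication, always enforced.
  if (!authState || !authState.isAuthenticated || !authState.user) {
    return { allowed: false, reason: 'unauthenticated' };
  }

  // Default behaviour: any logged-in user (the general "User" level, which
  // needs no permission entry) may proceed.
  if (!enforcePermissionAccess) {
    return { allowed: true, reason: 'authenticated' };
  }

  const permissions = Array.isArray(authState.user.permissions)
    ? authState.user.permissions
    : [];
  const isAdmin = permissions.some((p) => p.role === 'administrator');

  // Step 2a: /administrator routes require the administrator role.
  if (path.startsWith(ADMIN_PREFIX)) {
    return isAdmin
      ? { allowed: true, reason: 'administrator' }
      : { allowed: false, reason: 'administrator role required' };
  }

  // Step 2b: organisation routes require role "maintainer" together with the
  // org_id taken from the route. Administrators pass as well, following the
  // page's description that they can do anything.
  const match = ORG_ROUTE.exec(path);
  if (match) {
    const orgId = match[1];
    const isMaintainer = permissions.some(
      (p) => p.role === 'maintainer' && String(p.org_id) === orgId,
    );
    if (isAdmin) return { allowed: true, reason: 'administrator' };
    if (isMaintainer) return { allowed: true, reason: 'maintainer' };
    return { allowed: false, reason: `maintainer role for org ${orgId} required` };
  }

  // Enforcement was requested but no rule matched: fail closed (assumed
  // defensive default, not stated on the page).
  return { allowed: false, reason: 'no matching authorisation rule' };
}

// What a guard component would do with the result (assumed behaviour).
function guardOutcome(result) {
  if (result.allowed) return 'render';
  return result.reason === 'unauthenticated' ? 'redirect-to-login' : 'forbidden';
}

// Constructed sample states shaped like the auth reducer output (assumed shape).
const maintainerState = {
  isAuthenticated: true,
  user: { email: 'maintainer@example.com', permissions: [{ role: 'maintainer', org_id: 42 }] },
};
const adminState = {
  isAuthenticated: true,
  user: { email: 'admin@example.com', permissions: [{ role: 'administrator' }] },
};
const generalUserState = {
  isAuthenticated: true,
  user: { email: 'user@example.com', permissions: [] },
};

module.exports = { checkAccess, guardOutcome, maintainerState, adminState, generalUserState };
```

Keeping the decision in a pure function means the same rules can be unit-tested without rendering, and the guard component only has to map `{ allowed, reason }` to a redirect, a forbidden view, or its children.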