XYZ - Developer Guide
  • Introduction
  • Licence
  • Deploying
    • Local Deployments
  • Access
    • Access Control List (ACL)
    • User account registration
    • Password reset
    • Failed login attempts
  • Environment Settings
    • Hosting
    • Access Control
    • Workspace Connections
    • 3rd party API keys
  • Workspaces
    • Title
    • Documentation
    • Locate
    • Locales
      • Gazetteer
    • Layers
      • Tile Layer
      • PostGIS Data Layers
      • Cluster Layer
      • GeoJSON Layer
      • MapBox Vector Tile (MVT) Layer
      • Grid (Hex) Layer
      • Filter
    • Locations
      • infoj
        • Groups
        • Filter
        • Lookups
        • withSelect
        • Table definition
        • Ordered list
        • Geometry
    • Editing
    • Access Restrictions & Filter
    • Workspace Checks
  • Routes
    • / (root)
    • /proxy/request
    • /api
      • /gazetteer
        • /autocomplete
        • /googleplaces
      • /layer
        • /cluster
        • /extent
        • /geojson
        • /grid
        • /mvt/:z/:x/:y
      • /location
        • /edit
          • /delete
          • /image/delete
          • /image/upload
          • /draw
          • /draw/catchment
          • /catchment/create
          • /catchment/delete
          • /update
        • /select
          • /id
          • /cluster
          • /latlng/contains
          • /latlng/nnearest
          • /latlng/intersects
          • /aggregate
        • /field/range
    • /auth
      • /login
      • /register
      • /token
        • /api
        • /renew
      • /user
        • /admin
        • /verify
        • /approve
        • /update
        • /delete
    • /workspace
      • /get
      • /load
      • /admin
      • /admin/json
  • Infrastructure
    • _xyz
      • host
      • layer
      • location
      • mapview
      • tableview
    • Dependencies
      • Webpack
      • SASS
    • Testing
    • Security
      • JWT token
      • Strategy
      • SQL Injections
    • Server
    • Client
Powered by GitBook
On this page
  1. Infrastructure

Security

PreviousTestingNextJWT token

Last updated 6 years ago

We are using the module for authentication in XYZ. All authentication is handled by the module.

By setting the access key (PUBLIC or PRIVATE) in the with a PostgreSQL connection string (plus a table name separated by a | pipe) it is possible to restrict access. The access control list (ACL) table must be stored in a PostgreSQL database.

If set to PRIVATE a login is required to open the application or access any endpoint. If set to public login is optional for routes which are not restricted for administrator. Admin routes are not available if no ACL is provided. Without the admin route all changes to the settings need to be done in the code repository or database.

An ACL must have following table schema:

create table if not exists users
(
	"_id" serial not null,
	email text not null,
	password text not null,
	verified boolean,
	approved boolean,
	admin boolean,
	verificationtoken text,
	approvaltoken text,
	failedattempts integer default 0,
	password_reset text,
	api text
);

We are using a javascript implementation of the OpenBDS to encrypt passwords at rest in the ACL. The and views use for the email (max 50 character) and password (min 8 character). These are also validated on the backend.

fastify-auth
auth.js
environmental settings
Blowfish (cipher)
login
register
input form validation