Security
Last updated
We are using the module for authentication in XYZ. All authentication is handled by the module.
By setting the access key (PUBLIC or PRIVATE) in the with a PostgreSQL connection string (plus a table name separated by a | pipe), it is possible to restrict access. The access control list (ACL) table must be stored in a PostgreSQL database.
If set to PRIVATE, a login is required to open the application or access any endpoint. If set to PUBLIC, login is optional for routes that are not restricted to administrators. Admin routes are not available if no ACL is provided. Without the admin routes, all changes to the settings need to be made in the code repository or the database.
An ACL must have the following table schema:
We are using a JavaScript implementation of the OpenBSD to encrypt passwords at rest in the ACL. The and views use for the email (max 50 characters) and password (min 8 characters). These are also validated on the backend.
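The access-key parsing and the PUBLIC/PRIVATE route rules described above, together with the backend length checks, as an added example (not the project's own code): the function names, the route/user object shapes, and the choice to split on the last pipe and to fail closed on an unknown mode are assumptions made for this illustration.

```javascript
// Added example, not the project's own implementation.

// Split "<postgres connection string>|<acl table>" into its two parts.
// Assumption: the table name follows the LAST pipe, so a pipe inside the
// connection string's password does not break parsing.
function parseAccessKey(value) {
  const i = value.lastIndexOf('|');
  if (i < 0) return null;                       // no ACL table configured
  const connection = value.slice(0, i).trim();
  const table = value.slice(i + 1).trim();
  // Conservative check: only a plain unquoted identifier is accepted, since
  // the name will later be used as an SQL identifier.
  if (!connection || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(table)) return null;
  return { connection, table };
}

// Decide how a request should be handled.
//   mode:  'PUBLIC' or 'PRIVATE' (anything else is treated as PRIVATE)
//   acl:   result of parseAccessKey, or null when no ACL is provided
//   route: { admin: boolean }
//   user:  { isAdmin: boolean }, or null when nobody is logged in
// Returns 'allow', 'login_required', 'forbidden' or 'not_found'.
function authorize(mode, acl, route, user) {
  const isPublic = mode === 'PUBLIC';           // fail closed on unknown modes
  // Admin routes do not exist at all without an ACL table.
  if (route.admin && !acl) return 'not_found';
  // PRIVATE: every endpoint needs a login.
  if (!isPublic && !user) return 'login_required';
  // PUBLIC: only admin-restricted routes need a login, and an admin one.
  if (route.admin) {
    if (!user) return 'login_required';
    if (!user.isAdmin) return 'forbidden';
  }
  return 'allow';
}

// Backend validation mirroring the limits enforced in the views:
// email at most 50 characters, password at least 8 characters.
function validateCredentials(email, password) {
  const errors = [];
  if (typeof email !== 'string' || email.length === 0 || email.length > 50) {
    errors.push('email must be 1-50 characters');
  }
  if (typeof password !== 'string' || password.length < 8) {
    errors.push('password must be at least 8 characters');
  }
  return errors;
}
```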