Space Cloud offers robust authentication and authorization mechanisms with the philosophy that applications and platforms built with Space Cloud should be secure by default. Treating security as an afterthought is a recipe for disaster.
The security module in Space Cloud secures requests to the database, file storage and remote services via security rules written by the user. Any operation on a resource (database, function or file path) not specified in the configuration file is denied. This ensures that all operations are secure by default in Space Cloud.
As a user, you have to write security rules for the various operations on all the resources (database, file storage and remote services) exposed by Space Cloud. These security rules are written in the config file provided to Space Cloud. All incoming requests to Space Cloud are first validated by the API controller via the security module, based on the corresponding rule in the config file. Validation happens in two stages: Authentication and Authorization.
Space Cloud uses JWT-based authentication. It expects a JWT token in every incoming request. The security module verifies whether the signature of the token is valid using a secret provided to it. This ensures that the user is authenticated and has not altered the token or created a false one of his / her own. You can check out the official website of the JWT project to learn more about it.
Each JWT token provided to a user on signin/signup is signed with a secret by an authentication service (the in-built one or your custom service). This is the same secret that is provided to Space Cloud in its config file. JWT tokens also contain a JSON object (known as claims) as their payload. When writing a custom service, you are free to decide which claims go into the JWT token. When using the in-built user authentication module, the claims consist of the role of the user. This JSON object is parsed and made available as the args.auth variable in security rules. The integrity of the auth variable is guaranteed by the JWT signature, which covers the payload: a client cannot change the claims without invalidating the token.
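As an added example (not Space Cloud's own code), this is the check the authentication stage performs, written in Python with only the standard library: an HS256 token is verified against the shared secret, its claims are decoded into a dict that plays the part of args.auth, and a token whose payload was edited after signing is rejected. The secret, claims and token below are constructed for the example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, secret: str) -> str:
    """Mint an HS256 JWT the way an auth service would on signin/signup."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: str):
    """Return the claims (what becomes args.auth) if the signature is valid, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # Accept only the configured algorithm; honouring "none" or a client-chosen alg defeats the check.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so the verifier does not leak how many signature bytes matched.
    if not hmac.compare_digest(expected, signature):
        return None
    return json.loads(_b64url_decode(payload_b64))


SECRET = "example-shared-secret"  # constructed; this is the value that would go in the Space Cloud config
token = sign_token({"id": "user-42", "role": "user"}, SECRET)

# A payload edited after signing (role changed) no longer matches the signature.
_h, _p, _s = token.split(".")
tampered = f"{_h}.{_b64url_encode(json.dumps({'id': 'user-42', 'role': 'admin'}).encode())}.{_s}"

if __name__ == "__main__":
    print(verify_token(token, SECRET))          # {'id': 'user-42', 'role': 'user'}
    print(verify_token(tampered, SECRET))       # None
    print(verify_token(token, "wrong-secret"))  # None
```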
The authorization stage decides whether an authenticated user is allowed to make a request. The request is validated only if the security rule resolves according to its type. Rules can be resolved in the following ways:
2XX to validate the request.
Security rules are the mechanism used to enforce authorization. A request is allowed only if the conditions specified by the security rules are met. Currently, the following rules are supported:
delete while selectively allowing the other ones.
403 error to the client.
query rules to tackle complex authorization tasks.
Each module has its own way of using security rules. Head over to the module-specific security rule page to learn how they are used and to see some examples.