allucanget/calminer
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity
Files
9934d1483d367684a5857dfc1031691678fbce58
calminer/docs/architecture/08_concepts/08_01_security.md
zwitschi 7f4cd33b65
Some checks failed
Run Tests / e2e tests (push) Failing after 1m25s
Details
Run Tests / lint tests (push) Failing after 6s
Details
Run Tests / unit tests (push) Failing after 5s
Details
fix: Update authentication system to use passlib for password hashing
2025-10-27 10:57:27 +01:00

37 lines
1.9 KiB
Markdown
Raw Blame History

# User Roles and Permissions Model
This document outlines the proposed user roles and permissions model for the CalMiner application.
## User Roles
- **Admin:** Full access to all features, including user management, application settings, and all data.
- **Analyst:** Can create, view, edit, and delete scenarios, run simulations, and view reports. Cannot modify application settings or manage users.
- **Viewer:** Can view scenarios, simulations, and reports. Cannot create, edit, or delete anything.
## Permissions (examples)
- `users:manage`: Admin only.
- `settings:manage`: Admin only.
- `scenarios:create`: Admin, Analyst.
- `scenarios:view`: Admin, Analyst, Viewer.
- `scenarios:edit`: Admin, Analyst.
- `scenarios:delete`: Admin, Analyst.
- `simulations:run`: Admin, Analyst.
- `simulations:view`: Admin, Analyst, Viewer.
- `reports:view`: Admin, Analyst, Viewer.
## Authentication System
The authentication system uses JWT (JSON Web Tokens) for securing API endpoints. Users can register with a username, email, and password. Passwords are hashed using a `passlib` CryptContext for secure, configurable hashing. Upon successful login, an access token is issued, which must be included in subsequent requests for protected resources.
## Key Components
- **Password Hashing:** `passlib.context.CryptContext` with `bcrypt` scheme.
- **Token Creation & Verification:** `jose.jwt` for encoding and decoding JWTs.
- **Authentication Flow:**
1. User registers via `/users/register`.
2. User logs in via `/users/login` to obtain an access token.
3. The access token is sent in the `Authorization` header (Bearer token) for protected routes.
4. The `get_current_user` dependency verifies the token and retrieves the authenticated user.
- **Password Reset:** A placeholder `forgot_password` endpoint is available, and a `reset_password` endpoint allows users to set a new password with a valid token (token generation and email sending are not yet implemented).
View Git Blame Copy Permalink