mukimovd/turash
1
0
Fork 0
mirror of https://github.com/SamyRai/turash.git synced 2025-12-26 23:01:33 +00:00
Code Issues 1 Actions Packages Projects Releases Wiki Activity
4a38490104
turash/bugulma/frontend/AUTH_AND_PERMISSIONS.md

422 lines
8.8 KiB
Markdown
Raw Blame History

# Authentication, Authorization & Permissions System
## Overview
Complete authentication, authorization, and permission system for the admin panel and application.
## Architecture
### 1. Authentication (`AuthContext`)
**Location**: `contexts/AuthContext.tsx`
**Features**:
- User login/logout
- Token management (JWT)
- Server-side token validation
- User state management
- Auto-refresh user data
**User Interface**:
```typescript
interface User {
id: string;
email: string;
name: string;
role: UserRole; // 'admin' | 'user' | 'content_manager' | 'viewer'
permissions?: string[]; // Optional granular permissions from backend
}
```
**Usage**:
```tsx
import { useAuth } from '@/contexts/AuthContext';
const { user, login, logout, isAuthenticated, isLoading, refreshUser } = useAuth();
```
### 2. Permissions System (`types/permissions.ts`)
**Permission Types**:
- `organizations:*` - Organization management
- `localization:*` - Translation management
- `content:*` - Content management
- `users:*` - User management
- `analytics:*` - Analytics access
- `settings:*` - Settings management
- `system:*` - System administration
**Roles**:
- `admin` - Full access to all permissions
- `content_manager` - Content and localization management
- `viewer` - Read-only access
- `user` - Regular user (no admin permissions)
**Role-Permission Mapping**:
- Defined in `ROLE_PERMISSIONS` constant
- Easy to extend and modify
- Type-safe
### 3. Permission Hooks
#### `usePermissions()`
**Location**: `hooks/usePermissions.ts`
**Features**:
- Check single permission
- Check multiple permissions (any/all)
- Role checks (isAdmin, isContentManager, etc.)
- Memoized for performance
**Usage**:
```tsx
import { usePermissions } from '@/hooks/usePermissions';
const {
role,
checkPermission,
checkAnyPermission,
checkAllPermissions,
isAdmin,
isContentManager,
isViewer,
} = usePermissions();
// Check single permission
if (checkPermission('organizations:update')) {
// Show edit button
}
// Check multiple (any)
if (checkAnyPermission(['organizations:update', 'organizations:create'])) {
// Show action menu
}
// Check multiple (all)
if (checkAllPermissions(['organizations:read', 'organizations:update'])) {
// Show full editor
}
```
#### `useAdmin()`
**Location**: `hooks/useAdmin.ts`
**Features**:
- Combines admin context with permissions
- Convenience methods for common checks
- Admin stats access
**Usage**:
```tsx
import { useAdmin } from '@/hooks/useAdmin';
const {
isAdminMode,
adminStats,
refreshAdminStats,
canManageOrganizations,
canManageUsers,
canAccessSettings,
} = useAdmin();
```
### 4. Admin Context (`AdminContext`)
**Location**: `contexts/AdminContext.tsx`
**Features**:
- Admin-specific state
- Admin statistics (pending verifications, translations, alerts)
- Auto-refresh stats
- Only active for admin users
**Usage**:
```tsx
import { useAdmin as useAdminContext } from '@/contexts/AdminContext';
const { isAdminMode, adminStats, refreshAdminStats } = useAdminContext();
```
### 5. Route Protection Components
#### `ProtectedRoute`
**Location**: `components/auth/ProtectedRoute.tsx`
**Features**:
- Role-based protection
- Permission-based protection
- Loading states
- Redirect handling
**Usage**:
```tsx
<ProtectedRoute requiredRole="admin" permission="organizations:read">
<OrganizationsPage />
</ProtectedRoute>
```
#### `AdminRoute`
**Location**: `components/auth/AdminRoute.tsx`
**Features**:
- Specifically for admin routes
- Automatic admin role check
- Optional permission checks
- Better error messages
**Usage**:
```tsx
<AdminRoute permission="organizations:update">
<OrganizationEditPage />
</AdminRoute>
```
### 6. Permission-Based UI Components
#### `RequirePermission`
**Location**: `components/auth/RequirePermission.tsx`
**Features**:
- Conditionally render content
- Show error or fallback
- Supports multiple permissions
**Usage**:
```tsx
<RequirePermission
permission="organizations:delete"
fallback={<div>No permission</div>}
>
<DeleteButton />
</RequirePermission>
```
#### `PermissionGate`
**Location**: `components/auth/PermissionGate.tsx`
**Features**:
- Hide/show UI elements
- Lighter weight than RequirePermission
- No navigation, just conditional rendering
**Usage**:
```tsx
<PermissionGate permission="organizations:update">
<EditButton />
</PermissionGate>
```
## Provider Setup
**Location**: `providers/AppProvider.tsx`
```tsx
<AuthProvider>
<AdminProvider>
{/* Other providers */}
</AdminProvider>
</AuthProvider>
```
## Usage Examples
### Example 1: Protected Admin Route
```tsx
// In AppRouter.tsx
<Route
path="/admin/organizations"
element={
<AdminRoute permission="organizations:read">
<AdminLayout>
<OrganizationsPage />
</AdminLayout>
</AdminRoute>
}
/>
```
### Example 2: Permission-Based Button
```tsx
import { PermissionGate } from '@/components/auth';
const OrganizationActions = ({ org }) => {
return (
<div className="flex gap-2">
<PermissionGate permission="organizations:update">
<Button onClick={() => edit(org)}>Edit</Button>
</PermissionGate>
<PermissionGate permission="organizations:delete">
<Button variant="destructive" onClick={() => delete(org)}>
Delete
</Button>
</PermissionGate>
<PermissionGate permission="organizations:verify">
<Button onClick={() => verify(org)}>Verify</Button>
</PermissionGate>
</div>
);
};
```
### Example 3: Admin Dashboard with Stats
```tsx
import { useAdmin } from '@/hooks/useAdmin';
const AdminDashboard = () => {
const { adminStats, refreshAdminStats, canAccessAnalytics } = useAdmin();
return (
<div>
{adminStats && (
<div>
<p>Pending Verifications: {adminStats.pendingVerifications}</p>
<p>Pending Translations: {adminStats.pendingTranslations}</p>
</div>
)}
{canAccessAnalytics && (
<AnalyticsSection />
)}
</div>
);
};
```
### Example 4: Conditional Menu Items
```tsx
const AdminSidebar = () => {
const { checkPermission } = usePermissions();
return (
<nav>
<NavItem to="/admin/organizations">Organizations</NavItem>
{checkPermission('localization:read') && (
<NavItem to="/admin/localization">Localization</NavItem>
)}
{checkPermission('users:read') && (
<NavItem to="/admin/users">Users</NavItem>
)}
{checkPermission('settings:read') && (
<NavItem to="/admin/settings">Settings</NavItem>
)}
</nav>
);
};
```
## Backend Integration
### Token Structure
The JWT token should include:
```json
{
"user_id": "uuid",
"email": "user@example.com",
"name": "User Name",
"role": "admin",
"permissions": ["organizations:read", "organizations:update", ...]
}
```
### API Endpoints
- `POST /api/v1/auth/login` - Login
- `GET /api/v1/auth/me` - Get current user (token validation)
- `POST /api/v1/auth/logout` - Logout (optional, client-side cleanup)
### Backend Middleware
- `AuthMiddleware` - Validates JWT token
- `RequireRole` - Checks role
- Future: `RequirePermission` - Checks specific permissions
## Security Considerations
1. **Token Validation**: Always validated server-side
2. **Client-Side Checks**: UI-only, never trusted for security
3. **Permission Checks**: Backend must enforce all permissions
4. **Token Storage**: localStorage (consider httpOnly cookies for production)
5. **Auto-Refresh**: Tokens should be refreshed before expiry
6. **Logout**: Clears all auth-related storage
## Future Enhancements
1. **Granular Permissions from Backend**: Support for user-specific permissions
2. **Permission Groups**: Group permissions for easier management
3. **Audit Logging**: Track permission checks and access attempts
4. **Token Refresh**: Automatic token refresh before expiry
5. **Multi-Factor Authentication**: 2FA support
6. **Session Management**: Multiple active sessions
7. **Role Hierarchy**: Support for role inheritance
## Migration Notes
### Updating Existing Code
1. **Replace role checks**:
```tsx
// Old
{user?.role === 'admin' && <AdminButton />}
// New
<PermissionGate permission="organizations:update">
<AdminButton />
</PermissionGate>
```
2. **Update ProtectedRoute usage**:
```tsx
// Old
<ProtectedRoute requiredRole="admin">
<AdminPage />
</ProtectedRoute>
// New (for admin routes)
<AdminRoute permission="organizations:read">
<AdminPage />
</AdminRoute>
```
3. **Use permission hooks**:
```tsx
// Old
const isAdmin = user?.role === 'admin';
// New
const { isAdmin, checkPermission } = usePermissions();
```
## Testing
### Unit Tests Needed
- Permission checking logic
- Role-to-permission mapping
- Route protection components
- Permission gate components
### Integration Tests Needed
- Login flow
- Token validation
- Permission-based UI rendering
- Route protection
- Admin context state
Reference in New Issue View Git Blame Copy Permalink