flesh out partial syncing / authZ restrictions

[0xgeert]

How to deal with partial sync / authZ restrictions?

Is it ok to have policies in front of the common REST-endpoints as to filter/restrict the output? Is this ok in light of http caching?

Idea would be to do everything based on json webtokens passed along in a cookie for authenticated users. Or: (probably better) have the client fetch the cookie and pass the json webtoken as some sort of auth header, which enables the sails backend to behave as a stateless Resource server.

(although it's a matter of opinion I guess why cookies would count as stateful and headers as stateless).

relates to #39 which enables post process filtering on field level

[0xgeert]

Good authZ article with flow:
http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/

[0xgeert]

Condensed API guidelines:
https://github.com/gebrits/flux-test/wiki/Api-best-practices

[0xgeert]

clientside

• url hash id to pass userid or admin for admin
• flexible method for encoding authorization header. Used for all ajax and socket calls. For now the above urlhash id is passed as value for the authorization

serverside

• when no authorization passed Todocontroller can't be checked.
• when authorization header passed finders work on own data
• when authorization header passed CUD work on own data
• socket updates can only be received when at least read-access
• admin may see more data per todo (relates to SailsJS ability to implement: Post process filtering on a field-level for Resource Instances.  #39 )

[0xgeert]

See:
balderdashy/sails#1857
https://github.com/randallmeeker/SailsBluePrintActions/tree/master/findOneWithQueryParams