I need an API that will be accessed by a mobile application and will serve a CRM system with a React front end.
User login in the CRM is implemented with JWT via Auth0. The user logs in and lands on the main page, which every logged-in user is allowed to view regardless of access rights. That part is clear. But what if there is an administrative application that is accessible only to a certain circle of people? It needs to access the API and have access to everything; as implemented, a role with all rights is created, called, for example, app. But what about authentication in that case? If a user is sent to the login page, what happens with the application? It is always the same one. It would need to be given access without authentication, without any fuss, even without JWT... Or is that not possible? What is the login mechanism for an application accessing the API?
  • This is a bit of a mess. Try to articulate the problem. – Difficult31 Jul 10 '19 at 18:57
  • What application and who uses it? – European13 Jul 10 '19 at 19:00
  • After authorization, give the user a role and display the interfaces for that role in the application. – Ugly Unicorn Jul 10 '19 at 23:08
  • Difficult31
    Perhaps it is messy, yes...
    To put it differently. If there is an application that should have exclusive access (to all functions) to the API, and the API requires an access token and checks access rights, how is the application's access to the API implemented in this case? It is clear that there is some kind of "login" (I don't understand the mechanism; it's not a live user, you don't show it a login form) and then an access token is sent with each request (and also refreshed, re-entered, etc.). But logically there is no point in authorization for the application (making it work according to the classical JWT scheme, which is more about users); it would need to be always authorized, since there are no others: there is this one "user", and only it has those rights.
    As a guess, one could perhaps not bother, not authenticate the application at all, and simply send with every request a kind of passport indicating that the application has the right:

    ?action=get&param1=xxx&param2=xxx&param3=xxx&timestamp=111&x=xxx

    where secret = sha1(get + param1 + param2 + param3 + timestamp + secretSalt).
    When the server receives a request it checks the secret, which makes it clear that the request comes from a trusted party. To severely restrict the possibility of reusing such a request if it is intercepted, and to avoid keeping a database, take it as given that each request is alive for 5 seconds, i.e. on receipt check the timestamp, and if the request is still fresh, return the data. Banks use such a data exchange scheme in their APIs (but with all requests stored in a database and checked).
    But in the case of an application accessing an API, is this normal practice, or am I reinventing the wheel, and are there typical time-tested solutions, best practices? Coming up with something is not a problem. I need to broaden my horizons so that there isn't an excess of homegrown improvisation.
    – Inquisitive Ibis Jul 13 '19 at 01:01

1 Answer

What's the problem?
Judging by the text, there is already a separation of users by roles, and depending on the role one or another piece of functionality is available in the application.

Add a new role that will have access to everything. Accordingly, if you log in to the administrative application as a user with "admin" privileges, the API information will be displayed, and without a user you will get an error.

In theory, it does not matter what kind of application you have (public/non-public): all your logic should be implemented in the API, and the application only "draws" what arrives from the API.

If the problem is something else, state the question more clearly.