We plan to integrate with Forest Admin. We're building a digital banking app, so security has the highest priority.
- Could you describe how the authorization and authentication process is implemented?
- Where are credentials and permissions stored?
- Can we override the routes with API calls instead of database-based views?
Our requirements regarding authorization are:
- Credentials (usernames and passwords) are stored on our servers. Credentials are never exposed to external services (i.e. Forest Admin's servers).
- When users are authenticated, credentials are sent from the client app (web browser) to our servers, which issue tokens (if credentials are valid). Tokens are JWT tokens signed with private keys stored on our servers.
- Tokens are stored by the client app and are later passed with every request to endpoints serving views and smart actions. Endpoints verify tokens before requests are served (verification checks the signature and the credentials stored in the token).
Remarks regarding custom routes and API calls: our business logic is implemented in code, not in a database. It is impossible to enforce this logic in the database. It is also impossible to infer the views and actions (that should be available through the Forest Admin panel) from the database schema. We need (and are willing) to provide dedicated endpoints that describe views and actions for the Forest Admin panel, as well as provide the actual data to be shown in the panel. These endpoints would take care of authorization (i.e. verification of the tokens described above).
Head of Product at pawaBank