I’m exploring an opportunity to expand the security requirements for an OWA through JWT tokens and React middleware. As I discussed with @mogoodrich already, I’m moving this thread here to get your ideas on the following idea.
Still, we don’t have any tokens for authorization; we depend only on the server’s session-based login system. Since we are moving towards React-based UI modules, I feel it is good to move to token management such as JWT. I have explored JWT in OpenMRS and could find a ticket (RESTWS-648) regarding this, but I can’t find any implementation.
In React-Components also, we depend on the session for login and authorization. See here. So it needs an HTTP request to handle each and every user authentication before providing services, which might cause unwanted delays for users.
- I would like to move this implementation to the Core authorization filter rather than having it in the RESTWS module. So each authentication will have a unique JWT token based on the configuration.
- Attach some non-sensitive user data and user access scopes along with this token.
- Implement a unique REST endpoint for user authentication and issuing tokens (not the session endpoint), e.g. openmrs/rest/v1/auth
- Implement React logic to fetch the JWT token of the authenticated user from the server and store it as a cookie/session/local storage in the browser.
- Still, I can’t see any middleware components in React-Components other than sagaMiddleWare. So I wish to have a middleware which checks user access/authentication through the JWT token stored in the cookie/session/local storage in the browser, without an HTTP request to the server.
With this idea, a React OWA will not reach the server to validate user access/authentication before providing services. If the user’s JWT token has expired, the React OWA will launch the login screen for re-login.
I’m expecting your suggestions to move this idea forward for GSoC 2019.
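As an added illustration of the middleware idea in the post above (this is example code, not part of the original post, OpenMRS core, or openmrs-react-components), the block below is a Redux-style middleware that reads the JWT kept in the browser, checks its `exp` claim and an assumed `scopes` claim locally, and redirects to a login action when the token is missing or expired, all without a server round trip. The action types `SHOW_LOGIN` and `ACCESS_DENIED`, the `meta.requireScope` convention, and the claim names are assumptions for illustration. The local check only reads claims; the signature can only be verified by the server that holds the key, so the server must still validate the token on every request it serves.

```javascript
// Added example (not OpenMRS or openmrs-react-components code): a Redux-style
// middleware that gates actions on a JWT held in the browser without a server
// round trip. Action types, `meta.requireScope`, and the `scopes` claim are
// assumptions for illustration.

// base64url -> UTF-8 string (works in Node and in browsers)
function base64UrlDecode(input) {
  const padded = input.replace(/-/g, '+').replace(/_/g, '/') +
    '='.repeat((4 - (input.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') {
    return Buffer.from(padded, 'base64').toString('utf8');
  }
  return decodeURIComponent(atob(padded).split('')
    .map(c => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join(''));
}

// Parse the payload segment of a compact JWT. This only reads claims; it does
// NOT verify the signature (only the server holding the key can do that).
function parseJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return null;
  }
}

// Checks the middleware can make locally: token present, not expired, and
// carrying the required scope. `now` is seconds since the epoch.
function tokenStatus(token, requiredScope, now = Math.floor(Date.now() / 1000)) {
  const payload = parseJwtPayload(token);
  if (!payload) return 'missing';
  if (typeof payload.exp !== 'number' || payload.exp <= now) return 'expired';
  if (requiredScope) {
    const scopes = Array.isArray(payload.scopes) ? payload.scopes : [];
    if (!scopes.includes(requiredScope)) return 'forbidden';
  }
  return 'ok';
}

// Redux middleware factory. `getToken` reads the stored token (cookie,
// sessionStorage, localStorage, ...); `now` is an optional clock for tests.
// Actions carrying `meta.requireScope` are checked before reaching reducers.
function createJwtMiddleware(getToken, now) {
  return store => next => action => {
    const requiredScope = action.meta && action.meta.requireScope;
    if (!requiredScope) return next(action);
    const status = tokenStatus(getToken(), requiredScope, now && now());
    if (status === 'ok') return next(action);
    if (status === 'forbidden') {
      return next({ type: 'ACCESS_DENIED', payload: { action: action.type, requiredScope } });
    }
    // missing or expired: send the user back to the login screen, keeping
    // the original action so the UI can retry it after re-login
    return next({ type: 'SHOW_LOGIN', payload: { reason: status, retry: action } });
  };
}

// Constructed sample token for a stand-alone run (Node). The third segment is
// a placeholder; a real token's signature comes from the issuing server.
function makeDemoToken(payload) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.demo-signature`;
}

// Minimal dispatcher so the example runs without Redux installed; returns
// the actions that reached the (stubbed) reducer.
function runThroughMiddleware(middleware, action) {
  const seen = [];
  const dispatch = middleware({})(a => { seen.push(a); return a; });
  dispatch(action);
  return seen;
}

// Usage: an expired token turns a scoped action into SHOW_LOGIN
const demoNow = 1700000000; // constructed fixed clock
const expiredToken = makeDemoToken({ sub: 'admin', scopes: ['patient:read'], exp: demoNow - 1 });
const demoMw = createJwtMiddleware(() => expiredToken, () => demoNow);
console.log(runThroughMiddleware(demoMw, { type: 'LOAD_PATIENT', meta: { requireScope: 'patient:read' } })[0].type);
```

In a real OWA, `getToken` would read whatever the app chose in step 4 of the proposal (cookie, sessionStorage or localStorage), and the reducer handling `SHOW_LOGIN` would render the login screen and re-dispatch `payload.retry` once a fresh token has been fetched from the auth endpoint.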