Securing Platformatic DB with Authorization
Authorization in Platformatic DB is role-based. User authentication and the assignment of roles must be handled by an external authentication service; Platformatic DB only evaluates the resulting role against its rules. Take a look at the reference documentation for Authorization.
The goal of this simple guide is to protect an API built with Platformatic DB with the use of a shared secret, which we call adminSecret. We want to prevent any user that is not an admin from accessing the data.
Using an adminSecret is a simplistic way of securing a system. It is a crude way of limiting access and not suitable for production systems: the secret is a single static credential, so anyone who obtains it (through a leaked configuration file, a log line, or a breach) has full admin access, and rotating it means updating every client that holds it. A production-friendly approach is to issue a machine-to-machine JSON Web Token, ideally signed with an asymmetric key so that the API only needs the public key to verify it. Alternatively, you can defer to an external service via a Web Hook. Please refer to our guide to set up Auth0 for more information on JSON Web Tokens.
Block access to all entities, allow admins
The following configuration blocks all anonymous users (i.e. every user without a known role) from accessing every entity:
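As an added example (not the page's own configuration), this is a minimal authorization section for the platformatic.db configuration file that achieves that. It assumes the authorization.adminSecret key and Platformatic's {ENV_VAR} placeholder syntax for reading the secret from the PLT_ADMIN_SECRET environment variable instead of hard-coding it; the database and server sections are omitted.

```json
{
  "authorization": {
    "adminSecret": "{PLT_ADMIN_SECRET}"
  }
}
```

With authorization enabled and no rules defined, requests that carry no recognised role are rejected, while a request whose X-PLATFORMATIC-ADMIN-SECRET header matches the secret is assigned the admin role and has full access. Keep the secret out of the repository: set PLT_ADMIN_SECRET in the environment (or in a .env file, which Platformatic loads at startup) with a long random value, and restrict file permissions on whatever holds it.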
The data will still be available if the X-PLATFORMATIC-ADMIN-SECRET HTTP header is specified when making HTTP calls, like so:
curl -H 'X-PLATFORMATIC-ADMIN-SECRET: replaceWithSomethingRandomAndSecure' http://127.0.0.1:3042/pages
Configuring JWT or Web Hooks has the same effect as configuring an admin secret: each strategy establishes the caller's role, and the rules are then evaluated against that role.
Rules can be provided per entity and per role in order to restrict access and provide fine-grained control.
To allow only admins to query and save the pages table / page entity using adminSecret, this structure should be used in the platformatic.db configuration file:
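As an added example (not the page's own configuration), the following authorization section grants find and save on the page entity to the admin role only. It assumes the rule fields role, entity, find, save and delete, the default admin role name platformatic-admin, and the {PLT_ADMIN_SECRET} environment placeholder; the rest of the configuration is omitted.

```json
{
  "authorization": {
    "adminSecret": "{PLT_ADMIN_SECRET}",
    "rules": [
      {
        "role": "platformatic-admin",
        "entity": "page",
        "find": true,
        "save": true,
        "delete": false
      }
    ]
  }
}
```

Because no rule mentions any other role, anonymous callers are denied on page; delete is left false so that even the admin secret cannot remove rows, which keeps the blast radius of a leaked secret to reads and writes. Verify the policy from the outside by issuing the same request with and without the header and checking that only the one carrying the secret succeeds.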
Note that the role of an admin user authenticated with the adminSecret strategy is platformatic-admin by default.
Read-only access to anonymous users
The following configuration allows all anonymous users (i.e. every user without a known role) to access the pages table / page entity in read-only mode:
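As an added example (not the page's own configuration), the following authorization section grants anonymous callers read access to the page entity and nothing else, while the admin secret keeps full access. It assumes the default anonymous role name anonymous, the rule fields find, save and delete, and the {PLT_ADMIN_SECRET} environment placeholder; the rest of the configuration is omitted.

```json
{
  "authorization": {
    "adminSecret": "{PLT_ADMIN_SECRET}",
    "rules": [
      {
        "role": "anonymous",
        "entity": "page",
        "find": true,
        "save": false,
        "delete": false
      }
    ]
  }
}
```

A quick check after deploying this is a GET on /pages without any header, which should return data, followed by a POST or DELETE on the same path without the header, which should be rejected; a rule that accidentally sets save or delete to true for anonymous is the mistake this check catches.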
Note that only the read operation is set to true to allow access, while the write operations are false.
Work in Progress
This guide is a Work-In-Progress. Let us know what other common authorization use cases we should cover.