Complete implementation of scopes and roles for user types in AWS Cognito #196

Open
Tracked by #769
tylerthome opened this issue Jun 11, 2020 · 8 comments
Labels
Complexity: Large Issue requires some research and solution is only loosely defined. draft Feature: Architecture p-Feature: IAM Identity Access Management points: 3 Can be done in 13-18 hours Role: Back End

Comments

@tylerthome
Member

tylerthome commented Jun 11, 2020

Other issues are covering this, but this could be helpful as documentation. Setting as draft until this is turned into an actionable issue. 9/12/24 Ariel Lasry

Overview

Create the remaining scopes applicable to each user type within AWS Cognito, and add API route protection in the Flask application.

Resources/Instructions

Given these resource types:

  • Guest Questions (and associated response types/values)
  • Host Questions (and associated response types/values)
  • Guest Details
  • Host Details
  • Guest Responses
  • Host Responses
  • Restrictions
  • Matches

Create the appropriate scopes in Auth0 and assign appropriate permissions to each role:

  • User Types
    • Guest
      • READ ONLY
        • Guest Questions
        • Match Results for current user
        • Host Details (for matched hosts only)
      • READ/WRITE
        • Guest Response Values
        • Guest Details
    • Host
      • READ ONLY
        • Host Questions
        • Match Results for current user
        • Guest Details (for matched guests only)
      • READ/WRITE
        • Host Response Values for current user
        • Host Details for current user
    • Case Worker / Org Employee (or "admin")
      • READ ONLY
        • Match Results for assigned Guests
        • Host Details
        • Host Questions and Responses
      • READ/WRITE
        • Match Results for assigned Guests (to manipulate status values for manual business processes)
    • Organization Administrator (or "super admin")
      • READ ONLY
        • Host and Guest Details
        • Host and Guest Responses
      • READ/WRITE
        • Host and Guest Questions (and associated response types/values)
        • Match Results (status)
        • (proposed) Permissions of Case Workers / Org Employees to access system resources
@tylerthome tylerthome self-assigned this Jun 11, 2020
@tylerthome tylerthome added this to the Host Registration milestone Jul 25, 2020
@abbyhipp abbyhipp modified the milestones: Host Registration, MVP Sep 2, 2020
@abbyhipp abbyhipp added p-Feature: IAM Identity Access Management and removed Feature: Architecture labels Sep 5, 2020
@tylerthome tylerthome added points: 3 Can be done in 13-18 hours and removed points: missing labels Aug 31, 2021
@kpoints kpoints assigned kpoints and unassigned tylerthome Feb 9, 2022
@JRHutson
Member

Please provide update

  1. Progress
  2. Blocker
  3. Availability
  4. ETA

@JRHutson
Member

Need to complete user flows before defining.

@rossbb rossbb self-assigned this Sep 14, 2022
@randelbrot
Member

Hi @tylerthome, is this issue still in progress? If not, can you move this issue to the appropriate status column? Thanks!

@tylerthome tylerthome changed the title Complete implementation of scopes and roles for user types in Auth0 Complete implementation of scopes and roles for user types in AWS Cognito Jan 18, 2023
@Joshua-Douglas
Member

Hey @tylerthome,

I've done some research into role based endpoint access, and I think I can begin putting together a design to achieve this.

Would it be possible to take over this issue? Thanks!

@erikguntner
Collaborator

erikguntner commented Aug 16, 2023

@Joshua-Douglas here's a link to a discussion regarding this topic from a little while ago, in case it's any help: #535

@Joshua-Douglas
Member

We can't effectively add role-based access until we begin authenticating our endpoints. In order to determine if a user has the correct role, you first need to verify their identity. This is what authentication helps us achieve.

We can start this issue after #577

@tylerthome tylerthome assigned Joshua-Douglas and unassigned rossbb Apr 9, 2024
@tylerthome
Member Author

tylerthome commented Apr 9, 2024

Moving this to the dev team. @Joshua-Douglas @erikguntner @paulespinosa completed the design and implementation for basic access control and user roles. This sounds like a good issue for someone ready to work with AWS and/or Terraform as we look toward setting up HUU in the incubator.

@Joshua-Douglas
Member

@tylerthome, the user roles PR has been merged. Now each of the endpoints has access to the user's role, and it is easy to implement role-based access control using naive approaches (e.g. add `if user.role != Guest and user.role != Admin: return "invalid user access", 403`).

I can add middleware to encapsulate user access role checks, but that'll take some research. I'm planning to focus on #462, but let me know if more work is required on this issue. Thanks!
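One way to encapsulate the per-endpoint role checks discussed above in a single decorator, as an added example that is not part of this issue or the project's code base. It encodes a subset of the role/resource matrix from the opening post, including the "for current user", "for matched hosts/guests only" and "for assigned Guests" qualifiers as ownership conditions; role strings, resource names, the `User` fields and `Forbidden` (standing in for a Flask 403) are assumptions so the code runs without Flask.

```python
from functools import wraps
from dataclasses import dataclass
GUEST, HOST, ADMIN = "guest", "host", "admin"  # role names from the issue (assumed strings)

@dataclass(frozen=True)
class User:
    id: str
    role: str
    matched_ids: frozenset = frozenset()   # hosts/guests this user is matched with
    assigned_ids: frozenset = frozenset()  # guests assigned to this case worker

class Forbidden(Exception):
    pass  # stands in for Flask's 403 response so the example runs without Flask

# Conditions on the target record's owner, taken from the issue's qualifiers.
ANY = lambda u, owner: True
SELF = lambda u, owner: owner == u.id                # "for current user"
MATCHED = lambda u, owner: owner in u.matched_ids    # "for matched hosts/guests only"
ASSIGNED = lambda u, owner: owner in u.assigned_ids  # "for assigned Guests"

# (role, resource) -> {action: condition}; subset of the matrix. Deny by default; write implies read.
POLICY = {
    (GUEST, "guest_questions"): {"read": ANY},
    (GUEST, "matches"): {"read": SELF},
    (GUEST, "host_details"): {"read": MATCHED},
    (GUEST, "guest_details"): {"write": SELF},
    (HOST, "guest_details"): {"read": MATCHED},
    (HOST, "host_details"): {"write": SELF},
    (ADMIN, "matches"): {"read": ASSIGNED, "write": ASSIGNED},
}

def allowed(user, resource, action, owner_id):
    rules = POLICY.get((user.role, resource), {})
    cond = rules.get(action) or (rules.get("write") if action == "read" else None)
    return cond is not None and cond(user, owner_id)

def require(resource, action):
    """Decorator replacing per-endpoint `if user.role != ...` checks."""
    def deco(view):
        @wraps(view)
        def wrapper(*args, user, owner_id, **kw):
            if not allowed(user, resource, action, owner_id):
                raise Forbidden(f"{user.role} may not {action} {resource} of {owner_id}")
            return view(*args, user=user, owner_id=owner_id, **kw)
        return wrapper
    return deco

@require("host_details", "read")
def get_host_details(user, owner_id):
    return {"host": owner_id}  # stand-in for the real handler body
```

In a Flask app the same decorator would sit between the authentication layer that resolves `user` from the Cognito token and the view, so a missing policy entry fails closed rather than relying on each handler to remember a check.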

Projects
Status: New Issue Approval
Development

No branches or pull requests