0

I have a question regarding the design of the sign-up procedure using FeatherJS for the back-end of my application.

The problem I'm facing is the following:

I want a user to be able to sign-up his organisation/company using his/her email and a password. This user can be considered as the administrator of the organisation.

When that admin user has been created I want that same user to be able to create additional users that are linked to his/her organisation. To ensure that only the admin user can create additional users I've set up feathers-permission to check for 'admin' rights in the "before" hook of the "Users" service

module.exports = {
  before: {
    all: [ ],
    find: [ authenticate('jwt') ],
    get: [ authenticate('jwt') ],
    create: [ authenticate('jwt'), checkPermissions({
      roles: [ 'admin' ]
    }), hashPassword ],
    update: [ authenticate('jwt'), checkPermissions({
      roles: [ 'admin' ]
    }), hashPassword ],
    patch: [ authenticate('jwt'), checkPermissions({
      roles: [ 'admin' ]
    }), hashPassword ],
    remove: [ authenticate('jwt'), checkPermissions({
      roles: [ 'admin' ]
    }) ]
  },

The issue that I am encountering now is that I cannot sign-up the initial user because the before hook is requesting an authenticated user that has admin rights which I don't have because that user hasn't been created yet.

I could remove the authentication and permissions check but then I leave my User service "unprotected" and anyone would be able to create a user using the right POST call to the server.

The question I have is: How should I setup my service and/or hooks so that I can sign-up a new user in my application and that only that authenticated admin user can create new users in the application?

Many thanks in advance!

sgandolfo
  • 15
  • 4

2 Answers2

0

There's a few different ways you could go about this.

One would be to make your checkPermissions hook conditional on whether or not there already exists a user, using iff from https://github.com/feathersjs-ecosystem/feathers-hooks-common

Another would be a different endpoint for setting up the initial user - it would have different hooks (e.g. confirm there are no users in the system instead of the permissions check).

Joe
  • 41,484
  • 20
  • 104
  • 125
0

As @Joe said, there's a few ways you can implement this.

In my current project I am building a multi-tenant application. I differentiate between registration for organizations and users.

The first step is to register an organization and it's default user. The org's default user is set as 'super_user' and must verify email/phone(sms) before becoming active.

Once the default user is verified, I automatically create a record in the user table, set the user as 'admin' with a generic admin@[org name].com email address. The client-side verification UI redirects to an interface the requests a second password. Now, the org's default user can log in as super_admin to change org settings and can sign-in as an admin that provides access to all of the sites features including inviting users.

User invitations are set via email. The link within the email contains a special token that says that the user has been invited and can register under the specified organization. New users that register are setup as guests until the admin upgrades them to a higher role. I use hooks on user.create to verify all of this and return errors if things don't match up.

I also use feathers-authentication-management to wire up sending emails and managing tokens.

So, instead of forcing new user's to be admin's before creating them, I use tokens to ensure that have been invited. These tokens are associated to a specific org. Similar to your code example, I have a checkInvitation() function as a guard to my route rather than using a role.

Dharman
  • 30,962
  • 25
  • 85
  • 135
Alain Thiffault
  • 608
  • 3
  • 13