User Service
User Service is the core service for creating, fetching, updating and deleting users, and for validating users' passwords.
It exposes the endpoints that other services need in order to get user information. For example, the auth service uses `user-service.get-user` to fetch the logged-in user.
At a bare minimum, User Service expects the user object to have the following attributes:

| name | description |
|---|---|
| id | Id of the user |
| email | Email of the user, which can also be used as the username |
| firstName | The first name of the user |
| lastName | The last name of the user |

Additional attributes can be added either by extending the user object itself or by storing the data in a separate profile collection.
Scopes and permissions
User Service is responsible for mapping roles to their scopes.
This is done by setting the env variable ROLE_SCOPES using the syntax `role:scope,scope;role:scope`, for example:

```
admin:permission1,permission2;user:permission1.get
```
It is also possible to launch a web interface where roles and scopes can be managed without needing to reconfigure the service.
Note: We recommend against enabling this in production in order to minimize the attack surface, since that interface can change the permissions of every role.
It is enabled by setting the config env variable USE_DB_ROLES_AND_SCOPES=true.
What are scopes used for?
Scopes are a central part of the built-in access control in Fruster.
When the API Gateway receives an authenticated request it asks the Auth Service to decode and validate the JWT and return the authenticated user.
The Auth Service in turn invokes the User Service to get the user, including its scopes. The scopes are attached to the inbound request so that each subsequent service can check that the logged-in user has the permissions it requires.
- API Gateway receives an HTTP request carrying a JWT
- Auth Service decodes and validates the JWT
- User Service returns the user with the scopes derived from the role(s) in the JWT
Verifying an email
User Service has built-in functionality for verifying the email addresses of new users, if configured to do so.
Enable it by setting the env variable REQUIRE_EMAIL_VERIFICATION=true.
User Service will use the mail service (or any other service that honors the same contract) to deliver the verification email.