Implementing Access Control
HAPI Backend does not have access control because the requirements of ATSs vary. ATSs that integrate with HAPI Backend directly can write code in their own backend, integrate their own access control solution, and control which HAPI Backend endpoints are accessible to whom.
With HAPI Elements, however, this is not currently possible, because HAPI Elements communicates with HAPI Backend, which has no access control system. HAPI Elements does, on the other hand, support the use of a backend proxy.
We have added an example of how to implement the backend proxy as well as access control. Please refer to Integration Examples for more information.
HAPI Elements Integration without Backend Proxy
This diagram shows how HAPI Elements normally works without a backend proxy.
HAPI Elements Integration with Backend Proxy Without Access Control
This diagram shows how HAPI Elements works with a backend proxy but without access control.
HAPI Elements Integration with Backend Proxy with Access Control
This diagram shows how HAPI Elements works with a backend proxy and access control.
Implementing Access Control
Please first read what the clientId refers to; this will help you understand how to implement multi-tenancy and role-based access control.
Before injecting the HAPI Elements frontend, your frontend will need to generate a HAPI JWT token using the credentials given to you by your VONQ Partner Account Manager, as explained on the Setting Up page of our documentation.
The JWT token HAPI Backend gives you belongs to the entity whose clientId you pass; in other words, in a multi-tenant, multi-user application, it belongs to the tenant. The diagram of the authentication flow can be found in the Backend Proxy without Access Control section.
For access control management, your backend proxy needs to do the following:
- Generate a HAPI Backend JWT token
- Save it on the entity whose clientId you pass (in other words, the tenant), e.g. as hapiAccessToken
- Generate a custom token for your user
- Return this custom token to your frontend
Your frontend should then do the following:
- Set this custom token as the clientToken parameter of the HAPI Elements Injector, as explained in Setting Up
- Set the apiHost of the HAPI Elements Injector to your backend URL, as explained in Using your own backend proxy
HAPI Elements will then do the following:
- Attach the custom token you provided via clientToken to all requests made to your backend proxy
Your backend proxy will then:
- Get your custom token from the x-authorization header and check which user it belongs to
- Check whether the user has permission to perform the action
  - If the user has permission:
    - Swap the x-authorization header value for the hapiAccessToken of the tenant this user belongs to
    - Make the request to HAPI Backend
    - Respond to HAPI Elements with the response HAPI Backend sent back
  - If the user does not have permission:
    - Return a 401 HTTP status response with {"message": "Your custom message"}
    - HAPI Elements will then show a warning alert to the end user with the message you respond with
  - If the user is not found, or in any other case:
    - You can return 401 with another message
Please refer to the Using your own Backend proxy section of the API documentation for more information.