[Multi-Tenant] Filter OP resources by tenantId in Admin API calls #2929

@njlie

Description

The Rafiki Admin API should use the Kratos session token to retrieve and add a tenantId to the context. Resolvers should use this context to:

  • Only retrieve Open Payments resources that belong to that tenant (unless that tenant is also the instance operator).
  • Prevent requests where a valid id is provided for an Open Payments resource, but that resource does not belong to that tenant. Return a Not Found response in this case.
  • When creating a new resource that requires a tenantId as a database field, it should either:
    • Verify that the provided tenantId in the input matches the one added to the context, or is from an operator.
    • Provide that tenantId from the context.
      • Maybe we could even remove tenantId as an input from all graphql inputs, and just include it in service requests by pulling it from the context at all times.

This logic should be applied to resolvers for:

  • Quotes
  • Incoming/Outgoing Payments
  • Wallet Addresses
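
A sketch of the scoping rules listed above, added here as an illustration and not taken from Rafiki's code base. All type and function names are hypothetical, an in-memory array stands in for the database, and reading "is from an operator" as "the request comes from an operator session" is an assumption.

```typescript
// Hypothetical context built from the session; not Rafiki's actual types.
interface TenantContext { tenantId: string; isOperator: boolean }
interface WalletAddress { id: string; tenantId: string; url: string }

// Constructed sample rows standing in for the database.
const walletAddresses: WalletAddress[] = [
  { id: 'wa-1', tenantId: 'tenant-a', url: 'https://example.test/alice' },
  { id: 'wa-2', tenantId: 'tenant-b', url: 'https://example.test/bob' }
]

// The operator may act on any tenant; everyone else only on their own.
function canAccess(ctx: TenantContext, resourceTenantId: string): boolean {
  return ctx.isOperator || ctx.tenantId === resourceTenantId
}

// List queries are filtered by the tenant in the context.
function listWalletAddresses(ctx: TenantContext): WalletAddress[] {
  return walletAddresses.filter((wa) => canAccess(ctx, wa.tenantId))
}

// A valid id owned by another tenant yields the same result as a missing id
// (undefined, which the resolver would map to Not Found).
function getWalletAddress(ctx: TenantContext, id: string): WalletAddress | undefined {
  const wa: WalletAddress | undefined = walletAddresses.filter((w) => w.id === id)[0]
  return wa && canAccess(ctx, wa.tenantId) ? wa : undefined
}

// On create, default tenantId to the context and reject a mismatching input.
function createWalletAddress(
  ctx: TenantContext,
  input: { id: string; url: string; tenantId?: string }
): WalletAddress {
  const tenantId = input.tenantId ?? ctx.tenantId
  if (!canAccess(ctx, tenantId)) {
    // Error type and message are assumptions; the issue does not specify them.
    throw new Error('tenantId does not match the session tenant')
  }
  const wa: WalletAddress = { id: input.id, tenantId, url: input.url }
  walletAddresses.push(wa)
  return wa
}
```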

Labels

pkg: backend (Changes in the backend package.)

Status

Done
