I'm creating a connected Rails app to our Salesforce instance.
Our system has a whole bunch of users and a handful of sysadmins. Salesforce appears to handle much of the CRUD permissions via user profiles at their end, but I also want to make sure only my approved system admins can 'log in' to the app, clear OAuth and make API calls.
I have a feeling that without securing this our other users would be able to log in but would get raised errors if they ended up requesting objects that they're not set up to view via Salesforce permissions. But that's messy... and I don't want them getting that far anyway.
Is there any best practice/advice for when to intervene to secure an app using OAuth and making API calls?
I am using the excellent Restforce gem and using OmniAuth to store returned user details.
My current thinking is to create a simple array:
    # Placeholder uids; in practice these are the Salesforce uids of the approved admins.
    # A frozen constant, not an instance variable: @whitelisted_admins set outside the
    # model is nil inside a callback.
    WHITELISTED_ADMINS = %w[<admin-1-uid> <admin-2-uid> <admin-3-uid>].freeze

then in my /models/user.rb use before_save to check that the user.name is included in the array:

    class User < ActiveRecord::Base
      # The callback is declared in the class body, not inside from_omniauth, and it
      # halts the save with throw(:abort) (Rails 5+; on Rails 4 return false instead).
      before_save :ensure_whitelisted_admin

      def self.from_omniauth(auth)
        where(auth.slice(:provider, :uid).permit!).first_or_initialize.tap do |user|
          user.provider      = auth.provider
          user.uid           = auth.uid
          user.name          = auth.info.name
          user.oauth_token   = auth.credentials.token
          user.refresh_token = auth.credentials.refresh_token
          user.instance_url  = auth.credentials.instance_url
          user.save!  # raises ActiveRecord::RecordNotSaved when the callback aborts
        end
      end

      private

      def ensure_whitelisted_admin
        throw(:abort) unless uid.in?(WHITELISTED_ADMINS)
      end
    end
I could then run something before every Restforce API call...
So to my questions:
- Are there security implications to having this as a hash instead of stored in Active Record, does that matter much?
- Is it better to check this at the point of OAuth, API call... or both? (I'm freaking out and going for both as default...)
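An added example (not from the question, Restforce or OmniAuth) of enforcing the admin allowlist at both points the question asks about: once at the OAuth callback before any token is persisted, and again in a gateway that every API call passes through, so a uid removed from the list after logging in is cut off too. It is plain Ruby so it runs without Rails; the uids are constructed placeholders, the auth hash uses string keys, and `client` stands in for whatever Restforce client the app builds.

```ruby
require "set"

# Approved admins keyed by provider AND uid, so a matching uid issued by some
# other provider never passes. Constructed placeholder values; in a real app
# load them from configuration rather than hard-coding them.
ADMIN_ALLOWLIST = Set[
  ["salesforce", "005000000000001AAA"],
  ["salesforce", "005000000000002AAA"]
].freeze

class NotAuthorized < StandardError; end

# Check 1: at the OAuth callback. `auth` is the OmniAuth-style auth hash
# (string keys here). Nothing about the user has been saved yet, so a false
# answer means no User row and no tokens are ever written.
def admin_allowed?(auth)
  ADMIN_ALLOWLIST.include?([auth["provider"].to_s, auth["uid"].to_s])
end

# Raise instead of returning a boolean when the caller wants a hard stop before
# User.from_omniauth stores the OAuth and refresh tokens.
def authorize_login!(auth)
  raise NotAuthorized, "uid #{auth['uid']} is not an approved admin" unless admin_allowed?(auth)
  auth
end

# Check 2: every Salesforce call goes through this gateway, which re-checks the
# allowlist so an admin removed from it after logging in cannot keep using a
# token that is already stored.
class SalesforceGateway
  def initialize(user, client)
    @user = user      # hash with :provider and :uid, e.g. from the current User row
    @client = client  # Restforce client in the app; any object answering the call here
  end

  def call(method, *args)
    unless ADMIN_ALLOWLIST.include?([@user[:provider].to_s, @user[:uid].to_s])
      raise NotAuthorized, "uid #{@user[:uid]} is no longer an approved admin"
    end
    @client.public_send(method, *args)
  end
end
```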