I am faced with a hurdle when it comes to security when managing server access rights.
At the moment I'm running a community that can create subserver. In this way, Community A can allow certain users to moderate, change settings, invite users, read logs, etc. for their own subserver, but not others.
My current system has a global user, this user has permissions structured as follows:
"id" :"their unique id",
"username" : "username",
"globalRole" : "user",
"resource" : "guilds_id_here",
"permissions" : [
"resource" : "guild.logs",
"read" : true,
"write" : false
A single user has access based on resources, and when he tries to change, read, or do something through my API or socket, I check that he has access to the resource he is changing.
This is pretty easy for me to manage permissions through the API when I intercept the request, grab the resource, and see if they can do the action they want to take, such as: For example, read a log or invite a user, and then either reject the API call before it reaches the controller.
The main problem I have now is maintaining multiple accessibility. I now have the REST API and a WebSocket that can access the same types of data, depending on where they access the guild.
Now the authorization system has become much more complicated and it is no longer so easy to intercept and block a request from the REST API. Now I have two authentication systems that I think are wrong and violate the DRY principle.
I'd like to know if there are industry standards for multiple data access. Should I create a resource manager that always needs credentials and the target resource, and then have a system user for internal access, or is there a simpler standard for tight control over who can do what, based on the permissions they set for one have a specific resource.
The ultimate goal is to grant permission to an object and properly filter out data that is authorized for the user requesting data.