Api and JWT calls
Based on preliminary discussions, I'm using Ruby snippets as examples.
All users log in to our user service, which returns a JWT. Each external service is given a secret key with which to decode the JWT and verify that it is valid. If the token is missing, cannot be decoded, or is no longer valid, the service should respond with a 403 Forbidden HTTP error. Tokens for reOS staff include a validSupportStaff boolean, as seen below.
The following API call logs a user in.
request
curl --request POST \
  --url https://api.reos.co.za/api/user/login \
  --header 'content-type: application/json' \
  --data '{
    "email": "jeff@ekaya.com",
    "password": "mypassword!!!"
  }'
response
{
  "authToken": "VERY LONG TOKEN HERE",
  "refreshToken": "REFRESH TOKEN HERE",
  "miscellaneous": {
    "registered": true,
    "onboardingProgress": {
      "profileVerification": 100,
      "agencyDetails": 100,
      "agencyBranding": 100,
      "propertyProgress": 100
    }
  }
}
All API calls carry a JWT. Upon deployment
require 'jwt'
require 'yaml' # needed for to_yaml below

secret = 'sits on kubernetes'                     # shared HS512 secret, supplied to the service at deployment
token = "token provided by api call, see above."  # the authToken from the login response

# Verify the HS512 signature (third argument true) and decode the claims.
# JWT.decode raises JWT::DecodeError (e.g. JWT::ExpiredSignature) for a bad or expired token.
x = JWT.decode token, secret, true, { algorithm: 'HS512' }
puts x.first.to_yaml # first element is the payload, second is the header
---
iss: user
exp: 1585134786
iat: 1585123986
type: UserSession
value:
  userId: 220528a6-24e4-42b5-a207-236140ec9d48
  agencyMembership:
    role: Owner
    agencyId: 0ed4c91b-d822-4685-9957-3ffa3599f318
    agencyName: Jeff Rentals
  firstName: Jeffrey
  email: jeff@ekaya.com
  service: user
  totpSecret: 0IDmM2T/vqK1i/czgEpEBXLFMDnhGW9o1jOrqo818p8=
  totpValidateAt: 1584446533961
  validSupportStaff: true
For services used by admin staff, the validSupportStaff boolean field is essential. In every service, all API calls must be validated against the JWT: if the token cannot be decoded or is no longer valid, the user must not be able to make any API calls to your service.