Application security
There are two types of applications: public and protected. You can switch application security in Application => Config => General. There you will find the "Application endpoint" select box with the options "login.html" (protected) and "index.html" (public). By default, all newly created applications are public. Important! If you change an application's security setting, you must also rebuild and redeploy it.
Public applications:
When you run a public application, you see the index.html page first. You don't need to log in in this case. All API Services are public for execution.
Protected applications:
When you run a protected application, you see the login.html page first. You can see index.html without authorization. You can authorize on the login.html page and, if the credentials are correct, the system redirects you to the index.html page. All API Services are also protected in this case, but after authorization you can execute them.
JWT token functionality is used to protect applications - https://jwt.io
There are two functions for now in the /lib/jwtAuth/index.js file - login() and appGate().
The login() function gets the login/password from the UI and, if the credentials are correct, returns a token that is saved in a browser cookie named "dfx_app_token"; if not, it returns HTTP 401 with the message "Wrong password".
The appGate() function is used as middleware for some requests in the dfx_proxy.js file to protect API Service execution. If the token is valid, the function returns the tenantId and allows the API Service to execute; if not, it returns HTTP 401 with the message "Unauthorized".
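An added example (not the code in /lib/jwtAuth/index.js) of a gate in the role of appGate(): it reads the "dfx_app_token" cookie, verifies the token and returns either the tenantId or HTTP 401 "Unauthorized". HS256 signing, the tenantId/exp claim names and the function names issueToken, verifyToken and exampleAppGate are assumptions.

```javascript
// Added illustration; not the contents of /lib/jwtAuth/index.js.
// Assumed: HS256, the claim names tenantId/exp, and all function names below.
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data, secret) => crypto.createHmac('sha256', secret).update(data).digest();

// What a login step could hand back after the password check succeeds.
function issueToken(tenantId, secret, ttlSeconds, now = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const exp = Math.floor(now / 1000) + ttlSeconds;
  const payload = b64url(JSON.stringify({ tenantId, exp }));
  return `${header}.${payload}.${b64url(hmac(`${header}.${payload}`, secret))}`;
}

// Returns the claims if the token is authentic and unexpired, otherwise null.
function verifyToken(token, secret, now = Date.now()) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;
  const expected = hmac(`${header}.${payload}`, secret);
  const given = Buffer.from(sig, 'base64url');
  // Constant-time compare; timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    // Pin the algorithm: the token header must not get to choose "none" or another alg.
    if (JSON.parse(Buffer.from(header, 'base64url')).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(payload, 'base64url'));
    if (typeof claims.exp !== 'number' || claims.exp * 1000 <= now) return null;
    return typeof claims.tenantId === 'string' ? claims : null;
  } catch (e) {
    return null; // malformed JSON in header or payload
  }
}

// Stand-in for the gate: takes the raw Cookie header, looks up dfx_app_token
// and returns either the tenantId or the 401 "Unauthorized" response.
function exampleAppGate(cookieHeader, secret, now = Date.now()) {
  const match = /(?:^|;\s*)dfx_app_token=([^;]+)/.exec(cookieHeader || '');
  const claims = match && verifyToken(match[1], secret, now);
  return claims ? { status: 200, tenantId: claims.tenantId }
                : { status: 401, message: 'Unauthorized' };
}
```

The gate fails closed: a missing cookie, a bad signature, an unexpected algorithm or an expired token all produce the same 401.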