Updated by Bruno Pagno 8 months ago
Context as of 16.Oct.25
The solution uses an OAuth application and token from OpenProject to connect to hocuspocus and to request data from the API:
* Create an OAuth application in OP
* Whenever the frontend needs a token
  * Generate one with the OAuth application above
  * Send the newly generated token to hocuspocus to establish the connection
* Whenever hocuspocus makes a request to OpenProject
  * OP validates the OAuth token
**Tasks:**
* Set up an OAuth application for hocuspocus
* Send the OAuth token when connecting to hocuspocus
* Send the additional data (host, document id) to the hocuspocus server
* Hocuspocus uses the new token for API requests (Authorization header)
* Seed data to create the OAuth application
The data that needs to be passed around:
* host (must be validated on hocuspocus, which should only contact OpenProject instances it is configured for)
* token (validated by OpenProject when hocuspocus requests data)
* document_id (validated by OpenProject when hocuspocus requests data; hocuspocus must still check its shape before putting it into a URL)
Look out for:
* Is there any way a user can fetch arbitrary data that is currently held in memory on hocuspocus (for example by naming another tenant's document)?
* Hocuspocus must not trust the data sent in the auth request; every field has to be validated before it is used
* Since we have multi-tenant instances, one hocuspocus server will need to handle multiple OP instances, which means the auth process likely needs a return URL (the OP instance to call back)
* Return URL validation, so hocuspocus cannot be made to send requests (and the bearer token) to hosts we do not want
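The validation the list above asks for, as an added example that is not OpenProject's or hocuspocus's own code. It assumes the client sends the three values (host, token, document_id) as a JSON object in the hocuspocus auth payload, that the server has a configured allowlist of OpenProject hosts, and that the document a connection may join is named `host/document_id`; the OpenProject API path used for the authorization check (`/api/v3/work_packages/<id>`) is an existing API v3 collection but stands in for whatever resource the project maps document_id to. Host names and tokens are constructed sample values.

```javascript
// Added example (not the project's code): checks hocuspocus should run on the auth
// payload before trusting it, and how the validated token is then forwarded to
// OpenProject. Hosts, payload shape and the API path are assumptions.

// Assumed allowlist of OpenProject hosts this hocuspocus server may talk to
// (multi-tenant: one hocuspocus, several OP instances). Loaded from config in practice.
const ALLOWED_OP_HOSTS = new Set(["op.example.com", "tenant-a.example.com"]);

// Assumed client payload: a JSON object carrying host, token and document_id.
function parseAuthPayload(raw) {
  let data;
  try {
    data = JSON.parse(raw);
  } catch {
    throw new Error("auth payload is not JSON");
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) {
    throw new Error("auth payload is not an object");
  }
  return data;
}

// host: a bare hostname on the allowlist. Scheme and path are fixed by us, so the
// client can never point hocuspocus (and the bearer token) at an arbitrary URL.
function validateHost(host, allowed = ALLOWED_OP_HOSTS) {
  if (typeof host !== "string") return null;
  const h = host.toLowerCase();
  if (!/^[a-z0-9][a-z0-9.-]{0,252}$/.test(h)) return null; // no scheme, port, path, userinfo
  return allowed.has(h) ? h : null;
}

// token: an opaque OAuth access token. Only its shape is checked here; OpenProject
// decides whether it is valid. Rejecting junk early keeps it out of headers and logs.
function validateToken(token) {
  return typeof token === "string" && /^[A-Za-z0-9._~+\/=-]{16,1024}$/.test(token) ? token : null;
}

// document_id: digits only, so it cannot inject path segments or query strings into
// the OpenProject API URL. OP still checks that the token may read that document.
function validateDocumentId(id) {
  const s = typeof id === "number" ? String(id) : id;
  return typeof s === "string" && /^[1-9][0-9]{0,17}$/.test(s) ? s : null;
}

// The in-memory document this connection may join. Binding the name to the validated
// host and id keeps tenants apart: a client cannot name another tenant's document.
function expectedDocumentName(host, documentId) {
  return `${host}/${documentId}`;
}

// The request hocuspocus makes to OpenProject with the client's token as a bearer
// header. The resource path is an assumption (see lead-in).
function buildOpenProjectRequest(host, token, documentId) {
  return {
    url: `https://${host}/api/v3/work_packages/${documentId}`,
    headers: { Authorization: `Bearer ${token}`, Accept: "application/hal+json" },
  };
}

// Synchronous part: validate everything the client sent. Returns the validated
// values or throws; nothing raw from the client is used afterwards.
function validateAuthPayload(rawPayload, requestedDocumentName, allowed = ALLOWED_OP_HOSTS) {
  const data = parseAuthPayload(rawPayload);
  const host = validateHost(data.host, allowed);
  const token = validateToken(data.token);
  const documentId = validateDocumentId(data.document_id);
  if (!host) throw new Error("host not allowed");
  if (!token) throw new Error("malformed token");
  if (!documentId) throw new Error("malformed document_id");
  if (requestedDocumentName !== expectedDocumentName(host, documentId)) {
    throw new Error("document name does not match authenticated host/document_id");
  }
  return { host, token, documentId };
}

// Asynchronous part, shaped like the body of a hocuspocus onAuthenticate hook:
// reject unless OpenProject accepts the token for this document. fetchImpl is
// injectable so the check can be exercised offline.
async function authenticateConnection(rawPayload, requestedDocumentName,
                                      fetchImpl = globalThis.fetch, allowed = ALLOWED_OP_HOSTS) {
  const v = validateAuthPayload(rawPayload, requestedDocumentName, allowed);
  const req = buildOpenProjectRequest(v.host, v.token, v.documentId);
  const res = await fetchImpl(req.url, { method: "GET", headers: req.headers });
  if (res.status !== 200) throw new Error(`OpenProject rejected the token (${res.status})`);
  // Only validated values go into the connection context.
  return { host: v.host, documentId: v.documentId, token: v.token };
}
```

The important design choice is that hocuspocus never builds a URL from client input: the scheme and path are fixed, the host must come from the allowlist, and the id is digits only. That single rule covers both "return URL validation" and "do not send the token somewhere we did not intend".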
---
Define and implement an authentication/authorization method between the hocuspocus server and a configurable OpenProject instance.
OpenProject documentation on authentication for the API: [https://www.openproject.org/docs/api/example/#authentication](https://www.openproject.org/docs/api/example/#authentication)
Make sure that the outcome of this implementation also includes clear documentation in the repository on how to connect to an OpenProject instance (environment variables, parameters, URLs).