GeoNetAgent, LDAPWeb, server-audit, server-connection
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

2.4 KiB

Architecture — Authentication Flow

Terakhir Diperbarui: 2026-06-29


Auth Methods

Method Digunakan Untuk Class
JWT (LDAP login) User via browser/app LdapJwtService
API Token Developer / personal access ApiToken model
Service Token Antar-service ServiceToken model

Alur Login LDAP → JWT

sequenceDiagram
    participant CLIENT as Browser / App
    participant GC as geonet-console
    participant LDAP as Active Directory (10.100.1.40)
    participant JWT as LdapJwtService

    CLIENT->>GC: POST /api/v1/auth/login {username, password}
    GC->>LDAP: LDAP bind dengan credentials user
    LDAP-->>GC: bind success / fail
    alt bind gagal
        GC-->>CLIENT: 401 Unauthorized
    end
    GC->>GC: LdapAuthService::attempt() — validasi grup admin (jika diperlukan)
    GC->>JWT: generate JWT payload {username, groups, iat, exp}
    JWT-->>GC: signed JWT token
    GC-->>CLIENT: 200 {token, expires_at}

Alur Request dengan Bearer Token

sequenceDiagram
    participant CLIENT as Client
    participant GC as geonet-console
    participant DB as PostgreSQL

    CLIENT->>GC: GET /api/v1/* \nAuthorization: Bearer <token>
    GC->>GC: ApiAuthService::resolve(token)
    alt JWT token
        GC->>GC: decode + validasi JWT
        GC->>GC: buat ApiActor{type: user, identifier, groups}
    else API Token
        GC->>DB: lookup api_tokens WHERE token_hash = ?
        GC->>GC: buat ApiActor{type: api_token, scopes}
    else Service Token
        GC->>DB: lookup service_tokens WHERE token = ? AND active
        GC->>GC: buat ApiActor{type: service_token, abilities}
    end
    GC->>GC: Controller pakai ApiActor
    GC-->>CLIENT: Response

LDAP Config

Parameter Nilai
Host 10.100.1.40
Port 389
Bind DN Administrator@gisportal.id
Base DN DC=gisportal,DC=id
Admin Groups Domain Admins, Administrators, Enterprise Admins

Service Token Flow (Antar-Service)

GeoNetAgent Collector
  → POST /api/v1/agent/report
  → Authorization: Bearer <service-token>
  → geonet-console: lookup service_tokens
  → ApiActor{type: service_token, service: "geonetagent"}
  → proses request

Service token di-sync ke geonetagent_dev.agent_tokens via AgentTokenSyncService.