[api] add form signature route #59

Closed
signebedi opened this issue Mar 24, 2024 · 6 comments

Comments

@signebedi
Owner

The idea here is that signatures on form submissions can be passed and handled using the REST API. They should not require data changes as these are just updates in the metadata, but should be given a journal entry. This allows us to reconstruct e.g. that "User X signed form at TIMESTAMP".

Originally posted by @signebedi in #39 (comment)

@signebedi
Owner Author

The underlying principle is that the user can only sign their own form. The question is what part of the application decides: the API, or the document database manager? The other question is how to decide whether a form can be signed. Is this set in the form config? Can all forms be signed? Is it a necessary part of the approval process? Do we set an onSign event hook?

@signebedi
Owner Author

[form] add form event hooks
In past versions of libreForms, we had event hooks for onCreate, onRead, onUpdate, onApproval, onDisapproval, and onDuplication. Perhaps we add onDelete and onSign event hooks here too.

@signebedi
Owner Author

Add utils for managing signatures
In past versions we used Fernet, but I think that RSA will work better. The implication is that we will need to store user keypairs on the filesystem. This may or may not be a good thing...

@signebedi
Owner Author

Form signatures I think should be based only on the data section of a given document, not the metadata. The reason is that the data, once signed, is expected not to change; the metadata is expected TO change... e.g. as approvers sign a document to move it forward. In light of this, we don't want signature validation to fail just because a manager has approved a document.
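
The data-only signing described in the comment above, as an added example that is not part of the original thread and is not libreForms' own code. It uses an HMAC from the Python standard library as a stand-in for the RSA keypair proposed earlier in the thread; the document layout, the field names (`created_by`, `signed_by`, `signature`, `journal`) and the key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-user secret: a stand-in for the user's RSA private key.
USER_KEYS = {"alice": b"constructed-demo-key-for-alice"}


def canonical_data(document: dict) -> bytes:
    """Serialize ONLY the data section, deterministically (sorted keys, fixed separators)."""
    return json.dumps(
        document["data"], sort_keys=True, separators=(",", ":"), ensure_ascii=False
    ).encode("utf-8")


def _mac(username: str, document: dict) -> str:
    return hmac.new(USER_KEYS[username], canonical_data(document), hashlib.sha256).hexdigest()


def sign_document(document: dict, username: str, timestamp: str) -> dict:
    """Sign the data section; the signature and journal entry live in the metadata."""
    meta = document["metadata"]
    if meta.get("created_by") != username:
        raise PermissionError("a user can only sign their own form")
    meta["signature"] = _mac(username, document)
    meta["signed_by"] = username
    meta.setdefault("journal", []).append(f"{username} signed form at {timestamp}")
    return document


def validate_signature(document: dict) -> bool:
    """Recompute over the data section only, so metadata updates cannot break validation."""
    meta = document["metadata"]
    signer, stored = meta.get("signed_by"), meta.get("signature")
    if signer not in USER_KEYS or not isinstance(stored, str):
        return False
    return hmac.compare_digest(_mac(signer, document), stored)


if __name__ == "__main__":
    # Constructed sample document.
    doc = {"data": {"item": "laptop", "amount": 3}, "metadata": {"created_by": "alice"}}
    sign_document(doc, "alice", "2024-03-26T12:00:00Z")
    doc["metadata"]["approved_by"] = "manager"   # metadata change after signing
    print("after approval:", validate_signature(doc))
    doc["data"]["amount"] = 30                   # data change after signing
    print("after data edit:", validate_signature(doc))
```

Serializing with sorted keys matters here: without a canonical form, the same data re-read from the database with a different key order would fail validation.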

@signebedi
Owner Author

signebedi commented Mar 26, 2024

[api] Add a validate signature API route
The idea being that we should validate the signature on a document. No need to use the document database, this can all be done in the API. We should validate that the user has the permission to read the document, so we should call a read_document call to the document database, but again the heavy lifting is done in the API logic.

@signebedi
Owner Author

[api] add a remove signature route
This route will remove a signature, valid or otherwise, from a form if the user has the permissions to do so (sign_own).
