...
This documentation walks you through the creation of fully qualified links,
which let you grant access to the contract.fit web application by sending a "shared fully qualified link" containing a specific token.
The goal of the following example is to generate a "shared fully qualified link" to a specific document review page
in an "invoice" inbox.
This doc is also available as an interactive Jupyter notebook:
...
The fully qualified link embeds authentication and authorization in a randomly generated API-Key
that you can then share with end users who do not have an account on the contract.fit web application.
They are granted temporary access to a given resource, scoped by the roles you have defined.
...
To make this flow possible, every time you need to create a fully qualified link you must call
the contract.fit API with the roles (permissions) you want. In return,
you get back an API-Key matching that scope, which you can then embed in a link.
An API-Key is revocable at any time using the Admin API, can be created with a baked-in
expiration date, and must be bound to a dedicated User in our database.
For security reasons and consistency you cannot alter the roles of an API-Key after its creation:
create a new one and delete the previous one instead.
...
To access the review page in the contract.fit web application you need to grant 2 different roles to the API-Key
so that the user has access to all required functions:
...
1. On your dashboard, add a "Go to document review" button on the doc page.
2. On click, a call is made to your back-end.
3. Your back-end calls the contract.fit API and obtains a new API-Key scoped to the specific document.
4. Your back-end generates the fully qualified link to the doc.
5. Your back-end redirects the user to the contract.fit web application using the link.
6. Your end user obtains a session derived from the API-Key roles and is logged in.
7. After review, your end user returns to your dashboard and marks the doc as done.
8. Your back-end revokes the API-Key to avoid abuse.
9. The API-Key cannot be used anymore.
...
```python
import requests
from secrets import token_urlsafe
from getpass import getpass

tenant = "https://alfredo.contract-q.fit"
admin = "timothe@contract.fit"
password = getpass(f"User {admin} password: ")

# Authenticate once with the admin account and reuse the session
# for every subsequent Admin API call.
sess = requests.Session()
res = sess.post(f"{tenant}/admin/auth", json={
    "username": admin,
    "password": password
}, timeout=10)
res.raise_for_status()
jwt = res.json()["authentication_token"]
# update() keeps the session's default headers instead of replacing them
sess.headers.update({"Authorization": f"Bearer {jwt}"})
```
Get inbox
You need the inbox ID, which is used in the roles declaration.
```python
res = sess.get(f"{tenant}/admin/inboxes", timeout=10)
res.raise_for_status()
inboxes = res.json()
# Fail with a clear message if the inbox is missing instead of a bare StopIteration
invoice_inbox = next((x for x in inboxes if x["name"] == "invoice"), None)
if invoice_inbox is None:
    raise RuntimeError('no inbox named "invoice" on this tenant')
```
Create roles
One time only: use or create roles with as few permissions as possible.
...
Now you can share a fully qualified link with your end users: they will be granted temporary access to
the review page for the given document.
To pass the API-Key to the contract.fit web application, put it in the
querystring parameter named nonce:
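The back-end side of the flow described earlier (scoped key per review, link carrying the key in the nonce parameter, revocation when the document is marked done), as an added example that is not contract.fit's own code. The page only documents the /admin/auth and /admin/inboxes endpoints and the nonce parameter; the API-Key create and revoke calls, their payloads, the role names and the /review/... path are assumptions, served here by a constructed in-memory fake so the example runs offline. Swap FakeContractFitClient for calls on the authenticated requests.Session from the page once you have the real endpoints.

```python
"""Back-end for issuing and revoking fully qualified links (added example).

Not contract.fit's code. The key create/revoke calls, role names and the
review path are assumptions; FakeContractFitClient is a constructed stand-in
for the Admin API so everything runs offline.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit


@dataclass
class ApiKey:
    key_id: str            # identifier used for revocation (never the secret)
    secret: str            # the credential that goes into the link
    bound_user: str        # API-Keys must be bound to a dedicated user
    roles: tuple[str, ...]
    expires_at: datetime   # baked-in expiry as a backstop if revocation is missed
    revoked: bool = False


class FakeContractFitClient:
    """Constructed stand-in for the Admin API key endpoints (assumption)."""

    def __init__(self) -> None:
        self._keys: dict[str, ApiKey] = {}

    def create_api_key(self, *, bound_user: str, roles: list[str], ttl: timedelta) -> ApiKey:
        key = ApiKey(
            key_id=secrets.token_hex(8),
            secret=secrets.token_urlsafe(32),
            bound_user=bound_user,
            roles=tuple(roles),
            expires_at=datetime.now(timezone.utc) + ttl,
        )
        self._keys[key.key_id] = key
        return key

    def revoke_api_key(self, key_id: str) -> None:
        self._keys[key_id].revoked = True

    def key_for_secret(self, secret: str) -> ApiKey | None:
        return next((k for k in self._keys.values() if k.secret == secret), None)


def review_roles(inbox_id: str, document_id: str) -> list[str]:
    """The two roles the review page needs, scoped to one inbox and one
    document. Role names are hypothetical; use the ones you created."""
    return [f"inbox:{inbox_id}:read", f"document:{document_id}:review"]


def build_share_link(tenant: str, review_path: str, api_key_secret: str) -> str:
    """Put the API-Key in the `nonce` querystring parameter, as the page
    specifies; urlencode keeps the secret URL-safe whatever it contains."""
    parts = urlsplit(tenant)
    return urlunsplit((parts.scheme, parts.netloc, review_path,
                       urlencode({"nonce": api_key_secret}), ""))


def nonce_from_link(link: str) -> str:
    return parse_qs(urlsplit(link).query)["nonce"][0]


class ShareLinkIssuer:
    """One short-lived, least-privilege key per review; revoked when done.
    Only the key id is kept server-side, so the secret lives in the link alone."""

    def __init__(self, client, tenant: str, bound_user: str,
                 ttl: timedelta = timedelta(minutes=30)) -> None:
        self._client, self._tenant, self._user, self._ttl = client, tenant, bound_user, ttl
        self._open: dict[str, str] = {}   # document_id -> key_id

    def issue(self, inbox_id: str, document_id: str) -> str:
        if document_id in self._open:      # never alter a key: revoke, then create anew
            self.complete(document_id)
        key = self._client.create_api_key(
            bound_user=self._user,
            roles=review_roles(inbox_id, document_id),
            ttl=self._ttl,
        )
        self._open[document_id] = key.key_id
        # the review path is an assumption about the web application's routing
        return build_share_link(self._tenant, f"/review/{inbox_id}/{document_id}", key.secret)

    def complete(self, document_id: str) -> bool:
        """Revoke the key once the document is marked done. Returns False
        when there is nothing to revoke (already revoked or never issued)."""
        key_id = self._open.pop(document_id, None)
        if key_id is None:
            return False
        self._client.revoke_api_key(key_id)
        return True


if __name__ == "__main__":
    issuer = ShareLinkIssuer(FakeContractFitClient(), "https://alfredo.contract-q.fit",
                             "shared-links@example.com")   # dedicated bound user (assumed)
    link = issuer.issue("inbox-1", "doc-42")
    print("redirect reviewer to:", link)
    print("revoked after review:", issuer.complete("doc-42"))
```

Because the link itself is the credential, treat it like a bearer token: send it only over HTTPS via a redirect, keep it out of application logs and analytics, and rely on the baked-in expiry as a backstop for reviewers who never return to mark the document done.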
...