Introduction
This documentation will walk you through the creation of fully qualified links,
allowing you to grant access to Contract Fit's dashboard by sending a "shared link" containing a specific token.
The goal of the following example will be to generate a "share link" to a specific document review page,
in an "invoice" inbox.
This doc is also available as an interactive Jupyter notebook:
Technical description
The fully-qualified link embeds authentication and authorization in a randomly generated API-Key
that you can then share to end users who don't have an account on the Contract Fit's dashboard.
They will be granted temporary access to a given resource, scoped by the roles you have defined.
Their session is short-lived and derived from the API-Key; when their session expires
they can reopen the fully qualified link to obtain a new short-lived session.
API-Key
To make this flow possible, every time you need to create a fully qualified link you must call
the Contract Fit API with the roles (permissions) you want. In return,
you get back the matching API-Key for this scope that you then can embed in a link.
An API-Key is revocable at any time using the Admin API, can be created with a baked-in
expiration date and must be bound to a dedicated User in our database.
For security reason and consistency you cannot alter the roles of an API-Key after its creation:
you need to create a new one and delete the previous one.
WARNING: the API-Key will allow the end user to perform ANY action authorized by the roles you
set in the API-Key: be careful about the roles and permissions you set!
User
The API-Key User will be used in all User references (for instance lock info) and
must not be deleted: It is a placeholder user for all the end users who don't have an
account on our dashboard. The password authentication of this user - even if possible - is never used.
In this diagram:
User john is a regular User with an account
User guest is the placeholder User for the API-Keys
The permissions will be the following:
Since John has a regular account, his user roles allow him to access inbox A & B
Using hPym5P API-Key, only inbox A and the document 1 page (not document 2) will be accessible
Using doCWk4 API-Key, only inbox A and the document 2 page (not document 1) will be accessible
Using RAck9j API-Key, only inbox B and all documents in it will be accessible
Flow example
on your dashboard, add a button "Go to document review" on the doc page
on click, a call is made to your back-end
your back-end calls Contract Fit API and obtains a new API-Key scoped to the specific document
your back-end generates the fully qualified link to the doc
your back-end redirects the user to the Contract Fit dashboard using the link
your end user obtains a session derived from the API-Key roles and is logged in
after review, your end user returns to your dashboard and mark the doc as done
your back-end revokes the API-Key to avoid abuse
the API-Key cannot be used anymore
Note
Although currently incomplete, you can check out the OpenAPI documentation about API-Key endpoints.
Initial setup
You will need the following:
a User on your tenant with enough permissions to set up the authentication
permissions: edit_backend_settings and view_api_keys
this user is only used to make the setup calls, you must not use it as the base user for the API-Key!
a dedicated User on your tenant who will be bound to your API-Key
a Role (or more) to grant to the end user
Scoped to an inbox or to a (document, inbox) combination
import requests from secrets import token_urlsafe from getpass import getpass tenant = "https://alfredo.contract-q.fit" admin = "timothe@contract.fit" password = getpass(f"User {admin} password: ") sess = requests.Session() res = requests.post(f"{tenant}/admin/auth", json={ "username": admin, "password": password }) res.raise_for_status() jwt = res.json()["authentication_token"] sess.headers = dict(Authorization=f"Bearer {jwt}")
Get inbox
You need to have the inbox ID, used in the roles declaration
res = sess.get(f"{tenant}/admin/inboxes") res.raise_for_status() inboxes = res.json() invoice_inbox = next(filter(lambda x: x["name"] == "invoice", inboxes))
Create role
One time only: use / create a simple role with as little permissions as possible.
permissions = { "view_statistics": True, "upload": False, # we don't want our users to be able to upload using this role "review": True, "submit": True, "view_list": True, "read_thresholds_settings": True, "escalate_document": True, } res = sess.post(f"{tenant}/admin/roles", json={"name": "ReviewGuest", "permissions": permissions }) res.raise_for_status() role = res.json()
Create dedicated user
One time only: create the guest placeholder user. All end users using the API-Keys will be seen as this user.
The User must have equal or broader role and permissions than the API-Keys will require.
res = sess.post(f"{tenant}/admin/users", json={ "username":"shared-link", "active": True, "password":token_urlsafe(18), # The user password does not matter, use a randomly generated string "roles": [{"role": role["id"],"inbox": invoice_inbox["id"]}] }) res.raise_for_status() user = res.json()
Create API-Key
Each time you need to create a fully qualified link with a new scope (ie. new doc),
you need to create a new key with the new scopes.
Each API-Key has:
an expire_at attribute indicating the expiration date of the Key
a roles list of role scope
an active flag
Roles
Important: you cannot change the roles after the API-Key creation!
If you want to limit the API-Key to a single doc, you can specify the document scope but you also need to specify the
inbox scope, so that your end user has access to all required features for the review page.
If you want to change the roles, just create a new API-Key and delete the old one.
To give access to a specific document you must also specify the inbox of the document within the same role definition; you can add multiple independent roles in the roles list, each one giving access to a single inbox or a (inbox, document) combination.
doc_id = "60ddb937b260064252bd5a98" # your doc ID roles = [ {"role": role["id"], "inbox": invoice_inbox["id"], "document_id": doc_id} # same role as the user but limited to one doc ] res = sess.post(f"{tenant}/admin/auth/api-key", json={ "user": user["id"], "roles": roles }) res.raise_for_status() token = res.json()["token"]
Now you can share a fully qualified link to your end users: they will be granted temporary access to
the review page for the given document.
To pass the API-Key to Contract Fit's dashboard, you need to pass it in the
query string parameter named nonce :
url = f"{tenant}/#/view/{doc_id}?nonce={token}" print(url)
Based on my example variables, the link will thus look like:
(The link above does not work, this is normal)