New here? Begin by clicking here!

The good, the bad and the ugly: oms-core-elixir

Owned by Sergey Peshkov
Last updated: 26/Dec/2019
2 min read

Let's sum up the good and the bad things about the core that is currently in use, to keep that in mind while developing the new one, so it'll be awesome from the start. Add your opinion here as well.


Sergey.

The good:

  • the circles/permissions system

  • postgres as the db

  • the refresh/access token system



The bad:

  • the stack (nobody knows elixir, you know)

  • no gsuite integration

  • users and members are separated, making it difficult to use

  • no body history

  • no actions history (like, there's no way to see who done what at which time. This can be solved by storing logs though)

  • most fields are optional

  • no consent in the db

  • no automatic users management (like the users are not deleted from the body/suspended once the fee is expired)

  • circles permissions (there's such thing as circle admin, when a person is a circle admin s/he can do more time, and it doesn't match the permissions schema)

  • security-wise: no way to revoke a session (refresh_token); sessions are not revoked once the password is changed; no need to confirm email once it was changed; no notification on changed password



Proposals for the new core:

- js as a language

- postgres as a db

- Sails.js as a framework

- a lot of copypaste from statutory/events, most likely

- preserve the permissions/circles system exactly the way it is now (seems like a really flexible solution)

- merge users and members

- add the consent into the db

- disallow acting in any way if the optional fields are not set and if the consent is not given

- have background jobs to suspend/delete inactive users

 

Fabrizio.

The good:

  • RBAC works well apparently (circles/permissions)

 

The bad:

  • elixir

  • no gsuite integration, which has led us to eventually waste a lot of time in manual creations.

  • DB schema is not the most clever: users and members are separated entities, and that’s “logically” ok, but the email should be on the member (or anyway not where it is now)

  • no body history, which was one top requirement

  • no audit log (action history), which was one top requirement

  • most fields are optional and not validated

  • no consent in the db

  • no cron/ automatic users management (like the users are not deleted from the body/suspended once the fee is expired)

  • No LDAP, which was one top requirement



Proposals for the new core:

  • js as a language

  • postgres as a db for relational data, LDAP is also a first-class citizen. E.g. membership data in LDAP and only permission data on postgres (or, both membership and permission in postgres and ldap only membership)

  • Strapi as a framework (see below why)

  • maybe do not merge users and members if there is really no clever solution

  • have background jobs to suspend/delete inactive users, to store statistics, etc (unless prom takes care of that / to make prom scrape it)

Why strapi:

  • you define the model of the data through admin interface (or through code, but can check visually)

  • allows postgres

  • highly customisable, e.g. permission / hooks

  • if not strapi, i think loopback.io would be better (sails has a lot of frontend in it, but we have ours; keystone looks less neat than loopback)

 

Proposal in general:

  • introduce an API gateway layer, to incorporate common features there: authentication, authorisation, routes logging

    • perhaps this can help when developing new modules (we used to have “oms-common-js”)

  • remember to delegate authentication and security to auth0

New here? Begin by clicking here!