Enable Dewey user types and groups #8

Description

@iamh2o

Summary

Add Dewey-native user authorization support with:

  • user types: admin, standard
  • groups: dewey-admin, rw, ro

Goal

Move Dewey beyond coarse bearer-token access and support basic user/group-based authorization for both the operator UI and API surfaces.

Requested behavior

  • Introduce Dewey user types:
    • admin
    • standard
  • Introduce Dewey groups:
    • dewey-admin
    • rw
    • ro
  • Map groups to effective access:
    • dewey-admin => admin access
    • rw => standard read/write access
    • ro => standard read-only access
  • Resolve authorization from authenticated user/session claims rather than treating all valid API access the same.

Scope

  • Add group-to-user-type / group-to-access mapping in Dewey auth logic.
  • Enforce read-only vs read/write vs admin behavior across API and operator UI.
  • Ensure Cognito-backed UI sessions preserve and use group membership.
  • Ensure API auth has a compatible path for user/group-aware authorization.

Acceptance criteria

  • Dewey can distinguish admin vs standard users.
  • Dewey recognizes dewey-admin, rw, and ro group membership.
  • Admin-only routes/actions require dewey-admin.
  • Mutating routes/actions require rw or dewey-admin.
  • Read-only routes/actions allow ro, rw, or dewey-admin.
  • Unauthorized access returns clear 401/403 behavior.
  • Documentation is updated to describe the user types, groups, and access rules.
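To make the requested model concrete, here is an added example (not Dewey's own code) that implements the group-to-access mapping and the route-level checks the acceptance criteria describe: `dewey-admin` for admin routes, `rw` or `dewey-admin` for mutating routes, any of the three groups for read-only routes, `401` when there is no authenticated principal and `403` when the principal is authenticated but lacks a sufficient group. The claim layout is an assumption: the principal is a dict of token claims with a `sub` and a Cognito-style `cognito:groups` claim, and the `/admin` path prefix used to mark admin-only routes is constructed for the example.

```python
"""Group-to-access mapping and route authorization for the Dewey model.

Added illustration, not Dewey's own code. Assumptions (not from the issue):
- the authenticated principal is a dict of token claims carrying "sub";
- group membership is in the Cognito-style "cognito:groups" claim, which may
  arrive as a list or as a single string;
- admin-only routes live under the constructed "/admin" path prefix.
"""
from enum import IntEnum
from typing import Any, Mapping, Optional, Sequence, Tuple


class Access(IntEnum):
    """Effective access levels, ordered so a higher level implies the lower ones."""
    NONE = 0
    READ_ONLY = 1
    READ_WRITE = 2
    ADMIN = 3


# Group -> effective access, exactly as specified in the issue.
# Unknown groups are deliberately absent: membership in them grants nothing.
GROUP_ACCESS: Mapping[str, Access] = {
    "dewey-admin": Access.ADMIN,
    "rw": Access.READ_WRITE,
    "ro": Access.READ_ONLY,
}

GROUPS_CLAIM = "cognito:groups"  # assumed claim name
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def resolve_access(groups: Sequence[str]) -> Access:
    """Highest access granted by any recognised group (NONE if none match)."""
    return max((GROUP_ACCESS.get(g, Access.NONE) for g in groups), default=Access.NONE)


def user_type(groups: Sequence[str]) -> str:
    """Dewey user type derived from groups: only dewey-admin yields 'admin'."""
    return "admin" if resolve_access(groups) is Access.ADMIN else "standard"


def groups_from_claims(claims: Mapping[str, Any]) -> Sequence[str]:
    """Normalise the groups claim: missing -> [], single string -> [string]."""
    raw = claims.get(GROUPS_CLAIM) or []
    return [raw] if isinstance(raw, str) else list(raw)


def required_access(method: str, path: str) -> Access:
    """Minimum access for a route: /admin is admin-only, safe methods are
    read-only, everything else mutates state and needs read/write."""
    if path == "/admin" or path.startswith("/admin/"):
        return Access.ADMIN
    if method.upper() in SAFE_METHODS:
        return Access.READ_ONLY
    return Access.READ_WRITE


def authorize(claims: Optional[Mapping[str, Any]], required: Access) -> Tuple[int, str]:
    """Return (http_status, detail): 200 allowed, 401 no authenticated
    principal, 403 authenticated but insufficient group membership."""
    if not claims or not claims.get("sub"):
        return 401, "authentication required"
    granted = resolve_access(groups_from_claims(claims))
    # An authenticated caller with no recognised group is still authenticated,
    # so this is a 403, not a 401; a valid token alone grants no access.
    if granted < required:
        return 403, f"requires {required.name}, have {granted.name}"
    return 200, "ok"


def check_request(claims: Optional[Mapping[str, Any]], method: str, path: str) -> Tuple[int, str]:
    """Combine route policy and claims into a single authorization decision."""
    return authorize(claims, required_access(method, path))


if __name__ == "__main__":
    # Constructed sample principals for a quick local run.
    reader = {"sub": "user-1", GROUPS_CLAIM: ["ro"]}
    editor = {"sub": "user-2", GROUPS_CLAIM: "rw"}
    admin = {"sub": "user-3", GROUPS_CLAIM: ["dewey-admin"]}
    for who, claims in [("anonymous", None), ("reader", reader), ("editor", editor), ("admin", admin)]:
        for method, path in [("GET", "/items"), ("POST", "/items"), ("DELETE", "/admin/users")]:
            print(f"{who:9} {method:6} {path:13} -> {check_request(claims, method, path)}")
```

Ordering the levels as an `IntEnum` is what lets a single comparison express "ro, rw, or dewey-admin may read" and "rw or dewey-admin may write" without enumerating group combinations per route; adding a fourth group later is a one-line change to `GROUP_ACCESS`.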

Notes

This should align Dewey more closely with the direction already used elsewhere in the stack, while keeping the Dewey model intentionally simple.
