Authentication & Authorization
Querri uses a multi-layered approach to authentication and authorization to ensure secure access to data and resources.
Authentication Flow
WorkOS SSO Integration
Querri uses WorkOS for enterprise-grade Single Sign-On (SSO):
- User initiates login from the frontend
- Frontend redirects the browser to the WorkOS authentication page
- User authenticates with their organization's identity provider
- WorkOS validates the credentials and returns an authorization code
- Hub service exchanges the code for the user's profile
- Hub issues a JWT carrying the user claims
- Frontend stores the token and sends it with API requests
JWT Token Structure
```json
{
  "user_id": "usr_123456",
  "email": "user@example.com",
  "organization_id": "org_789",
  "workos_id": "user_workos_abc",
  "exp": 1234567890,
  "iat": 1234567890
}
```

Token Lifecycle
- Issued: On successful login
- Expiration: 7 days default
- Refresh: Automatic renewal before expiration
- Revocation: On logout or security events
Authorization
Fine-Grained Authorization (FGA)
Querri implements FGA for resource-level permissions:
Permission Model
```text
user:user_123
├─ can view  → project:proj_456
├─ can edit  → project:proj_789
└─ can admin → organization:org_001

organization:org_001
└─ members can view → connector:conn_123
```

Resource Types
- Projects: View, edit, delete, share
- Dashboards: View, edit, embed
- Files: View, download, delete
- Connectors: Use, edit, delete
- Organizations: Admin, member
Permission Levels
- Viewer: Read-only access
  - View project results
  - View dashboards
  - Download data
- Editor: Modify resources
  - Create/edit projects
  - Create/edit dashboards
  - Upload files
- Admin: Full control
  - Manage sharing
  - Delete resources
  - Manage connectors
  - Invite users
Organization-Level Permissions
All users in an organization have:
- Access to organization connectors
- Ability to create projects
- View organization members
- Access to shared resources
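The permission model, resource types, permission levels and organization-level rules above can be expressed as a small relationship-tuple store. The following is an added example, not Querri's FGA implementation: the action-to-role table, the rule that an organization admin holds admin on everything the organization owns, and the deny-by-default fallback are assumptions shaped by the lists on this page.

```python
# Added example (not Querri's FGA implementation): a relationship-tuple store
# that answers "can user X do action Y on resource Z" for the permission model
# on this page. The action-to-role table, the rule that an organization admin
# gets admin on everything the organization owns, and the deny-by-default
# fallback are assumptions.
from collections import defaultdict

# Higher roles imply the lower ones.
ROLE_IMPLIES = {
    "viewer": {"viewer"},
    "editor": {"editor", "viewer"},
    "admin": {"admin", "editor", "viewer"},
}

# Minimum role per (resource type, action), read off the Resource Types and
# Permission Levels lists; "embed" on dashboards is assumed to need editor.
REQUIRED_ROLE = {
    "project": {"view": "viewer", "edit": "editor", "delete": "admin", "share": "admin"},
    "dashboard": {"view": "viewer", "edit": "editor", "embed": "editor"},
    "file": {"view": "viewer", "download": "viewer", "delete": "admin"},
    "connector": {"use": "viewer", "edit": "admin", "delete": "admin"},
    "organization": {"invite": "admin"},
}


class PermissionStore:
    def __init__(self):
        self.grants = defaultdict(dict)   # subject -> {resource: role}
        self.members = defaultdict(set)   # organization -> {users}
        self.owner = {}                   # resource -> owning organization

    def grant(self, subject, role, resource):
        self.grants[subject][resource] = role

    def add_member(self, organization, user):
        self.members[organization].add(user)

    def set_owner(self, resource, organization):
        self.owner[resource] = organization

    def roles_for(self, user, resource):
        """Effective roles of user on resource: direct grants plus org rules."""
        roles = set()
        direct = self.grants[user].get(resource)
        if direct:
            roles |= ROLE_IMPLIES[direct]
        org = self.owner.get(resource)
        if org and user in self.members[org]:
            # organization:X  └─ members can view → connector:Y
            if resource.split(":", 1)[0] == "connector":
                roles |= ROLE_IMPLIES["viewer"]
            # assumption: "can admin → organization" covers everything the org owns
            if "admin" in ROLE_IMPLIES.get(self.grants[user].get(org), set()):
                roles |= ROLE_IMPLIES["admin"]
        return roles

    def check(self, user, action, resource):
        """True only if the action has a required role and the user holds it."""
        rtype = resource.split(":", 1)[0]
        needed = REQUIRED_ROLE.get(rtype, {}).get(action)
        if needed is None:
            return False                  # unknown action or type: deny
        return needed in self.roles_for(user, resource)
```

Membership in an organization alone grants nothing on projects; a user needs either a direct grant on the project or admin on the owning organization, which is what the "Resource belongs to user's organization" check under Troubleshooting amounts to.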
Public Sharing
Projects and dashboards can be shared publicly:
Share Links
- Time-limited: Expire after set duration
- Token-based: Unique URL with access token
- Anonymous: No login required
- Read-only: View-only access
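The four properties above (time-limited, token-based, anonymous, read-only) fit in a few lines once the token is treated as a bearer secret. The following is an added example, not Querri's share-link code; it uses the URL shape documented on this page, and storing only a SHA-256 of the token, binding each token to one resource, and the revoke() operation are assumptions.

```python
# Added example (not Querri's share-link code): mint and resolve time-limited,
# read-only, anonymous share links in the URL shape this page documents.
# Storing only a SHA-256 of the token, binding a token to one resource, and
# the revoke() operation are assumptions.
import hashlib
import secrets
import time
from urllib.parse import urlsplit

SHARE_BASE = "https://app.querri.com/share"


def token_key(token: str) -> str:
    # Only the hash is stored, so a leaked table cannot be replayed as links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ShareLinks:
    def __init__(self):
        # sha256(token) -> {"resource": (type, uuid), "expires_at": t, "revoked": bool}
        self.records = {}

    def create(self, resource_type, resource_uuid, ttl_seconds, now=None):
        """Return a share URL for the resource that is valid for ttl_seconds."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self.records[token_key(token)] = {
            "resource": (resource_type, resource_uuid),
            "expires_at": now + ttl_seconds,
            "revoked": False,
        }
        return f"{SHARE_BASE}/{token}/{resource_type}/{resource_uuid}"

    @staticmethod
    def parse(url):
        """Split a share URL into (token, resource_type, uuid) or None."""
        parts = urlsplit(url).path.strip("/").split("/")
        if len(parts) != 4 or parts[0] != "share":
            return None
        return parts[1], parts[2], parts[3]

    def revoke(self, url):
        """Disable a link immediately (the admin task of revoking unused links)."""
        parsed = self.parse(url)
        if parsed is not None:
            rec = self.records.get(token_key(parsed[0]))
            if rec is not None:
                rec["revoked"] = True

    def resolve(self, url, now=None):
        """Return (resource_type, uuid, "read") for a live link, else None."""
        now = time.time() if now is None else now
        parsed = self.parse(url)
        if parsed is None:
            return None
        token, rtype, uuid = parsed
        rec = self.records.get(token_key(token))
        if rec is None or rec["revoked"] or rec["expires_at"] <= now:
            return None
        if rec["resource"] != (rtype, uuid):
            return None                            # token minted for a different resource
        return rtype, uuid, "read"                 # anonymous and read-only by construction
```

resolve() returns the permission level "read" regardless of who holds the link, which is the property that makes anonymous sharing safe to expose: the token can never be escalated to edit or admin on the resource, and a token cannot be re-pointed at a different uuid by editing the URL.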
Share Link Format
```text
https://app.querri.com/share/{token}/project/{uuid}
```

API Authentication
All API requests require authentication:
Header Format
```text
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
```

Traefik JWT Validation
Traefik validates the JWT before routing the request to a backend service:
- Extract the JWT from the Authorization header
- Verify the signature with the shared secret (HS256, as the sample header above encodes); the accepted algorithm must be fixed in the validator's configuration rather than read from the token's own header, so a token that claims alg none or some other algorithm is rejected
- Check the expiration timestamp against the current time
- Allow the request if every check passes, otherwise reject it
- Add user context taken from the verified claims to request headers for the upstream service; upstream services should trust those headers only on requests that arrived through Traefik, and any client-supplied copy of the same header must be overwritten rather than merged
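The token structure and lifecycle described above, together with the validation steps Traefik performs, fit into one issue/verify pair. The following is an added example, not the hub's or Traefik's code: it reuses the claim names and 7-day lifetime from this page, but the secret value, the X-User-Id and X-Organization-Id forwarding headers and the REVOKED_BEFORE store (standing in for the Redis-backed session data) are assumptions.

```python
# Added example (not Querri hub or Traefik code): issue and validate an HS256
# JWT carrying the claim set shown on this page. The secret value, the
# X-User-Id/X-Organization-Id header names and the REVOKED_BEFORE store
# (standing in for Redis) are assumptions.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"replace-with-a-random-256-bit-key"  # assumption: shared HS256 secret
TOKEN_TTL = 7 * 24 * 3600                       # page default: 7 days


class TokenError(Exception):
    """Raised for any condition the gateway would answer with Unauthorized."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(user_id, email, organization_id, workos_id, now=None, secret=SECRET):
    """Build header.payload.signature for the page's claim set."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "user_id": user_id,
        "email": email,
        "organization_id": organization_id,
        "workos_id": workos_id,
        "exp": now + TOKEN_TTL,
        "iat": now,
    }
    signing_input = f"{encode_part(header)}.{encode_part(claims)}"
    sig = hmac.new(secret, signing_input.encode("utf-8"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


# Revocation on logout or a security event: user_id -> Unix time. Any token
# issued at or before that time is rejected. Assumption: stands in for the
# Redis-backed session data described under Session Management.
REVOKED_BEFORE = {}


def revoke_all_sessions(user_id, now=None):
    REVOKED_BEFORE[user_id] = int(time.time() if now is None else now)


def verify_token(token, now=None, secret=SECRET):
    """Return the claims if the token is acceptable, else raise TokenError."""
    now = int(time.time() if now is None else now)
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        signature = b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError) as exc:  # wrong part count, bad base64 or JSON
        raise TokenError("malformed token") from exc
    # Pin the algorithm server-side: never let the token choose it. This rejects
    # alg "none" and stops a token signed with a different key type from matching.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{c_b64}".encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only after the signature check is the payload worth parsing.
    claims = json.loads(b64url_decode(c_b64))
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise TokenError("missing exp/iat")
    if exp <= now:
        raise TokenError("expired")
    if iat <= REVOKED_BEFORE.get(claims.get("user_id"), -1):
        raise TokenError("revoked")
    return claims


def forward_headers(token, now=None):
    """Headers the gateway adds for the upstream service after validation."""
    claims = verify_token(token, now)
    return {"X-User-Id": claims["user_id"], "X-Organization-Id": claims["organization_id"]}
```

Revoking by a per-user "issued at or before" cut-off works without a per-token identifier, which matters because the claim set on this page has no jti; the cost is that a login in the same second as a revocation is also rejected, which is acceptable for a logout or security-event path.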
Session Management
Frontend Session
- Token storage: Memory (recommended) or localStorage. Anything in localStorage is readable by any script running on the origin, so an XSS bug there exposes the token; an in-memory token is lost on page reload and must be re-obtained through the refresh path
- Auto-refresh: Before token expiration
- Logout: Clear token and redirect to login
Backend Session
- Redis-based: Session data stored in Redis
- TTL: Matches JWT expiration
- Cleanup: Automatic expiration via Redis TTL
Security Features
Password Requirements
WorkOS handles password requirements based on organization policy:
- Minimum length
- Complexity rules
- Expiration policies
- MFA requirements
Multi-Factor Authentication (MFA)
Organizations can require MFA:
- TOTP: Time-based one-time passwords
- SMS: Text message codes
- Push notifications: Mobile app approval
Account Security
- Session termination: Force logout on all devices
- Activity logs: Audit trail of user actions
- IP restrictions: Limit access by IP address
- Device management: Track and manage authenticated devices
CORS Configuration
Allowed Origins
Development:

```text
http://localhost:5173
http://localhost:3000
```

Production:

```text
https://app.querri.com
https://*.querri.com
```

The wildcard entry is an allow-list pattern evaluated on the server. Browsers do not interpret an asterisk inside a hostname in Access-Control-Allow-Origin, so the server matches the request's Origin against the pattern and echoes the exact matching origin back, with Vary: Origin so caches keep the responses apart.

Allowed Methods

```text
GET, POST, PUT, PATCH, DELETE, OPTIONS
```

Allowed Headers

```text
Authorization
Content-Type
X-Requested-With
```

API Rate Limiting
Rate limits prevent abuse:
- Authenticated users: 1000 requests/hour
- Public shares: 100 requests/hour
- File uploads: 10 GB/day per user
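The two edge checks described in the CORS Configuration section and in this rate-limiting section are shown together below as an added example; it is not Querri's Traefik or middleware configuration. The origin lists, methods, headers and per-hour limits are copied from this page; the hour-aligned fixed window, the in-memory counters (Redis INCR and EXPIRE would play that role in a deployment), the per-share-token keying and the Retry-After header are assumptions.

```python
# Added example (not Querri's Traefik/middleware configuration): an Origin
# allow-list for CORS and a per-key fixed-window rate limit that emits the
# X-RateLimit-* headers. Lists and limits come from the page; the hour-aligned
# window, in-memory counters and Retry-After header are assumptions.
import re
import time
from collections import defaultdict
from urllib.parse import urlsplit

DEV_ORIGINS = ["http://localhost:5173", "http://localhost:3000"]
PROD_ORIGINS = ["https://app.querri.com", "https://*.querri.com"]
ALLOWED_METHODS = "GET, POST, PUT, PATCH, DELETE, OPTIONS"
ALLOWED_HEADERS = "Authorization, Content-Type, X-Requested-With"

LIMITS = {"user": 1000, "share": 100}   # requests per hour, from the page
WINDOW = 3600


def origin_pattern(pattern: str):
    """Compile 'scheme://host[:port]' with '*' standing for exactly one DNS label."""
    scheme, host = pattern.split("://", 1)
    host_re = re.escape(host).replace(r"\*", r"[a-z0-9-]+")
    return re.compile(re.escape(scheme) + "://" + host_re, re.IGNORECASE)


def cors_headers(origin, allowed=PROD_ORIGINS):
    """CORS response headers for this Origin, or {} when it is not allowed.

    Browsers do not expand a wildcard inside Access-Control-Allow-Origin, so
    the matching origin is echoed back verbatim together with Vary: Origin.
    """
    if not origin:
        return {}
    parts = urlsplit(origin)
    if parts.path or parts.query or parts.fragment or parts.username:
        return {}   # a browser Origin is scheme://host[:port]; anything else is rejected
    for pat in allowed:
        if origin_pattern(pat).fullmatch(origin):   # anchored: no suffix tricks
            return {
                "Access-Control-Allow-Origin": origin,
                "Vary": "Origin",
                "Access-Control-Allow-Methods": ALLOWED_METHODS,
                "Access-Control-Allow-Headers": ALLOWED_HEADERS,
            }
    return {}


class RateLimiter:
    def __init__(self):
        # (kind, key, window_start) -> requests seen; Redis TTL would drop old windows
        self.counts = defaultdict(int)

    def check(self, kind, key, now=None):
        """Return (allowed, headers) for one request from key of the given kind."""
        now = int(time.time() if now is None else now)
        limit = LIMITS[kind]
        window_start = now - now % WINDOW
        bucket = (kind, key, window_start)
        allowed = self.counts[bucket] < limit
        if allowed:
            self.counts[bucket] += 1
        headers = {
            "X-RateLimit-Limit": str(limit),
            "X-RateLimit-Remaining": str(limit - self.counts[bucket]),
            "X-RateLimit-Reset": str(window_start + WINDOW),   # Unix time
        }
        if not allowed:
            headers["Retry-After"] = str(window_start + WINDOW - now)
        return allowed, headers
```

The label regex is what makes the wildcard safe: because a label cannot contain a dot, https://*.querri.com accepts https://docs.querri.com but rejects https://querri.com, https://app.querri.com.evil.com and any origin with a userinfo, path or query component.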
Rate Limit Headers
```text
X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 950
X-RateLimit-Reset: 1234567890
```

X-RateLimit-Reset carries the time at which the current window resets, in the same Unix-timestamp form as exp in the JWT; clients that hit the limit should wait until then rather than retry immediately.

Security Best Practices
For Administrators
- Enable MFA for all users
- Review permissions regularly
- Audit share links and revoke unused ones
- Monitor activity logs for suspicious behavior
- Rotate API keys periodically
For Developers
- Never log JWTs or credentials
- Use HTTPS for all requests
- Validate input on both client and server
- Implement CSRF protection for state-changing operations
- Follow principle of least privilege
For End Users
- Use strong passwords
- Enable MFA if available
- Don’t share credentials
- Review active sessions regularly
- Report suspicious activity
Troubleshooting
"Unauthorized" Errors
The request could not be authenticated (HTTP 401). Check:
- JWT token is present in request
- Token hasn’t expired
- User has required permissions
- Token signature is valid
"Forbidden" Errors
The request was authenticated but the caller is not allowed to perform the action (HTTP 403). Check:
- User has permission for the resource
- Resource belongs to user’s organization
- Share link hasn’t expired
Session Expires Quickly
Possible causes:
- System time is incorrect
- Redis session expired early
- Organization policy requires shorter sessions