[review] Security Guide by renejeglinsky · Pull Request #2321 · capire/docs

renejeglinsky · 2026-01-16T09:23:51Z

General remarks on:

Remote Authentication

guides/security/authorization.md

renejeglinsky · 2026-01-16T09:29:43Z

Remote Authentication

That guide is based on a Java sample only, right? Are there plans for Node.js as well?

guides/security/authentication.md

guides/security/authorization.md

renejeglinsky · 2026-01-16T14:25:50Z

guides/security/authorization.md


-> <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level. For example, you can use `where` clauses that *contain references to the model*, such as `where: CreatedBy = $user`. For all bound actions and functions, Node.js supports simple static expressions at the entity level that *don't have any reference to the model*, such as `where: $user.level = 2`.
+> <sup>1</sup>For bound actions and functions that are not bound against a collection, Node.js supports instance-based authorization at the entity level, see [link] (somewhere in Node.js docs)<br>
 > <sup>2</sup> For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`.


Should it say "bound and unbound actions and functions"? In consequence we should add 2 also in the table for entity.
See:

Suggested change

> 2 For unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`.

> 2 For bound and unbound actions and functions, Node.js supports simple static expressions that *don't have any reference to the model*, such as `where: $user.level = 2`.

@BraunMatthias What do you think?

guides/security/authentication.md

renejeglinsky · 2026-01-23T07:01:59Z

guides/security/authentication.md

 ::: warning
 If you switch off CAP authentication, make sure that the internal communication channels are secured by the given infrastructure.
 :::


@BraunMatthias How about moving this note into the java div with the hint how to turn off authentication? If there's is no equivalent in Node.js then we could move it into the Java div as it doesn't apply to Node.js at all. Right?

renejeglinsky · 2026-01-26T10:36:04Z

Remote Authentication

That guide is based on a Java sample only, right? Are there plans for Node.js as well?

@sjvans How would you see that? Is there something to fill from the Node.js perspective?

sjvans · 2026-02-02T19:28:29Z

Remote Authentication

That guide is based on a Java sample only, right? Are there plans for Node.js as well?

@sjvans How would you see that? Is there something to fill from the Node.js perspective?

@renejeglinsky the same concepts apply, but configs (e.g., application.yaml vs package.json) differ. we could create a node version/ input for one if you'd like

Co-authored-by: Paul <paul.erlenwein@gmail.com>

guides/security/authentication.md

guides/security/authorization.md

Removed unsupported privilege properties example from authorization documentation.

renejeglinsky · 2026-02-03T13:43:18Z

Remote Authentication

That guide is based on a Java sample only, right? Are there plans for Node.js as well?

@sjvans How would you see that? Is there something to fill from the Node.js perspective?

@renejeglinsky the same concepts apply, but configs (e.g., application.yaml vs package.json) differ. we could create a node version/ input for one if you'd like

Please do so in a new PR. I think it would add value. Matthias was not so sure, that's why I asked you.

guides/security/authorization.md

sjvans · 2026-02-04T11:51:32Z

Remote Authentication

That guide is based on a Java sample only, right? Are there plans for Node.js as well?

@sjvans How would you see that? Is there something to fill from the Node.js perspective?

@renejeglinsky the same concepts apply, but configs (e.g., application.yaml vs package.json) differ. we could create a node version/ input for one if you'd like

Please do so in a new PR. I think it would add value. Matthias was not so sure, that's why I asked you.

added to our backlog

Example first

0440376