changes authentication to no longer use a refresh token & access token
for accessing protected endpoints. Instead only an auth token is used.
Before the login flow was:
Login -> get refresh (stored as HttpOnly cookie) + access token (stored in memory) ->
protected endpoint request (attach access token as Authorization header) -> access token expires in
15 minutes, so use refresh token to obtain new one when that happens
now it looks like this:
Login -> get auth token (stored as HttpOnly cookie) -> make protected endpont
request (token sent)
the reasoning for using the refresh + access token was to reduce DB
calls, but in the end I don't think its worth the hassle.
the secret key for signing JWT tokens is now read from server.secret.
if that does not exist, then a random UUID v4 is generated and used
instead. a log warning is also shown.
enforces user admin role requirement for
- creating / deleting / setting role for organization users
- creating / deleting / setting role for project users
- updating project name
- deleting project
hides action elements based on role for
- admin console
- team settings if team is only visible through project membership
- add project tile if not team admin
- project name text editor if not team / project admin
- add redirect from team page if settings only visible through project
membership
- add redirect from admin console if not org admin
role enforcement is handled on the api side through a custom GraphQL
directive `hasRole`. on the client side, role information is fetched in
the TopNavbar's `me` query and stored in the `UserContext`.
there is a custom hook, `useCurrentUser`, that provides a user object
with two functions, `isVisibile` & `isAdmin` which is used to check
roles in order to render/hide relevant UI elements.
