Users and Authentication
Stallion comes with a built-in system for user management.
For Java code, it consists of the following components:
- io.stallion.users.User – the user model, defining the fields of a user such as username, email, displayName, etc.
- io.stallion.users.UserController – manages the user models, handling everything from user
- UsersApiResource – the RESTful endpoints and HTML screens for logging in, creating users, managing users, etc.
- io.stallion.settings.childSections.UserSettings – configure various default behavior for the UserController and endpoints.
- io.stallion.users.Role – defines the available roles for users, such as MEMBER, STAFF, or ADMIN
Default user screens
Here are some screens built into Stallion for doing basic user login and management:
/st-users/login – log in to the application
/st-users/reset-password – reset your password using your user account email address
/st-users/verify-email – verify your account email address
/st-users/manage – allows ADMINs to do basic user management
You can disable these screens in the user settings, or write your own replacements.
Key things to know
- To get to the user management screen, you need an admin user. To create a default super user, use the “users” action from the command-line. This will define a user in a file. Then deploy the site. You can edit this user by editing the .json file in the users file and then redeploying. This user cannot be edited via the UI. If you only have a few users, you can create them all via the command line rather than adding them in the database.
- When a user logs in, they are assigned a cookie ``. This cookie contains encrypted information about the user. There is no session information stored in the database. To invalidate a session, you must change the encryption key for that user, which will invalidate all their cookies.
- All users have a role, defined in the Roles enum. Roles are ranked: ANON is the lowest role, then CONTACT, MEMBER, STAFF_LIMITED, STAFF, and ADMIN. For every endpoint in your system, you can add an annotation @MinRole(Roles.MEMBER). This restricts the endpoint to someone who has that role or a greater role. So an endpoint with @MinRole(Roles.MEMBER) would be accessible to MEMBERs and STAFF but not CONTACT or ANON. There is also a helper method on the user object, “isInAtLeastRole”, for determining whether the user has the given role or higher.
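As an added example (not Stallion's own code), the self-contained Java sketch below shows how a ranked role enum and a `MinRole` annotation gate endpoints the way the text describes; the names `Role`, `MinRole` and `isInAtLeastRole` mirror the docs, but the bodies, the `Endpoints` class and the decision to treat an unannotated endpoint as public (ANON) are assumptions.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;

// Illustrative reimplementation of the ranked-role check; not Stallion's code.
public class MinRoleDemo {
    // Declaration order is the ranking: ANON lowest, ADMIN highest.
    enum Role { ANON, CONTACT, MEMBER, STAFF_LIMITED, STAFF, ADMIN }

    @Retention(RetentionPolicy.RUNTIME)
    @interface MinRole { Role value(); }

    static class User {
        final String username;
        final Role role;
        User(String username, Role role) { this.username = username; this.role = role; }
        // "At least" means the same role or any higher-ranked one (enum ordinal order).
        boolean isInAtLeastRole(Role required) { return role.compareTo(required) >= 0; }
    }

    // Hypothetical endpoints; a missing annotation is treated as public (ANON).
    static class Endpoints {
        @MinRole(Role.MEMBER) public String memberArea() { return "member area"; }
        @MinRole(Role.ADMIN)  public String manageUsers() { return "manage users"; }
        public String landing() { return "landing"; }
    }

    // Returns true if the user may call the endpoint, false otherwise.
    static boolean allowed(User user, Method endpoint) {
        MinRole min = endpoint.getAnnotation(MinRole.class);
        Role required = (min == null) ? Role.ANON : min.value();
        return user.isInAtLeastRole(required);
    }

    // Prints an access matrix: CONTACT is denied memberArea, STAFF is denied manageUsers.
    public static void main(String[] args) throws Exception {
        User[] users = {
            new User("anon", Role.ANON), new User("c", Role.CONTACT),
            new User("m", Role.MEMBER), new User("s", Role.STAFF), new User("a", Role.ADMIN)
        };
        for (String name : new String[] {"landing", "memberArea", "manageUsers"}) {
            Method m = Endpoints.class.getMethod(name);
            for (User u : users) {
                System.out.printf("%-12s %-14s %s%n", name, u.role, allowed(u, m) ? "allow" : "deny");
            }
        }
    }
}
```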