Natively, Dolibarr provides an API, and each user can have a single API key that gives access to the whole functional scope to which the user has access.
We're not happy with this way of working: for example, I want to be able to develop a mobile application which, via the API, should only have access to the user's calendar and nothing else.
If I configure the native Dolibarr API key linked to the user, the application will also be able to access invoices and other items.
This is particularly problematic from an access compartmentalisation point of view.
The classic 'solution' for Dolibarr users is to create a second user with fewer rights and configure that user's API key in the calendar application… but now it is a different user, and user 2's calendar isn't the same as user 1's, which forces you into technical contortions.
Our approach with SmartAuth is to say that a user can have as many API keys as they want, each key having its own rights, and that a key linked to one application must not be reused by another.
This is what you see with applications such as NextCloud: when your smartphone creates the first link to your NextCloud server, a specific API key is generated. So if your smartphone is stolen, you can delete only this key and generate a new one for your new smartphone.
You will also have access to connection logs that will enable you to detect incorrect actions and/or manage access.
With the current implementation of Dolibarr, if your key is compromised when your smartphone is stolen, you will have to reconfigure ALL the devices on which you have configured your key in order to put a new one in place!
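To make the model above concrete, here is a small illustration of per-application, scoped API keys with individual revocation and a connection log. It is example code written for this post, not SmartAuth's or Dolibarr's own implementation; the user names, application names and scope strings (`agenda:read`, `invoice:read`, …) are made up for the demonstration.

```python
"""Toy model of per-application, scoped API keys (the SmartAuth idea),
contrasted with the single key-per-user model. Illustrative code written
for this post, not the plugin's own implementation."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash(secret: str) -> str:
    # Only a hash of the secret is stored, so a leaked key table is not a leaked key.
    return hashlib.sha256(secret.encode()).hexdigest()


@dataclass
class ApiKey:
    key_id: str
    user: str
    app: str            # the one application this key is bound to
    scopes: frozenset   # rights granted to this key, a subset of the user's rights
    key_hash: str
    revoked: bool = False


class KeyStore:
    def __init__(self, user_rights: dict):
        self.user_rights = user_rights   # user -> full set of functional rights
        self.keys: dict[str, ApiKey] = {}
        self.log: list[dict] = []        # connection log, one entry per API call

    def issue(self, user: str, app: str, scopes) -> str:
        scopes = frozenset(scopes)
        # A key can never grant more than the user already has.
        if not scopes <= self.user_rights[user]:
            raise ValueError(f"{user} cannot delegate {set(scopes - self.user_rights[user])}")
        # One active key per application: issuing a new one for the same app
        # retires the previous one instead of letting it be shared.
        for k in self.keys.values():
            if k.user == user and k.app == app and not k.revoked:
                k.revoked = True
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.keys[key_id] = ApiKey(key_id, user, app, scopes, _hash(secret))
        return f"{key_id}.{secret}"   # shown to the app once; only the hash is kept

    def revoke(self, key_id: str) -> None:
        self.keys[key_id].revoked = True

    def authorize(self, token: str, required_scope: str, client: str = "?") -> tuple:
        key_id, _, secret = token.partition(".")
        k = self.keys.get(key_id)
        if k is None:
            reason = "unknown key"
        elif k.revoked:
            reason = "revoked"
        elif not hmac.compare_digest(k.key_hash, _hash(secret)):
            reason = "bad secret"
        elif required_scope not in k.scopes:
            reason = "scope not granted"
        else:
            reason = "ok"
        self.log.append({"key_id": key_id, "client": client,
                         "scope": required_scope, "result": reason})
        return reason == "ok", reason


def stolen_phone_scenario() -> dict:
    """Hypothetical user 'alice' has a phone (calendar only) and a laptop (billing);
    the phone is stolen and only its key is revoked."""
    store = KeyStore({"alice": frozenset({"agenda:read", "agenda:write", "invoice:read"})})
    phone = store.issue("alice", "phone-calendar", {"agenda:read", "agenda:write"})
    laptop = store.issue("alice", "laptop-billing", {"invoice:read"})
    out = {}
    out["phone_agenda"] = store.authorize(phone, "agenda:read", "phone")
    out["phone_invoice"] = store.authorize(phone, "invoice:read", "phone")  # compartmentalised
    store.revoke(phone.split(".")[0])   # phone stolen: kill just this key
    out["phone_after_revoke"] = store.authorize(phone, "agenda:read", "unknown-device")
    out["laptop_still_ok"] = store.authorize(laptop, "invoice:read", "laptop")
    try:   # a key may not exceed the user's own rights
        store.issue("alice", "rogue-app", {"invoice:write"})
        out["overreach_rejected"] = False
    except ValueError:
        out["overreach_rejected"] = True
    out["log_entries"] = len(store.log)
    out["denials"] = [e for e in store.log if e["result"] != "ok"]
    return out


if __name__ == "__main__":
    for name, value in stolen_phone_scenario().items():
        print(name, value)
```

The log records every call with the key id, the client and the outcome, which is what lets you spot a revoked key still being tried from an unknown device; the laptop's key keeps working untouched, which is exactly the difference from having to reconfigure every device after one loss.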
The SmartAuth repository is at https://inligit.fr/cap-rel/dolibarr/plugin-smartauth/; don't stop at the documentation, which is not necessarily up to date.