BizGaze Connect: chat, meetings, recordings, mobile, directory + UI fixes

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-23 16:15:29 +05:30
parent d045847a59
commit 27355cec76
21 changed files with 3952 additions and 208 deletions
+13 -4
@@ -133,10 +133,19 @@ viewer CONTROLS the remote screen** (reuses the WebRTC `inputChannel` + OS input
- [x] **`Authorization: Bearer <token>`** accepted in `currentUser()` across HTTP + WS, alongside the
cookie (session.js `tokenFromReq`); `/api/login` now also returns the `token` for native clients.
WS upgrades carry the token in the Authorization header (native) or `?access_token=` (browser fallback).
- [ ] **Refresh tokens** (short access token + long refresh) so native apps stay signed in safely.
- [ ] **API keys** table + middleware (scoped per *tenant*, hashed at rest).
- [ ] **Push-notification hooks** (APNs/FCM) for incoming sessions/calls on mobile.
- [ ] **OIDC/JWT** SSO; per-tenant **webhook subscriptions** with retries.
- [x] **Refresh tokens** `/api/v1/auth/refresh` exchanges a long-lived (90d) refresh token for a
fresh access token, with **rotation** (old token revoked on use) + replay rejection. Stored as a
SHA-256 hash (`refresh_tokens` table). Login returns one; logout/deactivate/reset/delete revoke them.
Web/cookie path unchanged.
- [x] **API keys** — admin-managed (`POST/GET /api/v1/keys`, `POST /api/v1/keys/revoke`), per-tenant,
scoped (`report:read`, `audit:read`), `bzc_`-prefixed, SHA-256 hashed at rest, shown once. Accepted via
`X-API-Key` or `Authorization: Bearer bzc_…` on `/api/v1/report` + `/api/v1/audit` with scope enforcement.
- [x] **Per-tenant webhook subscriptions** — admin-managed (`/api/v1/webhooks` create/list/delete +
`/webhooks/events`), each with its own signing secret; events `session.started`/`session.ended`
delivered HMAC-SHA256-signed (`X-BizGaze-Signature`) with in-memory retries. Legacy global
`BIZGAZE_WEBHOOK_URL` still works. (webhooks.js + signaling emits.)
- [ ] **Push-notification hooks** (APNs/FCM) for incoming sessions/calls on mobile — needs Apple/Google creds to test.
- [ ] **OIDC/JWT** SSO — needs an identity provider to test against.
### Phase 3 — Licensing + scale (last, per priority)
- [ ] Elevate **tenant → `organization`** (additive migration: add `organizations`, keep `team_id`
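Review bot: the webhook entry (`Per-tenant webhook subscriptions`) says retries are in-memory, so queued deliveries are lost on a process restart, and it does not say whether the `X-BizGaze-Signature` HMAC covers anything beyond the body; without a signed timestamp or event id a subscriber cannot reject a captured delivery that is re-sent later. Suggest persisting the retry queue (a table alongside `refresh_tokens`) and stating what the signature covers plus the tolerance window subscribers should apply. Two smaller points on the same hunk: `Authorization: Bearer bzc_…` now shares the Bearer scheme with the session token accepted in `currentUser()`, so the API-keys line should state that the `bzc_` prefix is dispatched before any session-token lookup; and the refresh-token line should spell out what `replay rejection` does when a rotated token is presented again (revoke only that token, or every token issued from the same login), since the 90d lifetime makes that distinction matter.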