►
From YouTube: Elsa Workflows Community Meeting 22 ( 2022-08-30)
Description
Meeting 22
Topics
- Elsa 3
○ Documentation
○ DB-less execution
○ Secure API endpoints
- Elsa 2
Secrets module demo
A
Add
additional
data
that
you
can
populate
components
in
the
UI,
with
okay
cool
and,
for
example,
for
me,
the
the
first
plugin
I
was
a
simple
drop
down
list,
but
with
nothing
on
the
UI
I
use
a
basic
plugin
and
I
I
have
defined
a
specific
type,
specific
c-sharp
type
on
the
activity
property
and
with
this,
and
with
the
Declaration
of
specific
components,
I
have
just
on
this
server
side.
I
create
an
HTTP
request
to
another
server
and
the
basic
of
the
communication
between
the
UI
and
the
server.
A
B
A
Yeah
I
will
show
you
this,
so
there
is
a
sample
for
that,
and
I
would
like
to
look
into
that
as
well,
because
I'm
curious
about
how
it
works,
I
think
the
current
release
Andrew.
So
what
we're
discussing
now
is
something
that
was
working
from
I,
think
somewhere
2.4
or
something
like
that.
So
it's
in
the
2.8
also
available
hi.
C
C
I
saw
you
it's
good.
I
just
saw
France
yeah
all
right,
so
I
made
a
I
added
a
couple
of
topics
that
I
would
like
to
talk
about.
Does
anyone
of
you
have
any
topics
to
add
me?
Not
Andre,
not
no,
no,
all
right,
then.
Let's
just
dive
in
yeah,
so
I
just
wanted
to
give
a
brief
update
on
what
I've
been
working
on
and
what
my
current
focus
is,
which
is
sorry
come
again.
Are.
C
Screen
I
think
I
am
can,
can
you
guys
see
my
screen
or
nothing,
nothing
all
right.
Let
me
try
so
a
couple
of
topic:
X
I
wanted
to
talk
about
our
documentation
that
I
started
files
at
three
also
as
an
exercise
to
see
from
a
beginner's
point
of
view.
What
is
missing,
and
actually
one
of
the
first
things
that
I
think
is
missing
is
a
good
story
about
protecting
your
API
endpoints.
We
don't
have
it
in
LSAT
2..
There
is
a
way
to
do
it,
but
it's
not
properly
documented.
C
So
I
want
to
fix
that
for
Elsa
3
from
the
get-go.
So
as
you
as
a
new
user
of
Elsa
3,
when
you
started
from
your
Visual
Studio
or
whatever
IDE
you're
using
I
want
the
API
endpoints
to
be
protected
by
default
and
give
the
developer
an
option
to
opt
out
of
secured
API
endpoints,
but
by
default
it
should
be
enabled
and
also
not
only
should
it
be
enabled.
C
By
default,
there
will
be
a
user
called
guest
and
the
password
is
the
same.
Similarly,
we
could
do
that
for
Elsa
or
provide
a
very
easy
way
to
configure
an
administrator
user
from
app
settings
which
can
be
dangerous
because
we
don't
want
users
to
actually
start
adding
clear
text
passwords
to
app
settings
right.
Of
course,
users
would
shoot
to
it
from
the
environment,
but
not
all
Ides
support
providing
Secrets
without
committing
it
to
git,
although
Visual
Studio
has
user,
Secrets,
I
think
and
writer,
of
course
has
profiles,
project
profiles
that
store
the
secrets
elsewhere.
A
C
Would
like
to
walk
you
through
the
codes
a
little
bit
of
the
way
it's
gonna
look
like
from
a
security
point
of
view
when
working
with
else
apis-
and
the
first
thing
you
will
notice
is
this
line
here.
Add
fast
end
points,
so
Elsa
3
will
not
be
using
regular
MVC
controllers,
but
it
will
be
using
a
library
called
best
endpoints,
which
is
a
very,
very
nice
small
library.
That
makes
it
very
easy
to
make
the
authentication
story
programmable,
or
at
least
configurable,
from
the
user's
point
of
view.
C
It's
also
a
simpler
way
and
just
to
show
you
an
example:
let's
take
a
look
at
the
also
workflows,
API
project,
so
this
is
a
class
Library.
It's
in
Elsa
speak
it's
it's
a
module
and
what
makes
this
a
module?
It's
just
the
fact
that
it's
a
class
library
and
it
has
a
features
folder
and
it
exposes
a
class
called
in
this
case-
workflows,
API
feature.
C
For
example,
those
features
will
be
registered
automatically
with
proper
defaults,
but
every
feature
that
exposes
configuration
can
be
configured
from
the
from
your
startup
or
in.net6.
There
is
no
longer
a
startup,
of
course,
from
the
program
files
where
you
configure
your
services.
So
just
to
give
you
an
example
here
we
see
a
big
code
block
that
adds
all
sorts
of
things
like
activities
and
it
declares
what
features
is
going
to
be
used
and
other
features.
C
It
will
just
install
the
most
commonly
used
services
that
are
useful
for
most
common
scenarios,
and
maybe
there
will
be
an
ad
Elsa
core
that
installs
a
Bare
Bones
version
of
Elsa
in
terms
of
the
eye
services,
and
then
you
can
specifically
choose
what
you
want
to
add
as
well,
but
anyway,
that's
a
small
tangent
on
on
Elsa
features.
What
I
wanted
to
talk
about
is
fast
end
points
here:
I'm,
adding
the
sources
necessary
or
fast
endpoints
yeah.
C
So
this
is
from
that
library
and
the
way
an
endpoint
looks
that's
what
I
wanted
to
show
is.
The
is
an
example.
Here,
let's
say
you
have
an
endpoint
to
list
all
of
the
activity
types
available
to
the
system.
The
way
it
it
works.
Is
you
implement
a
class
where
you
create
a
class
that
derives
from
endpoints,
so
this
is
a
specific
endpoint,
but
from
the
fast
endpoint
Library
it
would
just
be
an
end
point
and
end
because
I
don't
accept
a
request
here,
just
to
inherit
from
endpoints
without
requests
or
it's
a
specific
subtype.
C
You
can
forget
about
the
details
for
now,
but
it's
a
class
that
you
inherit
from,
and
it
allows
you
to
configure
its
routes
using
a
configure
method,
and
this
is
the
point
I'm
getting
to.
Is
you
programmatically
configure
the
permissions,
and
this
could
be
rows
that
are
required
for
the
user
to
to
have
in
order
to
invoke
these
endpoint
or
it
could
be
a
policy
name
or
a
set
of
policies
that
the
user
must
adhere
to,
and
this
is
an
or
expression,
if
you
will
so,
the
user
needs
to
match
either
the
first
policy.
C
Let's
say:
policy,
one
or
policy,
two
Etc
and
same
goes
for
rules,
and
same
goes
for
permissions.
Permissions
is
the
one
I
think
it's
the
most
useful
for
Elsa,
which
is
then
used
as
a
class
library,
of
course,
because
this
way,
when
using
permissions,
it's
up
to
the
application
developer
to
Elsa
implementer
to
determine
when
what
users
get
what
permissions
and
I'm
using
wild
cards
here.
So
let
me
fix
this.
Let
me
undo
my
changes
for
a
second,
so
here
I
can
provide
a
list
of
permissions
that
the
user
requires
so
for
all
users.
C
Well,
users
that
have
the
star
permission
can
do
anything
so
and
that's
actually
implemented
in
this
method
here.
So
this
is
a
custom
Base
Class
that
itself
inherits
from
Fast
endpoints
face
classes,
but
what
it's
doing
here,
it's
doing
a
couple
of
things.
It's
checking
if
security
is
enabled.
So
this
is
a
static
property
that
else
I
implemented,
can
disable
or
enable
if
security
is
disabled,
anonym
requests
are
allowed
for
all
of
the
endpoints.
This
is
for
convenience.
C
It's
an
opt
out
feature,
so
you
have
to
opt
out
of
security,
so
you
can't
by
accident,
deploy
to
production
without
security.
So
that's
that's
a
safety
measure,
but
if
you
want
to
troubleshoot
it
just
quickly
get
going
or
else
on
your
local
machine,
you
can
set
this
flag
to
false
from
your
program
file,
but
by
default
it
will
be
enabled
which
means
that
any
request
requires
at
least
the
star
asterisk.
C
That's
this
constant
here,
it's
the
star,
the
asterisk
symbol,
so
the
user
needs
to
have
that
permission
or
whatever
permission
was
provided
from
the
child
class.
In
this
example,
read
star
or
read
activity
descriptors.
So
this
gives
you
a
very
granular
control
over
what
endpoints
can
be
accessed
by
which
users,
of
course,
the
challenge
will
also
be
in
the
dashboard
application
which
needs
to
visually
reflect
what
the
user
can
and
cannot
do,
which
should
be
okay
to
do,
since
these
are
part
of
a
claim
called
permissions.
C
So
you
have
to
imagine
when
you
sign
in
as
a
user,
you
will
get
back
an
access
token,
which
is
an
encoded
base64,
encoded,
jiot
or
JWT
token,
that
carries
a
permission
claim,
which
itself
contains
a
value.
This
is
an
array
of
your
permissions
and
then
the
client
can
read
those
permissions
and
based
on
the
provided
permissions,
certain
UI
elements
will
be
enabled
or
disabled.
So,
for
example,
if
you
don't
have
the
Public's
work
for
definitions
permission,
the
button
will
be
grayed
out
or
not
available
at
all.
C
So
this
is
what
I'm,
prototyping
and
experimenting
with
and
see
what
what
works
well
from
both
the
user's
perspective,
as
well
as
the
else
implementers
perspective
and
module
developers
that
are
looking
to
extend
the
system,
because
this
is
important.
This
system
needs
to
be
extensible
yeah.
So
let
me
remove
this
so
in
any
case,
I
recommend
checking
out
the
fast
endpoints
Library
very
feature,
Rich,
and
it
serves
all
of
the
feature
requirements
that
I
have
for
the
else.
C
Api
endpoints
and
another
nice
thing
is
that
it's
also
easier
to
control
what
endpoints
you
actually
register
with
you
don't
want
to
register
because
else
I
will
ship
out
of
the
box
with
many
of
these
these
packages.
Some
of
them
have
API
endpoints
like
activity,
definitions
like
Elsa,
workflows,
API
and
then
there's
also
the
labels
module,
which
also
exposes
endpoints.
But
let's
say
the
else
are
implementer,
isn't
going
to
use
the
labels
module.
So
therefore,
first
of
all
it's
when
the
developer
doesn't
even
reference.
The
label
tools,
packets,
the
endpoints,
won't
be
exposed.
C
So
that's
an
easy
way
of
not
exposing
labels
and
points.
But
let's
imagine
they
do
for
some
reason-
reference
the
packets,
but
they
want
to
disable
the
endpoints.
They
can
do
so
from
program
by
configuring.
The
endpoint
Discovery
options.
So
this
Library
lets
you
control
the
endpoints
Discovery
process
so
that
you
can
exclude
certain
packages.
C
This
was
a
request
from
someone
for
LSAT
2
and
it's
possible
to
do
with
asp.net
MVC
apis
by
removing
certain
it's
not
called
areas,
but
I
forgot
the
name
I'm
blanking
on
the
name,
but
there's
a
way
to
opt
out
of
it.
But
it's
a
little
bit
complicated.
I.
Think
I
think
this
is
easier
and
it
doesn't
conflict
with
controller.
C
So
if
the
Elsa
implementer
also
expose
their
own
controllers,
they
can
do
so
and
it
should
not
interfere
and
they
can
then
also
configure
their
controllers
to
use
a
different
Json
serializer,
for
example,
compared
to
the
Json
serializer
used
by
at
first
endpoints,
so
yeah.
So
that's
API,
secure,
API,
API
endpoints
that
are
secure
out
of
the
box.
Currently
I'm
working
on
as
I
mentioned
the
foundation
so
that
both
the
front
end
and
the
back
end
are
secure.
C
The
back
end
is
almost
done
and
the
front
end
I
I
just
started
working
on
and
it
will
have
a
security
context
or
an
authentication
context
where
modules
can
read
current
token
from
including
the
user's
name,
which
could
be
nice.
If
you
know,
if
we
are
able
to
display
the
user
name
in
the
toolbar,
for
example,
but
also
it's
extensible,
which
means
out
of
the
box,
will
we
may
have
an
else
identity
module
where
which
is
very
basic.
C
But
instead
the
user
would
be
redirected
to
off
zeros
login
page,
where
the
user
logs
in
and
then
officero
redirects
the
sign
in
user
back
to
the
outside
dashboard,
at
which
point
they
are
logged
in,
but
using
The
Fray
the
same
security
entities
that
I
have
in
place
there
the
the
same
Primitives
any
questions
about
that
I
know
it's
a
lot.
I've
been
rambling
on.
B
C
Good
question
I
asked
I,
haven't
actually
thought
about
that,
but
it's
a
very
relevant
question
and
I
think
the
answer
should
be
yes.
It
should
at
least
be
possible-
maybe
not
out
of
the
box
from
this
work,
but
it
should
lay
the
foundation
to
allow
that,
because
in
order
to
assign
permissions
to
a
workflow
and
make
it
executable
at
the
core
valves,
I,
don't
think
it
should
have
any
knowledge
of
users
or
permissions,
but
it
should
be
extensible
so
that
a
let's
say,
permissions
module
that
implements
this
feature
that
cooperates
with
the
else
identity
module.
C
Let's
say
if
that,
if
that
were
a
module,
then
that
should
be
possible
or
even
it
should
be
part
of
the
else.
Identity,
module
potential,
so
I'll
give
it
some
thought,
but
I
think
I
think
that
should
be
made
possible
and
we
could
even
take
it
a
step
further
so
that
not
only
at
the
workflow
level,
but
maybe
even
on
certain
activities
that
can
take
advantage
of
some
of
the
security
Primitives,
although
in
this
case
it's
more
about
the
user
managing
workflow.
So
maybe
not
that
relevant.
All
right.
Another
thing
I've
been
working
on.
C
Workflow
instances
in
the
database
not
automatically
or
not
necessarily
so
the
user
should
have
an
option
of
whether
that's
the
case
or
not,
and
the
reason
is,
if
you
have
a
scenario
where
you
have
workflows
that
just
need
to
do
a
lot
of
work
fast,
maybe
many
times,
and
you
don't
really
care
about
persisting
the
the
state
of
those
workflow
executions.
We
should
offer
the
option
of
not
even
storing
those
things.
Maybe
you
don't
care
about.
The
workflow
instance
objects
stored
in
the
database
because
maybe
your
workflows
are
driven
by
some
Kafka
Cube.
C
So,
let's
imagine
all
of
the
events
that
drive
workflows
happen
from
by
reading
from
a
Kafka
queue,
so
some
producer
sends
messages
to
a
queue
which
is
being
processed
and
then
drives
a
bunch
of
workflows.
Now,
let's
say
workflow
at
some
point
crashes,
but
the
message
is
still
there
in
Kafka,
so
maybe
it
could
be
replayed.
So
because
so
in
this
way
you
already
have
some
State
there
that
allows
you
to
retry
certain
workflows.
That
could
be
one
scenario.
C
Another
scenario
could
be
where,
as
workflows
execute
is
at
certain
stages,
they
create
and
store
a
snapshot
of
Kafka.
That's
another
way
of
persisting,
your
workflow
instances
or
some
aspect
of
it.
So
so
my
point
is
it
should
be
more
flexible.
So
maybe,
in
those
scenarios
you
don't
want
to
store,
create
word,
for
instance,
objects
before
executing
workflow,
which
is
the
case
in
LSAT
2.
and
then,
depending
on
your
workflow
setting,
it
will
update
the
workflow
instance
documents
every
at
every
step
of
the
way
or
when
it
encounters
a
blocking
activity.
C
That's
also
a
suspension
point
which
automatically
results
in
storing
the
workplaces
into
the
database.
You
don't
have
much
control
over
that
in
LSAT,
2.
and
elsa3
should
have
different
options
more
control
over
when
it's
stored,
and
that's
that's
the
dbless
execution
brands
that
I'm
working
on
where,
by
default,
it's
not
stored,
or
at
least
you
can
choose
that
it's
not
stored
by
default,
and
this
this
relies,
of
course,
heavily
on
the
on
the
actor
model.
As
implemented
by
a
protoactor,
but
this
is
in
its
early
stages,
so
it's
still
over
very
experimental
yeah.
C
So
that's
this
one
and,
as
I
mentioned,
I
started
working
on
documentation
to
to
identify
any
missing
gaps
and
that
led
me
to
the
API,
secure
endpoints.
Let's
let
me
show
you
what
template
I
found
for
the
documentation
sites,
a
popular
demand
was
light
mode
and
dark
mode,
I
think
very
important
to
have
so
it's
there.
This
is
by
the
way,
based
on
a
Tailwind
templates,
which
is
pretty
cool.
C
So
if
you
go
to
tailwindui.com,
there's
a
template
section
which
is
fairly
new
and
they
have
a
pretty
amazing
templates,
but
using
Tailwind,
UI
or
Tailwind
CSS
classes,
but
these
templates
are
they're
beautiful
and
this
the
one
for
the
documentation
is
syntax.
So
this
is
specifically
designed
for
documentation,
websites
and
I'll
see
our
live
preview,
so
it
has
a
search
feature
built
in
it.
C
Has
a
nice
section
here
on
the
left
and
another
nice
aspect
of
this
is
that
is
the
fact
that
the
documentation
is
written
in
markdown,
so
it
uses
some
xjs
module
that
turns
markdown
into
a
beautifully
styled
pages.
So
yeah
I
started
just
with
the
home
page,
so
a
lot
of
work
has
yet
to
be
done
as
I
mentioned
I'm.
Also
using
this
as
a
as
an
exercise
to
see
what
does
the
story
look
like
for
starters
of
Elsa
3?
C
What
are
the
missing
gaps
for
these
initial
steps
and
we'll
build
on
on
top
of
that
and
really
dig
into
the
details?
One
critique
I
received
often
on
the
current
Elsa
documentation
is
it's
it's
a
bit
can
be.
It
can
be
a
bit
confusing
on
how
to
start.
Even
though
there's
a
few
quick
starts.
What's
not
so
clear
is
when
do
you
use,
which
scenario?
What's
not
always
clear,
is
that
else
can
be
used
in
any
kind
of.net
application
right,
so
it
can
be
used
in
a
console.
C
Application
could
be
used
in
an
asp.net
core
application,
which
is
the
most
common
case,
I
think,
but
it
could
also
be
used
in
WPF
or
Windows
services,
or
even
Maui.
Apps
should
be
possible
because
anywhere.net
runs
else.
I
can
run
as
well.
I
want
to
try
and
start
a
documentation
more
from
a
top-down
level
so
that
you
start
with
an
overview
and
then
this
various
paths
you
can
dig
into
and,
of
course,
any
any
feedback
and
thoughts
on
you.
C
B
B
Yeah,
so
probably
in
the
same
way
that
we
are
contributing
to
the
source
code,
if
you
can
also
try
to
promote
contributing
solutions
to
the
documentation
that
could
also
help
in
which,
rather
than
make
it
as
a
burden,
you
know
someone
has
to
go
and
update
all
the
documents
which
we
know
as
developers.
It's
always
I
wait
on
on
us,
yeah.
C
C
That's
a
great
idea:
I
love
that
yeah
and
it's
it's
also
good
to
try
and
make
it
a
habit
to
instead
of
directly
answering
questions,
especially
if
those
questions
are
asked
more
frequently
to
create
a
topic.
Even
if
it's
a
temporary
guide
or
a
hint
or
a
tip
section,
doesn't
matter,
try
and
add
it
here
and
then
share
a
link
to
that
page,
and
it
doesn't
have
to
be
perfect
immediately.
C
We
can
improve
it
over
time
because
that's
I
guess
the
reason
why
it's
easier
for
me
at
least
to
directly
answer
in
Discord
or
on
GitHub
or
stack
Overflow,
because
the
answer
doesn't
need
to
be
polished
right.
You
can
just
give
a
few
pointers.
It
doesn't
have
to
be
complete,
but
it
always
feels
seems
to
me
that
when,
when
you
start
adding
documentation
it,
it
needs
to
be
more
polished
or
more
complete,
at
least
and
and
that's
also
a
barrier
to
to
actually
do
it.
C
But
maybe
we
should
have
some
sort
of
section
where,
even
if
it's
just
a
quick
pointer
at
least
it's
more
helpful
because
it
can
be,
we
can
point
to
it
so
yeah.
So
those
are
the
challenges
of
maintaining
an
open
source
project
and
its
documentation,
yeah.
So
I
guess
that's
my
update
for
now
and
tomorrow.
C
C
I
saw
that
question
yeah
yeah
all
right.
So
when
we
click
on
add
new,
we
can
add
a
new
secret
of
a
given
type.
So
let's
say
we
want
an
a
bearer
token.
Let's
call
it
GitHub
access
token.
So
that's
the
Secret's
name,
the
type
authorization.
So
this
seems
to
be
a
read-only
fields
and
then
I
imagine
this
to
be
the
value.
So
this
could
come
from
settings
or
a
value
hard
code
here.
So
let's
say
we
use
this
value,
save
all
right.
C
So
now
we
have
a
secret
called
get
up
access
token
and
then,
presumably,
we
should
be
able
to
add
an
HTTP
request
activity
using
that
secret.
So
instead
of
hard
coding,
the
authorization
header
value.
So
let's
see,
if
that's
true,
send
a
spirit
Quest.
Let's
say
we
invoke
a
GitHub
API
endpoint,
then
in
advance,
there's
authorization
and
then
okay,
so
the
module,
the
secrets
module,
replace
the
authorization
field
with
a
drop
down
so
that
you
can
pick
one
of
the
secrets.
So
that's
the
basic
idea
and
I
imagine
the
same
way.
C
C
I
have
to
individually
fill
out
every
component,
but
that's
the
way
it
is
right
now,
so
data
source
would
be,
let's
say
localhost,
maybe
my
app
database,
true
or
yes,
I,
don't
know
yes,
whatever
our
password
I
think
should
be
probably
should
this
would
be
a
password
filter,
not
clear
text,
but
anyway,
let's
try
it
like
this.
So
now
we
have
a
secret
of
type
Ms,
SQL
server,
and
this
I
think
works
together
with
one
of
the
SQL
cool
activities.
So
here's
SQL
execute
SQL.
B
C
A
B
C
C
Oriented
yeah
yeah
there's
a
get
config
JavaScript
function
that
can
read
from
not
well
not
app
settings,
but
it
will
read
from
the
net
configuration
API
and
I
think
it's
called
get
config,
but
it's
probably
not
enabled
by
default.
You
need
to
set
a
script
option
called
enable
configuration
access.
I
think
this
is
a.