Comments (5)
I think we could have Commits without conventional authentication, since these Commits use signatures. This should still be implemented, though, but it solves the write part, at least.
from atomic-server.
I'm looking for a clean, simple way to let the server know which agent is making some request. Usually what happens is that the one making the request has to sign some message from the server to prove ownership over some key, and after that a temporarily usable token is stored as a session / device cookie.
If the client possesses a private key (which is currently used in Commits, too), we could use that key to sign a request. Perhaps have a `signature` and `agent` HTTP header, after which the server checks if the agent's public key and the signature are OK. The signature message source could be the requested subject + the current timestamp + the agent subject. This combination should be unique for each request.
Checking this for every single request seems a bit tedious, so we should probably use a session token, so the server only has to do the signature checking once for every session.
from atomic-server.
So a couple of methods exist to sign HTTP requests. One is to add a `Digest` and `Authorization` HTTP header. Another way is to add a Body with a JWS (or other signature) that contains information about the request, such as the requested resource and some fleeting identifier (timestamp).
from atomic-server.
I think the `sign(timestamp + subject)` approach is pretty valid. I'll start working on an implementation.
The request needs to include the signature, the timestamp, and the public key of the agent.
```js
// Client side: sign "<subject> <timestamp>" with the agent's private key
// and send the public key, signature and timestamp as three headers.
const privateKey = agent.privateKey;
const timestamp = getTimestampNow();
const message = `${subject} ${timestamp}`;
const signed = await signToBase64(message, privateKey);
headers.set('x-atomic-public-key', await agent.getPublicKey());
headers.set('x-atomic-signature', signed);
headers.set('x-atomic-timestamp', timestamp.toString());
```
from atomic-server.
Authorization can be costly, so let's make some simple optimizations to prevent large performance regressions.
First, the server needs to decide whether authentication is necessary at all. If a resource is public, skip it. Also, if the user is an admin, skip further checks.
If the resource is for specific eyes only (recursively check parents for read rights), continue.
The server needs to parse three headers.
After that, the server needs to find the Agent corresponding to the public key. This could be a ValueIndex request.
from atomic-server.