A flow to create individual tokens to access the API

TheExGenesis / community-archive

An open tweet database and API anyone can build on.

https://www.community-archive.org

MIT License

54 stars 7 forks source link

A flow to create individual tokens to access the API #153

Open DefenderOfBasic opened 4 weeks ago

DefenderOfBasic commented 4 weeks ago

Right now anyone can access the DB through the API. It would be better for security if we required people to create a token to access it, and that can then be revoked on an individual basis. This way we can keep it open but if there are bad actors/someone DDOSing the DB we can revoke it/turn off creation of new tokens etc.

The data on object storage can still be publicly available.

DefenderOfBasic commented 4 weeks ago

Possible implementation:

When you login with twitter, you see a token generated for you (stored in the DB?)
Use JWT for this? https://supabase.com/docs/guides/auth/jwts
how does revoking work? just go in the supabase dashboard and edit the DB? Or make this "user directory" view have an extra button if the logged in user is @TheExGenesis ? https://www.community-archive.org/user-dir

timothyylim commented 4 weeks ago

Given the current stage of development CA is at right now, it might even be smart to have a waitlist for access and issue tokens manually.