Idea/Proposal: Permissions for Api Keys and Pre signed upload urls.

[kelindi]

Idea/Proposal: Build permissions for Api Keys and Pre signed upload urls.

Contributors	@kelindi
Status	Draft
Revision

Proposal

NOTE: This is a draft and is not finalize yet. We'll have to polish it until we all agreed on the approach.

Only give api keys the necessary permissions.

• Read
• Write
• Read/Write
• User defined limits for certain actions (ex: "An Api key limited to only upload one file")
  • This could be used to implement a temporary pre signed url/api-key for serverless uploads
  • User requests to upload a file a file from the frontend -> frontend receives a temporary api key from Estuary -> Frontend uses the temporary api key to directly upload the file to Estuary

[snissn]

This is cool! Right now it's easy to make a new API key with a short time expiration date. Could we augment that to also limit the number of times a key can be used? If we can that should allow us to make one time keys. It doesn't necessarily let us make keys with a singular use though. I think we can also add in for a key specific endpoints or verbs (get vs post) that we want to allow. I like this idea overall a lot! I believe we want to change auth in the near future to use meta mask type logins but I can't think of any future plans that this proposal conflicts with

[alvin-reyes]

This is good. We can create a ACL and permission rules and define the rules using echo middleware to detect the user permissions. We can define functions for each permission and we can write the logic for each permission and ID them so we can assign multiple permission rules per user.

I imagine we will have the following permission types.

• readOnlyPerm
• writeOnlyPerm
• readWritePerm
• uploadOnlyPerm
• oneTimeUseTempKeyPerm
• tempKeyGeneratorPerm
• uploadFromSignedPerm
• yourCustomFuncWithYourLimitLogicPerm

and the api key table will have a permission column with an array of permissions.

When a user wants to upload, estuary sends a new API key for the user with an "upload one file only" permission. API key is passed from frontend and directly upload it to estuary.