search

extiverse / bazaar

The extension marketplace for your Flarum forum.
https://discuss.flarum.org/d/5151
MIT License
59 stars 14 forks source link

Add a way for premium extension to authenticate themselves to external service #131

Open clarkwinkelmann opened 5 years ago

clarkwinkelmann commented 5 years ago

Considering the following use case:

A premium extensions uses a vendor-controlled API to perform some actions like monitoring, backup or other resource-intensive job. This API does not require registration, but it's only intended for use by valid premium extensions bought through flagrow.io The API might not have any publicly visible pages, with everything happening inside the extension itself.

The API needs to verify the extension is a valid copy of the premium extension.

Additionally, the API might want to check if a single purchase is being used on different forums.

Requiring the use of Bazaar for such a feature makes sense in my opinion. Here's what I'd suggest:

The extension needs a way to get a flagrow.io token to send along to whatever external resources they fetch. It could be an API token, a user ID or purchase ID. The external service can then use the vendor API as suggested in #124 to verify the validity of the purchase.

A more advanced solution could make use of cryptography. Flagrow.io could sign a purchase confirmation payload, send it to Bazaar, so extensions can then use it to authenticate with the vendor, and the vendor can simply use cryptography to verify the authenticity instead of needing an API call to flagrow.io

Right now it would already be possible to send the Bazaar token as a proof, but this would have some security implications, as it's a write-enabled token, and it would probably be wise to not share it outside of the forum. Also the API is not officially made for use by vendors.

Another solution that might work right now (I have not verified) is that the extension could use the Bazaar token to create a read-only token on flagrow.io, then send that read-only token to the external service.

I think Bazaar should include a method to facilitate this. In any case, we should decide on a recommended way to achieve it, or forbid it if we don't want vendors tinkering with the Bazaar tokens.

Any thoughts ?

luceos commented 5 years ago

I see some valid concerns, I also see several solutions. I'm not too sure crypto would make sense inside the current flow of app vs bazaar, especially related to paid functionality.

Right now the best way for vendors is probably to use the Bazaar token in some way. For flagrow.io it would certainly mean closing down functionality a little better.