Add security layer to avoid misuse

[acorbi]

Currently, only the URI where a profile is stored is needed to modify it, without the permission and knowledge of the profile's owner.

This issue should be addressed with some level of security in order to ensure that profiles are created/maintained only by their owner, guaranteeing data coherence and validity.

Personally, i would like to see some public/private key approach to this issue. Something that, analog to PGP (https://en.wikipedia.org/wiki/Pretty_Good_Privacy), ensures that some information has been signed by a particular person.

Relevant issues:

• https://github.com/hackers4peace/plp-provider/issues/3
• https://github.com/hackers4peace/plp-provider/issues/5
• https://github.com/hackers4peace/plp-directory/issues/9
• https://github.com/hackers4peace/plp-directory/issues/11

[elf-pavlik]

To keep it simple I would suggest just to base authentication on email address. We could use Mozilla Persona and possibly as alternative simply send confirmation email for update/move/delete

[almereyda]

Yeah, token based security. How long should such a token live; 15 minutes?

[almereyda]

@elf-pavlik As mentionned in the chat, this doesn't work anymore for shared profiles like Events, Places or Organizations.

[elf-pavlik]

@almereyda it can, one just needs to add more email addresses to non public whitelist of who can edit it... think something like share dialog in GDrive