Open Gozala opened 4 years ago
One extra thought that would go along with a general sentiment here:
It might be wise to embrace existing PKI and sign API requests with the peer key. That would remove the need for secret tokens (that users need to enter), although users would need to authorize a specific IPFS node with a pinning service. Although that could be fairly simple: the webui or cli would just have to pass the peer id to the pinning service endpoint, where the pinning service could perform the necessary authorization (if necessary), onboarding, etc.
I think there is yet another reason to prefer device level granularity over user level. When you query for all user pins it would be useful to:
From what I understand, currently the API user token is going to be used to identify who requested a pin. However, a user may have multiple devices, and sharing the same token across those has a few problems:
Pins could be added/removed from different devices, and who wins is unclear:
Does that mean CID-A should be removed, or does that mean it should not because device B still holds a pin?
For the above reason I think it would be wise to move away from manual endpoint + token entry and instead perform a device link / unlink flow similar to how e.g. Keybase does this. While under the hood that could still use tokens (although signing requests would be a better option IMO), it could provide a better solution for the above listed problems and provide better UX as described below: