As a User I can create a new Project

[krainboltgreene]

Projects have:

• Name
• Description
• When they did the project

www: https://github.com/lacqueristas/www/pull/160 origin: https://github.com/lacqueristas/origin/pull/5

[krainboltgreene]

This is also where we figure out how to handle authentication and authorization.

So here's what the server knows:

• On a request to an authenticated service it will:
  • Pass through the Rack-AuthenticationBearer middleware.
    • It will look at the Authentication or Authorization header.
    • Parse the value, expecting a Bearer style pattern Authentication: Bearer xyz123.
    • Pass the token part of the Bearer pattern to the block in middleware.rb.
    • Whatever the result of that function is will get stored in rack.authentication, on the rack environment object.
  • The controller for the rack environment key: rack.authentication.
  • The code expects the value of that key to be like:

    {
    "session" => {
    "id" => "..."
    }
    }

  • It will dig to ["session", "id"] and use that to initialize a new Session model.
  • That Session model will then determine what account the request comes from.
  • The Session is stored in the controller method current_session.
  • The Account is stored in the controller method current_account.
  • JSONAPI Resources gets it's authentication information from the controller method context which returns this:

    {
    current_account: ...
    }

Here's what we have to figure out:

• How we're sending it over (Current assumption is Bearer token)
• What we're sending over (I'm thinking JWT, but the js libraries look traaaash)
• What the client gets in terms of keys
• If we're doing HTTP signatures (I'd love to, and the ruby side is done)
• If I'm even creating the session ids in a secure way.

[btamayo]

On it! I know, I really wanna use JWT because I want to push it forward for other projects but I haven't settled on a library. :/ @krainboltgreene

[krainboltgreene]

@btamayo In the meantime I've gone with a really simple scheme.

1. Create a session with email/password, receive "token" (encrypted account id of the session)
2. Put the "token" in the Authentication header Authentication: Bearer {{token}}, decrypt the token to get the account id, authorize based on that.

As long as anyone has a token that decrypts to a account id, they are that account. It's essentially just a password. Not the most secure and subject to replay attacks and I can't kill individual sessions.