Open tahpot opened 2 years ago
The following endpoints are implemented with working unit tests:
generateAuthJwt()
authenticate()
get()
The request validator has been updated.
Endpoints remaining:
invalidateDeviceId()
regenerateRefreshToken()
Other remaining:
Other changes also made that require client-ts
updates:
/user/deleteDatabase()
endpoint. Requires adding support in client-ts
storage-node
then hashes the database name. This is for increased security to prevent a malicious user creating database operations on databases not linked to their DID. Requires updating in client-ts
to send the database name, not the hash./user/get
to `/user/connect'/auth
out from /user
for better clarityregenerateRefreshToken()
invalidateDeviceId()
invalidDeviceId()
support
The current auth flow is as follows:
context
using the private key for the DID (this happens in the Vault).The key issue is at step (2).
We require the following capabilities:
Verida Vault
I can sign a consent message using my private key to obtain arefresh token
andaccess token
to gain access to a storage node server for a givenapplication context
.Verida Vault
I can store therefresh token
, linked to a givenapplication context
andVerida dApp
so that I can track all the applications I have logged intoVerida dApp
I can send a message to theVerida Vault
and receive arefresh token
andaccess token
so that I can gain access to a storage node server for a givenapplication context
Verida dApp
I can use theaccess token
to make requests to the storage node server so that I can manage databasesVerida dApp
I can use theaccess token
to make requests directly to CouchDB so that I can read / write database dataVerida dApp
I can use therefresh token
to obtain a new access token if it expires so that the user isn't logged out of the applicationVerida dApp
I can use therefresh token
to obtain a new refresh token if it is getting close to expire so that the user isn't logged out of the applicationVerida Vault
I can revoke arefresh token
, linked to a givenapplication context
andVerida dApp
so that I can revoke database access to an applicationThe proposed new flow is as follows:
context
using the private key for the DID (this happens in the Vault).refresh token
andaccess token
via a newauthenticate()
endpointrefresh token
expires after (30?) daysapp_connections
database, linked to theapplication context
anddomain name
that made the SSO requestaccess token
make requests to the storage node or the couchdb serverrefresh token
to obtain a newaccess token
/refresh token
from the storage node server, if theaccess token
/refresh token
expiresrefresh token
granted to anyVerida dApp
at any timeNote:
access tokens
can't be revoked in couchdb, so we don't support revoking them at all. Instead they are short lived (5 minutes).This requires the following updates to storage node:
generateAuthJwt(did:string, contextName: string)
-- Begin the auth flow. Storage node generates a JWT containing a unique string that must be signed by the DID to complete authentication. Expires after 60 seconds.authenticate(authJwt: string, did: string, contextName: string, signature: string, deviceId: string)
-- Authenticate access to the storage node and couchdb server. Verifies a signature is signed for a given contextName and contains the unique string from a valid JWT. Returns a newrefresh token
andaccess token
. Stores therefresh token
on the server.get(contextName: string, refreshToken: string)
-- Update the existingget()
method to accept a refresh token and return an access token with the database hostname.invalidateDeviceId(deviceId: string)
-- Invalidates all refresh tokens that have been generated for a givendeviceId
. This allows the Vault to sign out a particular device.regenerateRefreshToken(refreshToken: string, contextName: string)
-- Invalidates an existing refresh token and generates a new one. This enables an application to update the refresh token with a more recent expiry.request validator
middleware must be updated to validate all requests against a suppliedaccess token
.