#10: Bearer authentication for socket.io, generated in subdomain config

m-ld · Nov 5, 2023 · a6938dd · a6938dd
1 parent 48a6b99
commit a6938dd
Show file tree

Hide file tree

Showing 27 changed files with 433 additions and 243 deletions.
diff --git a/architecture/api/admin/admin.use-case.puml b/architecture/api/admin/admin.use-case.puml
@@ -7,22 +7,32 @@ left to right direction
 user <|-- root : is a
 
 package "User End-Point" {
-  user --> (change details) : self
-  note right: PATCH /user/:user {emails, keyids}
-  note bottom of "change details": including revoke key
-  (get activation) #lightgreen
-  user --> (get activation)
-  note right of "get activation": sends code by email
-  note right of "get activation": POST /user/:user/activation {email}
-  (get user key) #lightgreen
-  user --> (get user key) : self; can use\nactivation
-  note top of "get user key": must use activation\nfor self-service create
-  note right of "get user key": create user account\nif not exists
-  note right of "get user key": POST /user/:user/key
-  root --> (get user key) : any user
-  user --> (delete user) : self
-  root --> (delete user) : any user
-  note right: DEL /user/:user
+  usecase changeDetails as "=== change details
+  PATCH /user/:user {emails, keyids}"
+  user --> (changeDetails) : self
+  note right: including revoke key
+
+  usecase getActivation #lightgreen as "=== get activation
+  POST /user/:user/activation {email}"
+  user --> (getActivation)
+  note right: sends code by email
+
+  usecase mintUserKey #lightgreen as "=== mint user key
+  POST /user/:user/key"
+  user --> mintUserKey : self; can use\nactivation
+  note right of mintUserKey: must use activation\nfor self-service create
+  note right of mintUserKey: create user account\nif not exists
+  root --> mintUserKey : any user
+
+  usecase deleteUser as "=== delete user
+  DEL /user/:user"
+  user --> deleteUser : self
+  root --> deleteUser : any user
+
+  usecase getPublicKey as "=== get public key
+  GET /user/:user/publicKey/:keyid"
+  user --> getPublicKey : self
+  root --> getPublicKey : any user
 }
 
 @enduml
diff --git a/architecture/api/admin/img/admin.use-case.svg b/architecture/api/admin/img/admin.use-case.svg
diff --git a/architecture/api/domain/account-domain.seq.puml b/architecture/api/domain/account-domain.seq.puml
@@ -5,16 +5,20 @@ hide footbox
 title App with Gateway account
 
 participant "App\nClient" as client
+participant "Identity Provider" as idp
 participant "App Service\nor lambda" as service
 
-service -> Gateway: PUT /domain/<<account>>/<<name>> ""{authKey}""
+client <--> idp: Authenticate user (or anon)
+client -> service ++ : get config for subdomain {userId}
+service -> Gateway ++: PUT /domain/<<account>>/<<name>>\n{authKey, userId}
+Gateway -> Gateway: Create user JWT,\nsign with authKey
 return config for new clones
 note left
 <code>
 {
   @domain:"<<name>>.<<account>>.<<hostname>>",
   genesis:true,
-  io
+  io: { auth: { jwt } }
 }
 </code>
 end note
@@ -23,9 +27,7 @@ if backup clone
 or domain exists,
 genesis is false
 end note
-client <--> service: Authenticate user (or anon)
-service -> service: Create client JWT,\nsign with authKey
-service -> client: ""{config, jwt}""
+return config
 client -> client ++: Create clone
 client <--> Gateway: socket.io remotes ""{jwt}""
 

diff --git a/architecture/api/domain/img/account-domain.seq.svg b/architecture/api/domain/img/account-domain.seq.svg
diff --git a/architecture/api/domain/img/public.seq.svg b/architecture/api/domain/img/public.seq.svg
diff --git a/architecture/api/domain/public.seq.puml b/architecture/api/domain/public.seq.puml
@@ -4,7 +4,7 @@ hide footbox
 
 title App with anonymous users using Gateway public messaging
 
-anon -> Gateway: POST /domain/public ☆
+anon -> Gateway: POST /domain/public
 return config for new clones
 note left
 <code>
@@ -15,7 +15,7 @@ note left
 }
 </code>
 end note
-note right: no backup clone created ☆
+note right: no backup clone created
 anon -> anon ++: Create genesis clone
 <-- anon: Tell other app instances
 anon <--> Gateway: socket.io remotes (rate limited)

diff --git a/architecture/gateway design.mm b/architecture/gateway design.mm
@@ -320,7 +320,7 @@
 </node>
 </node>
 <node TEXT="deployment" ID="ID_1093246398" CREATED="1669713904042" MODIFIED="1669713906788">
-<node TEXT="native" ID="ID_1357853973" CREATED="1669917664941" MODIFIED="1669917682875">
+<node TEXT="native" ID="ID_1357853973" CREATED="1669917664941" MODIFIED="1696846339222">
 <icon BUILTIN="bookmark"/>
 <arrowlink SHAPE="CUBIC_CURVE" COLOR="#000000" WIDTH="1" TRANSPARENCY="200" FONT_SIZE="9" FONT_FAMILY="SansSerif" DESTINATION="ID_435682791" STARTINCLINATION="672;0;" ENDINCLINATION="672;0;" STARTARROW="NONE" ENDARROW="NONE"/>
 </node>

diff --git a/src/ably/AblyCloneFactory.ts b/src/ably/AblyCloneFactory.ts
@@ -1,8 +1,8 @@
 import * as ablyModule from '@m-ld/m-ld/ext/ably';
-import { BaseGatewayConfig, CloneFactory, Env, GatewayPrincipal } from '../lib/index.js';
+import {
+  BaseGatewayConfig, CloneFactory, ConfigContext, Env, GatewayPrincipal
+} from '../lib/index.js';
 import * as xirsys from '@m-ld/io-web-runtime/dist/server/xirsys';
-import { Who } from '../server/index.js';
-import { RemotesAuthType } from '../server/Account.js';
 
 type AblyGatewayConfig = BaseGatewayConfig & ablyModule.MeldAblyConfig;
 
@@ -32,13 +32,9 @@ export class AblyCloneFactory extends CloneFactory {
       return ablyModule.AblyRemotes;
   }
 
-  async reusableConfig(
-    config: BaseGatewayConfig,
-    remotesAuth: RemotesAuthType[],
-    who?: Who
-  ): Promise<Partial<BaseGatewayConfig>> {
+  async reusableConfig(config: BaseGatewayConfig, context: ConfigContext) {
     const { ably } = config;
-    return Env.mergeConfig(super.reusableConfig(config, remotesAuth, who), { ably }, {
+    return Env.mergeConfig(super.reusableConfig(config, context), { ably }, {
       ably: { key: false, apiKey: false } // Remove Ably secrets
     });
   }