This repository has been archived by the owner on Jul 31, 2020. It is now read-only.

Authorization API

Marshall T. Rose edited this page Sep 28, 2019 · 1 revision

The Authorization server is a Web application written in Node.js and running on AWS.

Recall from earlier discussion that the public key for the Ed25519 keypair associated with a "Sync Chain" is encoded as a userId.

The client makes the POST /{userId}/credentials request, with a body consisting of an integer-valued timestamp. The request is then signed with the private key for the Ed25519 keypair.

The server verifies the signature (using nacl.sign.open) and, if valid, ensures that the timestamp is not too far in the past.
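
The exchange described above, as an added example (not the project's own code) that uses Node's built-in crypto module in place of nacl. Assumptions: the userId is the base64url form of the raw 32-byte public key, the signed body is signature || decimal timestamp in milliseconds (the layout nacl.sign.open consumes), and the 60-second age limit and 5-second future allowance are illustrative values.

```javascript
// Added example: signed-timestamp credential request, client and server side.
const nodeCrypto = require('node:crypto');

// DER prefix that wraps a raw 32-byte Ed25519 public key as SPKI.
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
const MAX_AGE_MS = 60_000;  // assumption: the page only says "not too far in the past"
const MAX_SKEW_MS = 5_000;  // assumption: allowance for a client clock running ahead

// Client side: returns signature || message, the layout nacl.sign produces.
function signTimestamp(privateKey, timestampMs) {
  const msg = Buffer.from(String(timestampMs), 'utf8');
  return Buffer.concat([nodeCrypto.sign(null, msg, privateKey), msg]);
}

// Server side: the key comes from the URL path, so a valid signature binds the request to that userId.
function verifyCredentialRequest(userId, signedBody, nowMs) {
  const raw = Buffer.from(userId, 'base64url');
  if (raw.length !== 32) return { ok: false, reason: 'bad userId' };
  if (signedBody.length <= 64) return { ok: false, reason: 'bad body' };
  const der = Buffer.concat([SPKI_PREFIX, raw]);
  const key = nodeCrypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
  const sig = signedBody.subarray(0, 64);
  const msg = signedBody.subarray(64);
  if (!nodeCrypto.verify(null, msg, key, sig)) return { ok: false, reason: 'bad signature' };
  const text = msg.toString('utf8');
  if (!/^\d{1,15}$/.test(text)) return { ok: false, reason: 'bad timestamp' };
  const ts = Number(text);
  if (nowMs - ts > MAX_AGE_MS) return { ok: false, reason: 'stale' };   // replay of an old request
  if (ts - nowMs > MAX_SKEW_MS) return { ok: false, reason: 'future' }; // pre-dated request
  return { ok: true, timestamp: ts };
}

// Constructed demo data: fresh keypairs and a fixed "now".
function demo() {
  const now = 1_700_000_000_000;
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const userId = publicKey.export({ format: 'der', type: 'spki' }).subarray(12).toString('base64url');
  const other = nodeCrypto.generateKeyPairSync('ed25519');
  const fresh = signTimestamp(privateKey, now - 1_000);
  const tampered = Buffer.from(fresh);
  tampered[tampered.length - 1] ^= 1; // alter the last timestamp digit
  return {
    fresh: verifyCredentialRequest(userId, fresh, now),
    replayed: verifyCredentialRequest(userId, fresh, now + 10 * MAX_AGE_MS),
    tampered: verifyCredentialRequest(userId, tampered, now),
    wrongKey: verifyCredentialRequest(userId, signTimestamp(other.privateKey, now), now),
  };
}
console.log(demo());
```

The same signed body is accepted once while fresh and rejected as stale when replayed later, which is the purpose of the timestamp check.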

On success, the server returns:

{
  aws: {
    accessKeyId: string,
    secretAccessKey: string,
    sessionToken: string,
    expiration: string
  },
  s3Post: {
    // This is POST form data to be included with writes to S3.
    // For details see AWS docs:
    // https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html
    postData: {
      AWSAccessKeyId: string,
      policy: string,
      signature: string,
      acl: string
    },
    bucket: string
  }
}

which contains credentials, valid for 36 hours, allowing:

  • S3 ListBucket: /brave-sync/{version}/{userId}/*
  • S3 DeleteObject: /brave-sync/{version}/{userId}
  • S3 DeleteObject: /brave-sync/{version}/{userId}/*
  • S3 GetObject, PutObject: /brave-sync/{version}/{userId}/{collection}/*

If the userId has never been seen by the application, then the corresponding bucket is created.
