📝 docs: planning auth route

main
_ 2020-12-21 14:19:50 +00:00
parent 0d155a5b36
commit fa070ea7d0
1 changed files with 69 additions and 1 deletions

@ -98,7 +98,7 @@ stronger is ready.
- (X) Clean up scraper endpoint
- (X) Add (almost) end-to-end tests for test scraper endpoint
- (X) Thread server endpoints through relay scraper auth
- ( ) Add tests for other scraper endpoints
- (don't care) Add tests for other scraper endpoints
- (don't care) Factor v1 API into v1 module
- (X) Add real scraper endpoints
- ( ) Manually create SQLite DB for scraper keys, add 1 hash
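Review bot: changing "Add tests for other scraper endpoints" from ( ) to (don't care) while "Add real scraper endpoints" is already (X) leaves the test scraper endpoint as the only one with tests, even though the real endpoints are the ones the relay scraper auth protects. Consider keeping a narrower item, for example one negative test per real endpoint asserting that a request without a valid key is rejected, or record the reason for dropping it in the decision journal so the gap is a documented choice.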
@ -139,6 +139,74 @@ These will all be JSON for now since Python, Rust, C++, C#, etc. can handle it.
For compatibility with wget spidering, I _might_ do XML or HTML that's
machine-readable. We'll see.
## DB / UI impl
Sprint 1:
- Look up keys by their hash
- not_before
- not_after
- name
- X-Email associated with key
Sprint 2:
- UI to generate / revoke keys
## SQL schema
Migration
```
create table scraper_keys (
hash text primary key, -- Using blake3 for this because it's not a password
not_before integer not null, -- Seconds since epoch
not_after integer not null, -- Seconds since epoch
name text not null, -- Human-friendly nickname
email text not null -- Email address that created the key
);
```
Look up hash
```
select not_before, not_after name, email
from scraper_keys
where
hash = $1 and
strftime ('%s') >= not_before and
strftime ('%s') < not_after
;
```
Create key
```
-- Generate entropy in app code
insert into scraper_keys (
hash,
not_before,
not_after,
name,
email
) values (
$1,
strftime ('%s'),
strftime ('%s') + 2592000,
$4,
$5
);
-- Respond to client with plaintext key and then forget it.
-- If a network blip causes the key to evaporate, the client should revoke it.
```
Revoke key
```
```
## Decision journal
**Who generates the API key? The scraper client, or the PTTH relay server?**
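Review bot: the "Look up hash" query is missing a comma in its select list: `select not_before, not_after name, email` parses `name` as an alias for `not_after`, so the result has three columns and the key's nickname is never returned; it should read `select not_before, not_after, name, email`. In "Create key" the placeholders go `$1`, `$4`, `$5` with no `$2` or `$3`; since not_before and not_after are computed in SQL, renumber them to `$1`, `$2`, `$3` or note why the gap is intended, and give `2592000` a comment stating the lifetime it represents (30 days in seconds). The "Revoke key" block is empty; either write the statement or mark it as a TODO, because the comment in "Create key" already tells clients to revoke a key that was lost in transit. Finally, Sprint 1 lists "X-Email associated with key" while the column comment says "Email address that created the key"; state which of the two the `email` column holds.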