From fa070ea7d0aa0b39bbc11ac20ea09227d779eff7 Mon Sep 17 00:00:00 2001 From: _ <> Date: Mon, 21 Dec 2020 14:19:50 +0000 Subject: [PATCH] :pencil: docs: planning auth route --- issues/2020-12Dec/auth-route-YNQAQKJS.md | 70 +++++++++++++++++++++++- 1 file changed, 69 insertions(+), 1 deletion(-) diff --git a/issues/2020-12Dec/auth-route-YNQAQKJS.md b/issues/2020-12Dec/auth-route-YNQAQKJS.md index 2fdd142..b490601 100644 --- a/issues/2020-12Dec/auth-route-YNQAQKJS.md +++ b/issues/2020-12Dec/auth-route-YNQAQKJS.md @@ -98,7 +98,7 @@ stronger is ready. - (X) Clean up scraper endpoint - (X) Add (almost) end-to-end tests for test scraper endpoint - (X) Thread server endpoints through relay scraper auth -- ( ) Add tests for other scraper endpoints +- (don't care) Add tests for other scraper endpoints - (don't care) Factor v1 API into v1 module - (X) Add real scraper endpoints - ( ) Manually create SQLite DB for scraper keys, add 1 hash @@ -139,6 +139,74 @@ These will all be JSON for now since Python, Rust, C++, C#, etc. can handle it. For compatibility with wget spidering, I _might_ do XML or HTML that's machine-readable. We'll see. +## DB / UI impl + +Sprint 1: + +- Look up keys by their hash +- not_before +- not_after +- name +- X-Email associated with key + +Sprint 2: + +- UI to generate / revoke keys + +## SQL schema + +Migration + +``` +create table scraper_keys ( + hash text primary key, -- Using blake3 for this because it's not a password + not_before integer not null, -- Seconds since epoch + not_after integer not null, -- Seconds since epoch + name text not null, -- Human-friendly nickname + email text not null -- Email address that created the key +); +``` + +Look up hash + +``` +select not_before, not_after name, email +from scraper_keys +where + hash = $1 and + strftime ('%s') >= not_before and + strftime ('%s') < not_after +; +``` + +Create key + +``` +-- Generate entropy in app code +insert into scraper_keys ( + hash, + not_before, + not_after, + name, + email +) values ( + $1, + strftime ('%s'), + strftime ('%s') + 2592000, + $4, + $5 +); + +-- Respond to client with plaintext key and then forget it. +-- If a network blip causes the key to evaporate, the client should revoke it. +``` + +Revoke key + +``` + +``` + ## Decision journal **Who generates the API key? The scraper client, or the PTTH relay server?**