Egress is authorized with UCAN (stubbed) #126
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fforbeck
reviewed
Nov 5, 2024
| // Look up delegations that might authorize us to serve the content. | ||
| const relevantDelegationsResult = await ctx.delegationsStorage.find({ | ||
| audience: ctx.gatewayIdentity.did(), | ||
| can: 'space/content/serve', |
There was a problem hiding this comment.
Suggestion: Importing the definition from the capability directly simplifies future refactoring:
Suggested change
| can: 'space/content/serve', | |
| can: [serve.can], |
fforbeck
reviewed
Nov 5, 2024
| expect(error.message).to.equal('Not Found') | ||
| }) | ||
|
|
||
| it('should serve a found CID when stored in multiple Spaces', async () => { |
`Buffer` is not available in the worker
fforbeck
reviewed
Nov 5, 2024
| * operations related to serving content owned by the Space, including actually | ||
| * serving it and recording egress charges. | ||
| */ | ||
| export const star = capability({ |
There was a problem hiding this comment.
suggestion: I've released the new version of the w3up capabilities package in case you want to use the new space/content/serve/* from that lib.
fforbeck
pushed a commit
that referenced
this pull request
Nov 6, 2024
Implements the UCAN validation for egress, except: can't yet get Spaces from the Indexing Service or get/store delegations, but both are stubbed so we can build from here. 1. Start with a Freeway URL, like `https://bafybeib7l5an3dsnr65gvei4n3x64ihlqkhg4iytcrlyxkbse6m5e6zufm.ipfs.w3s.link`. * To test on localhost, convert from a subdomain gateway URL to a path gateway URL—eg, `http://localhost:8787/ipfs/bafybeib7l5an3dsnr65gvei4n3x64ihlqkhg4iytcrlyxkbse6m5e6zufm` 2. Grab the Space's DID. (This doesn't actually have to be the correct Space, as long as it's consistent, since we're stubbing the Space lookup *and* the delegation store.) 3. Make sure you're logged into the `w3` CLI. 4. Run `node scripts/delegate-serve.js <space-did> | pbcopy` to copy a `base64url` delegation string. * Or, use `node scripts/delegate-serve.js <space-did> <token> | pbcopy` to require a token. 5. Add `?stub_space=<space-did>&stub_delegation=<delegation>` to the URL. * Add `authToken=<token>` if a token was required. 6. The content should load! * If the token does not match, it shouldn't load. * If the Space does not match, it shouldn't load. * If the delegation is missing, it shouldn't load. * If additional delegations are provided, it should still load. * **`stub_space`:** The Space DID to "find" the content in. The lookup will really locate the content, but will add the given Space to whatever results it gets back. * **`stub_delegation`:** A delegation to add to the "delegation store" for the request, `.archive()`ed to a CAR and `base64url`ed. May be given multiple times to add multiple delegations. Every call to `delegationsStore.find()` will find all given delegations. - [x] Update to new ability names and wildcard delegation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements the UCAN validation for egress, except: can't yet get Spaces from the Indexing Service or get/store delegations, but both are stubbed so we can build from here.
To test/use:
https://bafybeib7l5an3dsnr65gvei4n3x64ihlqkhg4iytcrlyxkbse6m5e6zufm.ipfs.w3s.link.http://localhost:8787/ipfs/bafybeib7l5an3dsnr65gvei4n3x64ihlqkhg4iytcrlyxkbse6m5e6zufmw3CLI.node scripts/delegate-serve.js <space-did> | pbcopyto copy abase64urldelegation string.node scripts/delegate-serve.js <space-did> <token> | pbcopyto require a token.?stub_space=<space-did>&stub_delegation=<delegation>to the URL.authToken=<token>if a token was required.The Stubs
stub_space: The Space DID to "find" the content in. The lookup will really locate the content, but will add the given Space to whatever results it gets back.stub_delegation: A delegation to add to the "delegation store" for the request,.archive()ed to a CAR andbase64urled. May be given multiple times to add multiple delegations. Every call todelegationsStore.find()will find all given delegations.Remaining