Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client should authorize Gateway to space/content/serve Spaces by default #158

Closed
2 tasks done
Tracked by #135
hannahhoward opened this issue Oct 9, 2024 · 2 comments
Closed
2 tasks done
Tracked by #135

Client should authorize Gateway to space/content/serve Spaces by default #158

hannahhoward opened this issue Oct 9, 2024 · 2 comments
Assignees
@fforbeck

Comments

@hannahhoward
Copy link
Member

hannahhoward commented Oct 9, 2024
edited by fforbeck
Loading

The Uploader says, "I generally want people to access the files I upload, so now that the Gateway will require authorization, I need to authorize it.

Acceptance Criteria

  1. If a user creates a space, then the gateway must be authorized to serve the content of this space. So a new delegation space/content/serve/* must be stored in the Delegations Store (Freeway can learn about space/content/serve/* delegations #160), so the Gateway can find it, validate, and authorize the request.
  2. If the content is served, an egress event must be stored in the egress-traffic-events store in DynamoDB each time the content is requested. Without the proper space/content/serve/* delegation the egress event is not generated.

Main Tasks

Open Questions
@hannahhoward hannahhoward converted this from a draft issue Oct 9, 2024
@hannahhoward hannahhoward changed the title Private Data Initial Steps Delegation Logic in Client for space/content/serve Oct 9, 2024
@hannahhoward hannahhoward changed the title Delegation Logic in Client for space/content/serve Logic in Client to store delegations for space/content/serve Oct 9, 2024
@hannahhoward hannahhoward mentioned this issue Oct 21, 2024
Closed
8 tasks
@Peeja Peeja changed the title Logic in Client to store delegations for space/content/serve Client should authorize Gateway to space/content/serve Spaces by default Oct 29, 2024
@fforbeck fforbeck mentioned this issue Nov 25, 2024
Open
13 tasks
@fforbeck fforbeck self-assigned this Nov 25, 2024
@fforbeck fforbeck moved this from Sprint Backlog to In Progress in Storacha Project Planning Nov 25, 2024
@fforbeck fforbeck mentioned this issue Nov 26, 2024
Merged
@fforbeck
Copy link
Member

fforbeck commented Nov 27, 2024
edited
Loading

Gateway Content Serve Authorization Flow

flowchart TD
    subgraph Client Side
        A[User] -->|Creates Space & Authorizes Gateway| B[w3up-client]
    end
    
    subgraph Cloudflare Workers
        C[Access/Delegate Endpoint]
        F[Freeway Worker]
    end
    
    subgraph KV Storage
        D[Delegations Store]
    end

    B -->|UCAN: access/delegate| C
    C -->|Validates Space & Proof Chain| E[Validate Space Exists & Capability]
    E -->|Stores Valid Delegation| D
    F -->|Retrieves Delegation| D[Delegations Store]
Loading

Explanation

  1. User Interaction: The user interacts with the w3up-client to create a space and authorize the gateway to serve content.

  2. UCAN Invocation: The w3up-client invokes the access/delegate UCAN handler, providing the delegation details ({ space, proofs }). The request is sent to the Cloudflare Access/Delegate Endpoint.

  3. Validation Steps:

    • The endpoint checks whether the space referenced in the delegation has been provisioned.
    • It validates that the delegation matches the expected capability (space/content/serve/*).
    • It ensures the proof chain is valid.

  4. Relevance Check: Only delegations associated with a provisioned space are accepted to prevent unnecessary resource usage and mitigate the risk of DoS attacks.

  5. Storing Delegation: After successful validation, the delegation is stored in the KV Store (Delegations Store) for further use.

  6. Freeway Worker Retrieval: The Freeway Worker retrieves the validated delegations from the KV Store to serve content for authorized spaces.

Key Considerations

  • Mitigating DoS Attacks: By verifying that the space is provisioned before accepting the delegation, we can reduce the risk of abuse from unauthorized or irrelevant requests.
  • Efficiency: This additional validation ensures only relevant delegations are processed and stored, minimizing resource waste.
  • Implementation: Adding a check against the space provisioning status in the Access/Delegate Endpoint can be done efficiently by querying the space registry or relevant provisioning database. I will probably tackle that in a second iteration.

@Peeja Peeja mentioned this issue Nov 29, 2024
Closed
@fforbeck fforbeck assigned fforbeck and unassigned fforbeck and Peeja Dec 2, 2024
@fforbeck fforbeck mentioned this issue Dec 4, 2024
Merged
travis pushed a commit to storacha/w3up that referenced this issue Dec 4, 2024
@fforbeck
feat!: content serve authorization (#1590)
8b553a5 
### Context
To enable a gateway to serve content from a specific space, we must
ensure that the space owner delegates the `space/content/serve/*`
capability to the Gateway. This delegation allows the Gateway to serve
content and log egress events appropriately.

I created a new function `authorizeContentServe` for this implementation
and included it in the `createSpace` flow. This is a breaking change
because now the user is forced to provide the DIDs of the Content Serve
services, and the connection, or skip the authorization flow.

Additionally, with the `authorizeContentServe` function, we can
implement a feature in the Console App that enables users to explicitly
authorize the Freeway Gateway to serve content from existing/legacy
spaces.

### Main Changes
- **New Functionality:** Added a new function, `authorizeContentServe`,
in the `w3up-client` module to facilitate the delegation process.
Integrated it with the `createdSpace` flow.
- **Testing:** Introduced test cases to verify the authorization of
specified gateways.
- **Fixes:** Resolved issues with previously broken test cases (Egress
Record).

### Related Issues
- storacha/project-tracking#158
- storacha/project-tracking#160
@travis travis moved this from In Progress to Done in Storacha Project Planning Dec 4, 2024
@fforbeck
Copy link
Member

fforbeck commented Dec 4, 2024

Done.

@fforbeck fforbeck closed this as completed Dec 4, 2024
fforbeck added a commit to storacha/freeway that referenced this issue Dec 11, 2024
@fforbeck
feat: ucan invocation handler (#133)
b199bfa 
### Context
To enable the gateway to serve content from a specific space, the space
owner must delegate the `space/content/serve/*` capability to the
Gateway. This delegation ensures the Gateway has the authority to serve
the content and log egress events accurately.

This PR introduces a new handler to process POST requests to the
server's root path. The handler acts as a UCAN Invocation handler,
processing `access/delegate` invocations and extracting relevant
delegation proofs. If a delegation proof is valid, it is stored in
Cloudflare KV, allowing other handlers to retrieve and verify the proof
to determine whether content should be served and egress logged.

Note: It doesn't cover the token verification.

### Main Changes
#### **New Functionality**
- Added `withUcanInvocationHandler.js` to process `access/delegate`
invocations:
  - Validates delegation proofs.
- Stores valid proofs in a Cloudflare KV namespace dedicated to `content
serve` delegations.
- Feature Flag: `FF_DELEGATIONS_STORAGE_ENABLED` if enabled, the new
`withDelegationsStorage.js` handler will be used to find delegations in
KV, and the existing `withDelegationsStubs.js` will be disabled.

### Related Issues
- storacha/project-tracking#158
- storacha/project-tracking#160
fforbeck added a commit to storacha/upload-service that referenced this issue Dec 11, 2024
@fforbeck
feat!: content serve authorization (storacha#1590)
0d4513d 
To enable a gateway to serve content from a specific space, we must
ensure that the space owner delegates the `space/content/serve/*`
capability to the Gateway. This delegation allows the Gateway to serve
content and log egress events appropriately.

I created a new function `authorizeContentServe` for this implementation
and included it in the `createSpace` flow. This is a breaking change
because now the user is forced to provide the DIDs of the Content Serve
services, and the connection, or skip the authorization flow.

Additionally, with the `authorizeContentServe` function, we can
implement a feature in the Console App that enables users to explicitly
authorize the Freeway Gateway to serve content from existing/legacy
spaces.

- **New Functionality:** Added a new function, `authorizeContentServe`,
in the `w3up-client` module to facilitate the delegation process.
Integrated it with the `createdSpace` flow.
- **Testing:** Introduced test cases to verify the authorization of
specified gateways.
- **Fixes:** Resolved issues with previously broken test cases (Egress
Record).

- storacha/project-tracking#158
- storacha/project-tracking#160
@fforbeck fforbeck mentioned this issue Dec 11, 2024
Merged
fforbeck added a commit to storacha/upload-service that referenced this issue Dec 11, 2024
@fforbeck
feat!: content serve authorization (storacha#1590)
6f42347 
To enable a gateway to serve content from a specific space, we must
ensure that the space owner delegates the `space/content/serve/*`
capability to the Gateway. This delegation allows the Gateway to serve
content and log egress events appropriately.

I created a new function `authorizeContentServe` for this implementation
and included it in the `createSpace` flow. This is a breaking change
because now the user is forced to provide the DIDs of the Content Serve
services, and the connection, or skip the authorization flow.

Additionally, with the `authorizeContentServe` function, we can
implement a feature in the Console App that enables users to explicitly
authorize the Freeway Gateway to serve content from existing/legacy
spaces.

- **New Functionality:** Added a new function, `authorizeContentServe`,
in the `w3up-client` module to facilitate the delegation process.
Integrated it with the `createdSpace` flow.
- **Testing:** Introduced test cases to verify the authorization of
specified gateways.
- **Fixes:** Resolved issues with previously broken test cases (Egress
Record).

- storacha/project-tracking#158
- storacha/project-tracking#160
@fforbeck fforbeck mentioned this issue Dec 13, 2024
Merged
fforbeck added a commit to storacha/upload-service that referenced this issue Dec 19, 2024
@fforbeck
feat: content serve authorization (storacha#1590) + set default gatew…
6cbb202 
…ay (#99)

To enable a gateway to serve content from a specific space, we must
ensure that the space owner delegates the `space/content/serve/*`
capability to the Gateway. This delegation allows the Gateway to serve
content and log egress events appropriately.

I created a new function `authorizeContentServe` for this implementation
and included it in the `createSpace` flow. This is a breaking change
because now the user is forced to provide the DIDs of the Content Serve
services, and the connection, or skip the authorization flow.

Additionally, with the `authorizeContentServe` function, we can
implement a feature in the Console App that enables users to explicitly
authorize the Freeway Gateway to serve content from existing/legacy
spaces.

- **New Functionality:** 
- Added a new function, `authorizeContentServe`, in the `w3up-client`
module to facilitate the delegation process. Integrated it with the
`createdSpace` flow.
- It also sets the Storacha Gateway as the default content server
service in case the user doesn't provide any in the `createSpace` call,
and doesn't use the `skipGatewayAuthorization=true` flag.
- **Testing:** Introduced test cases to verify the authorization of
specified gateways.
- **Fixes:** Resolved issues with previously broken test cases (Egress
Record).

### Related Issues
- storacha/project-tracking#158
- storacha/project-tracking#160
- storacha/project-tracking#207
- storacha#1604
- Resolves storacha/project-tracking#196
fforbeck added a commit to storacha/w3cli that referenced this issue Dec 19, 2024
@fforbeck
feat: content serve authorization (#205)
34efff2 
### Context
We must ensure that the space owner delegates the
`space/content/serve/*` capability to the Gateway. This delegation
allows the Gateway to serve content and log egress events appropriately.

### Changes
I've updated the CLI to enable the new gateway content serve
authorization flow when creating a space. This is a breaking change
because now the user is forced to provide the DIDs of the Content Serve
services, and the service endpoint, or skip the authorization flow.

### Related Issues
- storacha/project-tracking#158
- storacha/project-tracking#160
- storacha/project-tracking#207
- Resolves storacha/project-tracking#196
This was referenced Jan 9, 2025
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fforbeck fforbeck

Labels
None yet
Projects
Storacha Project Planning
Status: Done
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Peeja @fforbeck @hannahhoward