Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Update the w3up-client to send a UCAN request to save the delegation in Cloudflare #193

Closed
Tracked by #158
fforbeck opened this issue Nov 27, 2024 · 1 comment
Closed
Tracked by #158

Update the w3up-client to send a UCAN request to save the delegation in Cloudflare #193

fforbeck opened this issue Nov 27, 2024 · 1 comment
Assignees
@fforbeck

Comments

@fforbeck
Copy link
Member

fforbeck commented Nov 27, 2024
edited
Loading

Gateway Authorization Flow

flowchart TD
    subgraph Client Side
        A[User] -->|Creates Space & Authorizes Gateway| B[w3up-client]
    end
    
    subgraph Cloudflare Workers
        C[Access/Delegate Endpoint]
        F[Freeway Worker]
    end
    
    subgraph KV Storage
        D[Delegations Store]
    end

    B -->|UCAN: access/delegate| C
    C -->|Validates Space & Proof Chain| E[Validate Space Exists & Capability]
    E -->|Stores Valid Delegation| D
    F -->|Retrieves Delegation| D[Delegations Store]
Loading

Explanation

  1. User Interaction: The user interacts with the w3up-client to create a space and authorize the gateway to serve content.

  2. UCAN Invocation: The w3up-client invokes the access/delegate UCAN handler, providing the delegation details ({ space, proofs }). The request is sent to the Cloudflare Access/Delegate Endpoint.

  3. Validation Steps:

    • The endpoint checks whether the space referenced in the delegation has been provisioned.
    • It validates that the delegation matches the expected capability (space/content/serve/*).
    • It ensures the proof chain is valid.

  4. Relevance Check: Only delegations associated with a provisioned space are accepted to prevent unnecessary resource usage and mitigate the risk of DoS attacks.

  5. Storing Delegation: After successful validation, the delegation is stored in the KV Store (Delegations Store) for further use.

  6. Freeway Worker Retrieval: The Freeway Worker retrieves the validated delegations from the KV Store to serve content for authorized spaces.

Key Considerations

  • Mitigating DoS Attacks: By verifying that the space is provisioned before accepting the delegation, we can reduce the risk of abuse from unauthorized or irrelevant requests.
  • Efficiency: This additional validation ensures only relevant delegations are processed and stored, minimizing resource waste.
  • Implementation: Adding a check against the space provisioning status in the Access/Delegate Endpoint can be done efficiently by querying the space registry or relevant provisioning database. I will probably tackle that in a second iteration.
@fforbeck fforbeck mentioned this issue Nov 27, 2024
Closed
2 tasks
@fforbeck fforbeck changed the title (Felipe) Update the w3up-client to save the new delegation in the Delegations Store Update the w3up-client to save the new delegation in the Delegations Store Nov 27, 2024
@fforbeck fforbeck self-assigned this Nov 27, 2024
@fforbeck fforbeck moved this to In Progress in Storacha Project Planning Nov 27, 2024
@fforbeck fforbeck changed the title Update the w3up-client to save the new delegation in the Delegations Store Update the w3up-client to send a UCAN request to save the delegation in Cloudflare Nov 27, 2024
@fforbeck fforbeck mentioned this issue Dec 2, 2024
Closed
@fforbeck
Copy link
Member Author

Done.

# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@fforbeck fforbeck

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fforbeck