API RFC

[alexng353]

• organizations
• teams
• services
• sharing between teams, organizations and users
• Server side multi-party encryption

structure

• organizations
  • teams
    • users
    • services
  • services
• users
  • services
  • sharing to other users

[ImLunaHey]

Thoughts on moving the endspoints to something like this?

/envs/:namespace/:id/:key

Where these could be the namespace + id.

service/c7001d79-9803-448e-af21-bee8b494d9e6
user/c7001d79-9803-448e-af21-bee8b494d9e6
team/c7001d79-9803-448e-af21-bee8b494d9e6
org/c7001d79-9803-448e-af21-bee8b494d9e6

This would allow access to either a user's personal keys, a single services, a teams or org wide envs.

[ImLunaHey]

When a user authenticates let's use the user's ID + password for the auth via basic auth header.

When we get the userId + password use them to lookup the encrypted password for the namespace + key they're accessing.

Something like this.

const userId = '123';
const password = '123';
const namespace = 'service';
const namespaceId = 'c7001d79-9803-448e-af21-bee8b494d9e6';
const key = 'NODE_ENV';

const namespacePassword = db
    .selectFrom('namespace_passwords')
    .select('iv')
    .select('salt')
    .select('data')
    .where('userId', '=', userId)
    .where('namespace', '=', namespace)
    .where('namespaceId', '=', namespaceId)
    .executeTakeFirst();

// Now that we have the password for the service we can decrypt it.

const encryptedEnv = await db
    .selectFrom('envs')
    .select('iv')
    .select('salt')
    .select('data')
    .where('namespace', '=', namespace)
    .where('namespaceId', '=', namespaceId)
    .where('key', '=', key)
    .executeTakeFirst();

if (!encryptedEnv) throw new Error('Not found');

const decryptedEnv = {
    key,
    value: decryptEnv(encryptedEnv, namespacePassword),
};

[ImLunaHey]

Hmm, issue with the above is how do we share keys to the other user without knowing their password in advance. 🤔

[ImLunaHey]

Okay, new plan.

[ImLunaHey]

@alexng353

[ImLunaHey]

Thoughts? 🤔

I haven't added anything about encryption since it's all client side now.

// Create user[body:username] -> { username, password }
// Create token[body:username,body:password]  -> { token }
// Create namespace[header:username,header:token] -> { namespaceId }
// Create env[header:username,header:token,param:namespace,param:namespaceId,param:key,body:value] -> 201
// Get env[header:username,header:token,param:namespace,param:namespaceId,param:key] -> { [key]: { namespaceKey, encryptedValue } }
// Create org[header:username,header:token] -> { namespaceId }
// Create team[header:username,header:token] -> { namespaceId }
// Add team to org[header:username,header:token,body:username] -> 201
// Add user to org[header:username,header:token,body:username] -> 201
// Add user to team[header:username,header:token,body:username] -> 201

[alexng353]

// Create token[body:username,body:password] -> { token }
Should this not be header as well? What's different about this route?