1.1.0 • Published 3 years ago

tallylab-orbitdb-identity-provider v1.1.0

Weekly downloads
1
License
MIT
Repository
github
Last release
3 years ago

TallyLab's OrbitDB Identity Provider (tallylab-orbitdb-identity-provider)

TallyLab's OrbitDB plugins for Identity and Access Management

Tests

Table of Contents

Background

Building distributed applications (dapps) without a centralized blockchain presents significant difficulties with regard to keypair management: Storage, recovery, etc. Keypair management, ulitimately, is a UX problem - a tradeoff between security and user convenience.

Other approaches are effective but do not make it easy on the users:

  • Exporting and importing highly randomized keys
  • Deterministic keys based on a strong password or passphrase

Both of the above approaches rely on one or both of the following:

  • The user's own diligence in terms of saving their keys and recovering them, often utilizing a third party service such as Keybase or a password manager that supports keypairs.
  • The user's memory, having to recall a password or passphrase. Often times these are forgotten or simply required to be stored in the same place as the keypair itself.

To mitigate these issues, TallyLab opted to use a variant of the second approach, using a 32 byte seed to generate keys via the nacl encryption library. However, in TL, the seed is generated from highly personal, memory-based questions, similar to security questions. Each question, while seemingly knowable, combines with the others to produce a set of questions that would be very difficult for anybody else besides the primary user to know.

The answers are them summed together to create the 32 byte seed, and then passed into the TallyLab Identity Provider to allow the user to "authenticate via memory" in a reliable way.

This package does not contain the aforementioned questions and instead handles everything post-generation of the seed. Mainly, the two primary classes, TallyLabAccessController and TallyLabIdentityProvider act as glue between TallyLab and the underlying OrbitDB infrastructure.

Install

The primary focus for this package is browser usage. To generate the browser libraries:

$ git clone https://github.com/tallylab/tallylab-orbitdb-identity-provider
$ make build

The final files will then be available in the dist/ folder:

  • tallylab-orbitdb-identities.min.js (minified)
  • tallylab-orbitdb-identities.min.js.map (Source map for development purposes)

For a simple example, run npm run example and open your browser to the specified URL.

Usage

This package exposes two items: 1. TallyLabIdentityProvider 2. Identities (helper class from OrbitDB not normally exposed)

It is used in TallyLab, in the browser, similarly to the following. See it in action in the examples:

// Requirements: js-nacl, orbit-db-keystore

nacl_factory.instantiate(async (nacl) => {
  const tlIdentities = new TallyLabIdentities()
  console.log(tlIdentities)

  const keystore = Keystore.create()
  await keystore.open()

  // Generate keys, either with or without a seed
  const seed = 'thisisexactlythirtytwocharacters'
  const tlKeys = tlIdentities.TallyLabIdentityProvider.keygen(nacl, seed)
  console.log(tlKeys)

  // Pre-sign with the keystore
  const id = tlKeys.signing.signPk.toString()
  const key = await keystore.getKey(id) || await keystore.createKey(id)

  // Identities work on the basis of cross-signing the OrbitDB and your provided keys
  const idSignature = await keystore.sign(key, id)
  const tlSignature = nacl.crypto_sign(idSignature, tlKeys.signing.signSk)

  // Create an identity with the TallyLabIdentityProvider, and pass in the keystore
  const identity = await tlIdentities.Identities.createIdentity({
    type: 'TallyLab', id, tlSignature, keystore
  })
  console.log(identity)

  console.log(await tlIdentities.TallyLabIdentityProvider.verifyIdentity(identity))
})

Security

In order to test functionality, the automated tests intentionally expose the private signing and encryption keys for the following seeds. Thus, these should be considered fully compromised and should never be used for any users, ever.

  • thisisexactlythirtytwocharacters
  • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
  • zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz

Maintainers

Contributing

Issues and PRs are welcome!

Development is streamlined through the make watch command which will watch files and generate documentation, lint, and run automated tests via the nodemon module.

$ git clone https://bitbucket.org/tallylab/tallylab-orbitdb-iam
$ make watch

The Makefile also provides other useful commands for development such as:

$ make docs       # builds jsdoc for this repo with config in .jsdoc.config.js
$ make link       # lints js files using standard.js
$ make test       # runs automated tests once
$ make clean      # nukes node_modules and package-lock.json
$ make build      # builds browser files and stores them in /dist
$ make rebuild    # nukes node_modules and package-lock.json, and re-installs dependencies

Future Work

  • Access granting and revocation to external keys using OrbitDB instead of IPFS

License

MIT Copyright © 2019-2020 TallyLab, LLC