
Add a way for premium extension to authenticate themselves to external service #131

Open
clarkwinkelmann opened this issue Mar 6, 2019 · 1 comment

@clarkwinkelmann (Contributor)

Considering the following use case:

A premium extension uses a vendor-controlled API to perform some actions like monitoring, backup or other resource-intensive jobs. This API does not require registration, but it's only intended for use by valid premium extensions bought through flagrow.io. The API might not have any publicly visible pages, with everything happening inside the extension itself.

The API needs to verify the extension is a valid copy of the premium extension.

Additionally, the API might want to check if a single purchase is being used on different forums.

Requiring the use of Bazaar for such a feature makes sense in my opinion. Here's what I'd suggest:

The extension needs a way to get a flagrow.io token to send along to whatever external resources they fetch. It could be an API token, a user ID or purchase ID. The external service can then use the vendor API as suggested in #124 to verify the validity of the purchase.

A more advanced solution could make use of cryptography. Flagrow.io could sign a purchase confirmation payload and send it to Bazaar, so extensions can then use it to authenticate with the vendor, and the vendor can simply use cryptography to verify the authenticity instead of needing an API call to flagrow.io.

Right now it would already be possible to send the Bazaar token as a proof, but this would have some security implications, as it's a write-enabled token, and it would probably be wise to not share it outside of the forum. Also the API is not officially made for use by vendors.

Another solution that might work right now (I have not verified) is that the extension could use the Bazaar token to create a read-only token on flagrow.io, then send that read-only token to the external service.

I think Bazaar should include a method to facilitate this. In any case, we should decide on a recommended way to achieve it, or forbid it if we don't want vendors tinkering with the Bazaar tokens.

Any thoughts?
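A worked sketch of the "signed purchase confirmation" idea from the issue above, added here as an illustration and not code from Bazaar, flagrow.io or any vendor. It assumes a per-vendor secret issued by flagrow.io and uses an HMAC tag instead of the public-key signature the comment suggests; the verification logic (bind the proof to one extension and one forum, expire it, and flag the same purchase showing up from a second forum) is the same either way. The extension name, purchase IDs, forum URLs and key are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed key: in the proposed flow flagrow.io would issue one such secret
# per vendor (or, better, sign with a private key and publish the public key).
VENDOR_KEY = b"example-per-vendor-secret-do-not-reuse"
EXTENSION_ID = "acme/premium-backup"  # hypothetical extension identifier


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_proof(key, purchase_id, extension_id, forum_url, issued_at, ttl=3600):
    """flagrow.io side: bind the purchase to one forum and one extension, and
    give the proof a lifetime so a leaked one is not usable forever."""
    payload = {
        "purchase_id": purchase_id,
        "extension_id": extension_id,
        "forum_url": forum_url,
        "exp": issued_at + ttl,
    }
    body = _b64u(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


class VendorVerifier:
    """Vendor API side: checks proofs offline, no call back to flagrow.io."""

    def __init__(self, key, extension_id):
        self.key = key
        self.extension_id = extension_id
        self.forum_by_purchase = {}  # purchase_id -> forum_url first seen

    def verify(self, proof, request_forum_url, now):
        try:
            body, tag = proof.split(".", 1)
        except ValueError:
            return "malformed"
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        # Authenticate before parsing; constant-time compare on the tag.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "bad-signature"
        try:
            payload = json.loads(_unb64u(body))
        except ValueError:
            return "malformed"
        if not isinstance(payload, dict):
            return "malformed"
        if payload.get("extension_id") != self.extension_id:
            return "wrong-extension"  # proof issued for some other product
        if now >= payload.get("exp", 0):
            return "expired"
        if payload.get("forum_url") != request_forum_url:
            return "forum-mismatch"  # proof presented by a forum it was not issued to
        first = self.forum_by_purchase.setdefault(payload["purchase_id"], request_forum_url)
        if first != request_forum_url:
            return "purchase-reused"  # same purchase, second forum: the check from the issue
        return "ok"
```

The vendor only learns the forum URL the caller claims, so the forum binding is as strong as whatever the vendor uses to identify the calling forum; the useful part is that a single purchase presented from two different forums is visible to the vendor without any round trip to flagrow.io.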

@luceos (Member) commented Mar 6, 2019

I see some valid concerns, I also see several solutions. I'm not too sure crypto would make sense inside the current flow of app vs bazaar, especially related to paid functionality.

Right now the best way for vendors is probably to use the Bazaar token in some way. For flagrow.io it would certainly mean closing down functionality a little better.
