Serving secrets

Help
,
1

Hey, this is kind of a specific question, apologies. So i have a need to serve a public/private key pair, but only to someone who knows the right password. Thinking about this in fauna, I could make a collection secrets that contains the keys, then create a role that gives permission to read just a single document in secrets, then the user would enter a password and they would have that role… i think that’s right. Is that an ok way to go about this? The part between entering a password and getting read permission is confusing to me. I’m not sure how that maps to FQL statements

2

You could reuse components of Fauna’s login building blocks for that with some creativity.

Store the password:

In this case, I would suggest you look at credentials in the docs which allow you to put a password on any document. Credentials are encrypted and never returned.

Verify the password & create a token

verifying a password of a document can be done with Identify/Identity. You would then create a Token for that document (either by using the identity() or by creating the token manually after using identify())

Provide privileges to the token with a role

Then you would write a role with membership (take a look at membership in the docs). Membership defines which documents (and therefore the tokens linked to a document) receive the privileges of the role. In the privileges you can use a custom Lambda that specifies that it can only read itself. Something in the vein of:

CreateRole({
  name: "can_read_keypair",
  membership: [
    // ...
  ],
  privileges: [
    {
      resource: Collection("..your collection.."),
      actions: {
        read: Query(Lambda(ref=>
          Equals(ref, Identity())
        )),
      }
    }
  ]
})

Use the token

Then use the token to get access to the keypair (by creating a fauna client with that specific secret). If you will have multiple keypairs accessible by the same user with same password you would add a second collection ‘accounts’ and would then link accounts to keypairs… in which case you have a regular login system.

3

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.