Serving secrets

Hey, this is kind of a specific question, apologies. So I have a need to serve a public/private key pair, but only to someone who knows the right password. Thinking about this in Fauna, I could make a collection secrets that contains the keys, then create a role that gives permission to read just a single document in secrets, then the user would enter a password and they would have that role… I think that’s right. Is that an ok way to go about this? The part between entering a password and getting read permission is confusing to me. I’m not sure how that maps to FQL statements.

You could reuse components of Fauna’s login building blocks for that with some creativity.

Store the password:

In this case, I would suggest you look at credentials in the docs which allow you to put a password on any document. Credentials are encrypted and never returned.

Verify the password & create a token

Verifying a password of a document can be done with Identify/Identity. You would then create a Token for that document (either by using Identity() or by creating the token manually after using Identify()).

Provide privileges to the token with a role

Then you would write a role with membership (take a look at membership in the docs). Membership defines which documents (and therefore the tokens linked to a document) receive the privileges of the role. In the privileges you can use a custom Lambda that specifies that it can only read itself. Something in the vein of:

CreateRole({
  name: "can_read_keypair",
  membership: [
    // ...
  ],
  privileges: [
    {
      resource: Collection("..your collection.."),
      actions: {
        read: Query(Lambda(ref=>
          Equals(ref, Identity())
        )),
      }
    }
  ]
})

Use the token

Then use the token to get access to the keypair (by creating a Fauna client with that specific secret). If you will have multiple keypairs accessible by the same user with the same password, you would add a second collection ‘accounts’ and would then link accounts to keypairs… in which case you have a regular login system.
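The four steps above carried through end to end in FQL, added here as an illustration rather than taken from the answer or from Fauna’s own documentation; the collection name "secrets", the role name, the document id placeholders and the key material are assumptions.

```fql
// 1. Collection holding the key pairs: the keys live in `data`, the password in `credentials`.
CreateCollection({ name: "secrets" })

// 2. One document per key pair. `credentials.password` is hashed by Fauna and is never
//    returned by Get(). The key values here are constructed placeholders.
Create(Collection("secrets"), {
  data: {
    name: "signing-key",
    public_key: "PLACEHOLDER_PUBLIC_KEY",
    private_key: "PLACEHOLDER_PRIVATE_KEY"
  },
  credentials: { password: "correct horse battery staple" }
})

// 3. Role: every document in `secrets` is a member, but a token may only read the one
//    document it was issued for. Identity() resolves to the document ref behind the
//    current token (newer FQL spells this CurrentIdentity()).
CreateRole({
  name: "can_read_keypair",
  membership: { resource: Collection("secrets") },
  privileges: [
    {
      resource: Collection("secrets"),
      actions: {
        read: Query(Lambda("ref", Equals(Var("ref"), Identity())))
      }
    }
  ]
})

// 4. Exchange the password for a token. Login() checks the password against `credentials`
//    and returns { ref, ts, instance, secret }; only `secret` needs to reach the caller.
//    Identify(ref, password) returns just true/false if you prefer to mint the token yourself.
Login(Ref(Collection("secrets"), "<document id from step 2>"), {
  password: "correct horse battery staple"
})

// 5. Run with a client built from that secret: only the matching document is readable.
Get(Ref(Collection("secrets"), "<document id from step 2>"))   // ok: data without credentials
Get(Ref(Collection("secrets"), "<id of any other document>"))  // rejected: permission denied

// 6. Revoke access when done (run with the token's secret); `true` invalidates every
//    token issued for this identity, `false` only the current one.
Logout(true)
```

Note that only the password is hashed: the private key in `data` is stored as-is and is readable by any admin or server key, so the role above limits what a password holder can read, not what the database owner can.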