Differences

This shows you the differences between two versions of the page.

--- software:monolith:user-qr [2026/01/05 01:50] – fix subheading link diamond
+++ software:monolith:user-qr [2026/01/05 02:22] (current) – run prettier diamond
@@ Line 1: / Line 1: @@
-# User QR Protocol
+# User QR Encoding
 This document formally defines a QR Code format that encodes the minimum identifiable user information for use by other services.
@@ Line 17: / Line 17: @@
 - Encodes at minimum the user ID and username
 - Robust at allowing users to change username
-- Allow insecure/non-critical systems to obtain embedded information *without* computation/verification if needed for low-power/embedded purposes
+- Allow insecure/non-critical systems to obtain embedded information _without_ computation/verification if needed for low-power/embedded purposes
 - Allow secure verification using remote server to obtain additional, more secretive information about current user (e.g., list of groups or avatar URL)
 - QR Code must be small (has at most 4 eyes in most cases, rather than 9 eyes or more)
-## QR Code Design
+## Designs
+### QR Code
 The QR Code encodes a string encoded in Alphanumeric mode. The string must implement this syntax:
@@ Line 39: / Line 41: @@
 ```
 CLAIMS_PART := USER_ID ':' USERNAME_BASE32 ':' USER_ROLE ':' ISSUED_DATE
+USER_ID     := /[0-9]+/
 USER_ROLE   := 'ADMIN' | 'MEMBER' | '_'
 ISSUED_DATE := YEAR '-' MONTH '-' DATE
@@ Line 60: / Line 63: @@
 - The user's role is `admin`, meaning they belong in the `dma-admins` IdP group
 - The claims dates back to January 1st, 2026
 ### Signature Type and Part
@@ Line 85: / Line 87: @@
 ### Implementation and Example
-The following function implements the algorithm in Go using a fake random source to generate the Ed25519 key (INSECURE):
+The following function implements the algorithm in Go using a fake random source to generate the Ed25519 key (INSECURE) [aasadasds][asdasdasd]:
 ```go
@@ Line 118: / Line 120: @@
 ```
-## Frontend Server Design
+### Frontend Server Design
-The frontend server must be able to handle `/QR` paths and perform a redirection to the Monolith API server's `GET /api/qr` endpoint.
+The frontend server must be able to handle `/QR` paths and perform a redirection to the Monolith API server's `GET /api/qr` endpoint. The query string must be kept as-is.
-## Verification Server Design
+### Verification Server Design
 This section is not finalized.
+Proposed endpoints:
+- `/qr/*`: same as `/QR/*`
+- `/QR/keys.json`: returns the public keys that are used to sign
+- `/QR/<CODE>`: redirect to user-specific page or custom URL if we don't have this feature yet. This allows any user to scan this code as normal and be redirected to a nice webpage.
+- `/QR/<CODE>/verify`: verify the signature ONLY (any client can verify themselves using the public key).
+- `/QR/<CODE>/claims`: verify the signature and return the additional user claims.
 ```sh
-curl -X GET "https://dma.space/QR/LMYTAMBMEJWWK33XNVSW653NMVXXO3LFN53W2ZLPO4RCYITNMVWWEZLSEJOQ.ED25519:V2OZNQJDFNNUJ26XOFY5SEKIG73RNGJJ7AI7YDTHD77V7VGTSXQA4MYH2KZIJT6RB7WAFZUU5DCMFEAB2KL5HZQG27HD7AZZGLPUAAI"
+$ curl -X GET "HTTPS://DMA.SPACE/QR/10:MRUWC3LPNZSA:ADMIN:2026-01-01.ED25519:7CSS7U7C2BJM3Z3MXYENYNSBUWZRS3BGT4YWX4DXTMDBOWUABFBT4REZSKJ4FCVTFXCFY6A2WNOUIMIR3HHGLQT5CNA5ZABNOBPBMBY/verify"
+{
+  "valid": true
+}
+$ curl -X GET "HTTPS://DMA.SPACE/QR/10:MRUWC3LPNZSA:ADMIN:2026-01-01.ED25519:7CSS7U7C2BJM3Z3MXYENYNSBUWZRS3BGT4YWX4DXTMDBOWUABFBT4REZSKJ4FCVTFXCFY6A2WNOUIMIR3HHGLQT5CNA5ZABNOBPBMBY/claims"
 {
   "valid": true,
-  "qr_claims": [10, "diamond", "admin"],
+  "claims": {
-  "auth_claims": {
     "sub": 10,
     "username": "diamond",
@@ Line 148: / Line 162: @@
 However, the QR code can still be copied or stolen from others, so the whole system is not perfect and should not be used to gate access to critical things.