View Page

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
software:monolith:user-qr [2026/01/05 01:55] – define USER_ID diamondsoftware:monolith:user-qr [2026/01/05 02:22] (current) – run prettier diamond
Line 17: Line 17:
 - Encodes at minimum the user ID and username - Encodes at minimum the user ID and username
 - Robust at allowing users to change username - Robust at allowing users to change username
-- Allow insecure/non-critical systems to obtain embedded information *without* computation/verification if needed for low-power/embedded purposes+- Allow insecure/non-critical systems to obtain embedded information _without_ computation/verification if needed for low-power/embedded purposes
 - Allow secure verification using remote server to obtain additional, more secretive information about current user (e.g., list of groups or avatar URL) - Allow secure verification using remote server to obtain additional, more secretive information about current user (e.g., list of groups or avatar URL)
 - QR Code must be small (has at most 4 eyes in most cases, rather than 9 eyes or more) - QR Code must be small (has at most 4 eyes in most cases, rather than 9 eyes or more)
Line 63: Line 63:
 - The user's role is `admin`, meaning they belong in the `dma-admins` IdP group - The user's role is `admin`, meaning they belong in the `dma-admins` IdP group
 - The claims dates back to January 1st, 2026 - The claims dates back to January 1st, 2026
- 
  
 ### Signature Type and Part ### Signature Type and Part
Line 88: Line 87:
 ### Implementation and Example ### Implementation and Example
  
-The following function implements the algorithm in Go using a fake random source to generate the Ed25519 key (INSECURE):+The following function implements the algorithm in Go using a fake random source to generate the Ed25519 key (INSECURE) [aasadasds][asdasdasd]:
  
 ```go ```go
Line 123: Line 122:
 ### Frontend Server Design ### Frontend Server Design
  
-The frontend server must be able to handle `/QR` paths and perform a redirection to the Monolith API server's `GET /api/qr` endpoint.+The frontend server must be able to handle `/QR` paths and perform a redirection to the Monolith API server's `GET /api/qr` endpoint. The query string must be kept as-is.
  
 ### Verification Server Design ### Verification Server Design
  
 This section is not finalized. This section is not finalized.
 +
 +Proposed endpoints:
 +
 +- `/qr/*`: same as `/QR/*`
 +- `/QR/keys.json`: returns the public keys that are used to sign
 +- `/QR/<CODE>`: redirect to user-specific page or custom URL if we don't have this feature yet. This allows any user to scan this code as normal and be redirected to a nice webpage.
 +- `/QR/<CODE>/verify`: verify the signature ONLY (any client can verify themselves using the public key).
 +- `/QR/<CODE>/claims`: verify the signature and return the additional user claims.
  
 ```sh ```sh
-curl -X GET "https://dma.space/QR/LMYTAMBMEJWWK33XNVSW653NMVXXO3LFN53W2ZLPO4RCYITNMVWWEZLSEJOQ.ED25519:V2OZNQJDFNNUJ26XOFY5SEKIG73RNGJJ7AI7YDTHD77V7VGTSXQA4MYH2KZIJT6RB7WAFZUU5DCMFEAB2KL5HZQG27HD7AZZGLPUAAI"+curl -X GET "HTTPS://DMA.SPACE/QR/10:MRUWC3LPNZSA:ADMIN:2026-01-01.ED25519:7CSS7U7C2BJM3Z3MXYENYNSBUWZRS3BGT4YWX4DXTMDBOWUABFBT4REZSKJ4FCVTFXCFY6A2WNOUIMIR3HHGLQT5CNA5ZABNOBPBMBY/verify" 
 +
 +  "valid": true 
 +
 + 
 +$ curl -X GET "HTTPS://DMA.SPACE/QR/10:MRUWC3LPNZSA:ADMIN:2026-01-01.ED25519:7CSS7U7C2BJM3Z3MXYENYNSBUWZRS3BGT4YWX4DXTMDBOWUABFBT4REZSKJ4FCVTFXCFY6A2WNOUIMIR3HHGLQT5CNA5ZABNOBPBMBY/claims"
 { {
   "valid": true,   "valid": true,
-  "qr_claims": [10, "diamond", "admin"], +  "claims": {
-  "auth_claims": {+
     "sub": 10,     "sub": 10,
     "username": "diamond",     "username": "diamond",
Line 151: Line 162:
  
 However, the QR code can still be copied or stolen from others, so the whole system is not perfect and should not be used to gate access to critical things. However, the QR code can still be copied or stolen from others, so the whole system is not perfect and should not be used to gate access to critical things.
 +