@m-ld/m-ld - v0.8.2
Options
All
  • Public
  • Public/Protected
  • All
Menu

The m-ld Access Control List (m-ld ACL) extensions provide authorisation controls on a m-ld domain using principals (users) and permissions registered in the domain data.

Domain Installation

The extensions are installed in a domain by writing metadata into the domain using the provided static declaration. This only needs to be done once, typically by the app instance that creates the domain, having instantiated a 'genesis' clone. The metadata includes a global AES secret key used to encrypt operation messages.

For example, assuming a m-ld clone object:

await clone.write(MeldAclExtensions.declare(0, 'test.m-ld.org', randomBytes(16)));

The @m-ld/m-ld/dist/security code module must be available to a global CommonJS-style require method in all clones using the Javascript engine.

  • In Node.js, the module is packaged in @m-ld/m-ld; no additional configuration is required.
  • In the browser, require is typically provided by the bundler. Since the module will be loaded dynamically, the bundler may need to be configured to guarantee the module is bundled, since it may not be referenced statically by any code.

🚧 ES6 modules will be supported in a future release.

Clone Initialisation

For every clone, the following must be provided to the clone initialisation function as members of the MeldApp:

  1. An instance of the MeldAclTransportSecurity class, as the transportSecurity member (this is because transport security must be available to the clone before it can connect to an access-controlled domain).
  2. An AppPrincipal object as the principal member, which represents the current logged-in user. This object will sign data using RSASSA-PKCS1-v1_5 on the extension's request.

In the example code in the Principals section, this would be performed using aliceKeys.privateKey:

sign = (data: Buffer) => createSign('RSA-SHA256')
  .update(data).sign(aliceKeys.privateKey)

Registering Principals (Users)

This extension requires each authorised principal to be written into the domain, having an identity and RSA public key.

The following illustrates how to register a principal, using the Node.js crypto module:

const aliceKeys = generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'der' },
  privateKeyEncoding: { type: 'pkcs1', format: 'pem' }
});
await clone.write(MeldAclExtensions.registerPrincipal(
  'https://alice.example/profile#me', aliceKeys.publicKey));
experimental

Hierarchy

  • MeldAclExtensions

Implements

Index

Methods

Methods

Static declare

  • declare(priority: number, domainName: string, aesKey: Buffer): Write

  • Extension declaration. Insert into the domain data to install the extension. For example (assuming a m-ld clone object):

    clone.write(MeldAclExtensions.declare(0, 'test.m-ld.org', randomBytes(16)));

    Parameters

    • priority: number

      the preferred index into the existing list of extensions (lower value is higher priority).

    • domainName: string

      as declared in the MeldConfig of the clone

    • aesKey: Buffer

      a raw AES key, e.g. randomBytes(32)

    Returns Write

Static registerPrincipal

  • registerPrincipal(principalIri: Iri, rsaPublicKeySpki: Buffer): Write

  • Use to register each principal with access to the domain, for example (assuming a m-ld clone object):

    clone.write(MeldAclTransportSecurity.registerPrincipal(
  'https://alice.example/profile#me', alicePublicKeySpki));

    Parameters

    • principalIri: Iri

      the principal's identity. As for all domain data, the principal's IRI can be relative (e.g. 'fred').

    • rsaPublicKeySpki: Buffer

      DER & SPKI encoded public key belonging to the principal

    Returns Write

Legend

  • Constructor
  • Property
  • Method
  • Constructor
  • Property
  • Method
  • Inherited constructor
  • Inherited property
  • Protected method
  • Static method

Generated using TypeDoc. Delivered by Vercel. @m-ld/m-ld - v0.8.2 Source code licensed MIT. Privacy policy