tallylab-orbitdb-identity-provider

v1.1.0

Published

TallyLab's OrbitDB plugins for Identity and Access Management

Downloads

5

Readme

TallyLab's OrbitDB Identity Provider (tallylab-orbitdb-identity-provider)

TallyLab's OrbitDB plugins for Identity and Access Management

Background

Building distributed applications (dapps) without a centralized blockchain presents significant difficulties with regard to keypair management: storage, recovery, etc. Keypair management, ultimately, is a UX problem: a tradeoff between security and user convenience.

Other approaches are effective but do not make it easy on the users:

  • Exporting and importing highly randomized keys
  • Deterministic keys based on a strong password or passphrase

Both of the above approaches rely on one or both of the following:

  • The user's own diligence in terms of saving their keys and recovering them, often utilizing a third party service such as Keybase or a password manager that supports keypairs.
  • The user's memory, having to recall a password or passphrase. Oftentimes these are forgotten, or simply have to be stored in the same place as the keypair itself.

To mitigate these issues, TallyLab opted to use a variant of the second approach, using a 32 byte seed to generate keys via the nacl encryption library. However, in TL, the seed is generated from highly personal, memory-based questions, similar to security questions. Each question, while seemingly knowable, combines with the others to produce a set of questions that would be very difficult for anybody else besides the primary user to know.

The answers are then summed together to create the 32 byte seed, which is passed into the TallyLab Identity Provider to allow the user to "authenticate via memory" in a reliable way.

This package does not contain the aforementioned questions and instead handles everything post-generation of the seed. Mainly, the two primary classes, TallyLabAccessController and TallyLabIdentityProvider, act as glue between TallyLab and the underlying OrbitDB infrastructure.

Install

The primary focus for this package is browser usage. To generate the browser libraries:

$ git clone https://github.com/tallylab/tallylab-orbitdb-identity-provider
$ cd tallylab-orbitdb-identity-provider
$ make build

The final files will then be available in the dist/ folder:

  • tallylab-orbitdb-identities.min.js (minified)
  • tallylab-orbitdb-identities.min.js.map (Source map for development purposes)

For a simple example, run npm run example and open your browser to the specified URL.

Usage

This package exposes two items:

  1. TallyLabIdentityProvider
  2. Identities (helper class from OrbitDB not normally exposed)

It is used in TallyLab, in the browser, similarly to the following. See it in action in the examples:

// Requirements: js-nacl, orbit-db-keystore

nacl_factory.instantiate(async (nacl) => {
  const tlIdentities = new TallyLabIdentities()
  console.log(tlIdentities)

  const keystore = Keystore.create()
  await keystore.open()

  // Generate keys, either with or without a seed
  const seed = 'thisisexactlythirtytwocharacters'
  const tlKeys = tlIdentities.TallyLabIdentityProvider.keygen(nacl, seed)
  console.log(tlKeys)

  // Pre-sign with the keystore
  const id = tlKeys.signing.signPk.toString()
  const key = await keystore.getKey(id) || await keystore.createKey(id)

  // Identities work on the basis of cross-signing the OrbitDB and your provided keys
  const idSignature = await keystore.sign(key, id)
  const tlSignature = nacl.crypto_sign(idSignature, tlKeys.signing.signSk)

  // Create an identity with the TallyLabIdentityProvider, and pass in the keystore
  const identity = await tlIdentities.Identities.createIdentity({
    type: 'TallyLab', id, tlSignature, keystore
  })
  console.log(identity)

  console.log(await tlIdentities.TallyLabIdentityProvider.verifyIdentity(identity))
})

Security

In order to test functionality, the automated tests intentionally expose the private signing and encryption keys for the following seeds. Thus, these should be considered fully compromised and should never be used for any users, ever.

  • thisisexactlythirtytwocharacters
  • xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
  • zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
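A seed gate that could run before the keygen call and refuse the four published test seeds listed above. This is an added example, not code from this package; `checkSeed`, `guardedKeygen`, the `MIN_DISTINCT_BYTES` threshold and the choice to measure the seed as UTF-8 bytes are assumptions.

```javascript
// Added example: seed gate to run before TallyLabIdentityProvider.keygen(nacl, seed).
// The four seeds the README declares compromised (their private keys are in the tests).
const COMPROMISED_SEEDS = new Set([
  'thisisexactlythirtytwocharacters',
  'x'.repeat(32),
  'y'.repeat(32),
  'z'.repeat(32)
])

const SEED_BYTES = 32
const MIN_DISTINCT_BYTES = 8 // assumed policy threshold, not taken from the project

// Returns { ok, problems } so a UI can show every reason a seed was refused.
function checkSeed (seed) {
  if (typeof seed !== 'string') return { ok: false, problems: ['seed must be a string'] }
  const problems = []
  // Assumption: the string seed is UTF-8 encoded. Measure bytes, not characters:
  // 32 accented characters are 64 bytes.
  const bytes = new TextEncoder().encode(seed)
  if (bytes.length !== SEED_BYTES) {
    problems.push(`seed is ${bytes.length} bytes, expected ${SEED_BYTES}`)
  }
  if (COMPROMISED_SEEDS.has(seed)) problems.push('seed is a published test seed')
  if (new Set(bytes).size < MIN_DISTINCT_BYTES) problems.push('seed has too few distinct bytes')
  return { ok: problems.length === 0, problems }
}

// Hypothetical wrapper: only forwards to provider.keygen when the seed passes.
function guardedKeygen (provider, nacl, seed) {
  const { ok, problems } = checkSeed(seed)
  if (!ok) throw new Error('refusing seed: ' + problems.join('; '))
  return provider.keygen(nacl, seed)
}

// Constructed sample seed (32 ASCII characters) and a stub standing in for the provider.
const sampleSeed = 'Q7r!mZ2p#Lk9vT4x@Wn6bY1c$Hd8fJ3s'
const stubProvider = { keygen: (nacl, seed) => ({ seedBytes: seed.length }) }
console.log(checkSeed('x'.repeat(32)))
console.log(guardedKeygen(stubProvider, null, sampleSeed))
```

In the browser usage shown earlier, the real provider object would take the place of `stubProvider`.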

Maintainers

Contributing

Issues and PRs are welcome!

Development is streamlined through the make watch command, which watches files and generates documentation, lints, and runs automated tests via the nodemon module.

$ git clone https://bitbucket.org/tallylab/tallylab-orbitdb-iam
$ cd tallylab-orbitdb-iam
$ make watch

The Makefile also provides other useful commands for development such as:

$ make docs       # builds jsdoc for this repo with config in .jsdoc.config.js
$ make link       # lints js files using standard.js
$ make test       # runs automated tests once
$ make clean      # nukes node_modules and package-lock.json
$ make build      # builds browser files and stores them in /dist
$ make rebuild    # nukes node_modules and package-lock.json, and re-installs dependencies

Future Work

  • Access granting and revocation to external keys using OrbitDB instead of IPFS

License

MIT Copyright © 2019-2020 TallyLab, LLC