feat: content serve authorization (#205)

### Context We must ensure that the space owner delegates the `space/content/serve/*` capability to the Gateway. This delegation allows the Gateway to serve content and log egress events appropriately. ### Changes I've updated the CLI to enable the new gateway content serve authorization flow when creating a space. This is a breaking change because now the user is forced to provide the DIDs of the Content Serve services, and the service endpoint, or skip the authorization flow. ### Related Issues - storacha/project-tracking#158 - storacha/project-tracking#160 - storacha/project-tracking#207 - Resolves storacha/project-tracking#196
storacha · Dec 19, 2024 · 34efff2 · 34efff2
1 parent 49dd5bd
commit 34efff2
Show file tree

Hide file tree

Showing 8 changed files with 247 additions and 185 deletions.
diff --git a/bin.js b/bin.js
@@ -131,7 +131,29 @@ cli
   .option('-c, --customer <email>', 'Billing account email')
   .option('-na, --no-account', 'Skip account setup')
   .option('-a, --account <email>', 'Managing account email')
-  .action(Space.create)
+  .option('-ag, --authorize-gateway-services <json>', 'Authorize Gateways to serve the content uploaded to this space, e.g: \'[{"id":"did:key:z6Mki...","serviceEndpoint":"https://gateway.example.com"}]\'')
+  .option('-nga, --no-gateway-authorization', 'Skip Gateway Authorization')
+  .action((name, options) => {
+    let authorizeGatewayServices = []
+    if (options['authorize-gateway-services']) {
+      try {
+        authorizeGatewayServices = JSON.parse(options['authorize-gateway-services'])
+      } catch (err) {
+        console.error('Invalid JSON format for --authorize-gateway-services')
+        process.exit(1)
+      }
+    }
+
+    const parsedOptions = {
+      ...options,
+      // if defined it means we want to skip gateway authorization, so the client will not validate the gateway services
+      skipGatewayAuthorization: options['gateway-authorization'] === false || options['gateway-authorization'] === undefined,
+      // default to empty array if not set, so the client will validate the gateway services
+      authorizeGatewayServices: authorizeGatewayServices || [],
+    }
+
+    return Space.create(name, parsedOptions)
+  })
 
 cli
   .command('space provision [name]')

diff --git a/can.js b/can.js
@@ -37,11 +37,11 @@ export async function blobAdd(blobPath) {
   }
 
   spinner.start('Storing')
-  const { multihash } = await client.capability.blob.add(blob, {
+  const { digest } = await client.capability.blob.add(blob, {
     receiptsEndpoint: client._receiptsEndpoint.toString()
   })
-  const cid = Link.create(raw.code, multihash)
-  spinner.stopAndPersist({ symbol: '⁂', text: `Stored ${base58btc.encode(multihash.bytes)} (${cid})` })
+  const cid = Link.create(raw.code, digest)
+  spinner.stopAndPersist({ symbol: '⁂', text: `Stored ${base58btc.encode(digest.bytes)} (${cid})` })
 }
 
 /**

diff --git a/index.js b/index.js
@@ -110,7 +110,9 @@ export async function authorize(email, opts = {}) {
 export async function upload(firstPath, opts) {
   /** @type {import('@web3-storage/w3up-client/types').FileLike[]} */
   let files
+  /** @type {number} */
   let totalSize // -1 when unknown size (input from stdin)
+  /** @type {import('ora').Ora} */
   let spinner
   const client = await getClient()
   if (firstPath) {
@@ -246,7 +248,9 @@ export async function remove(rootCid, opts) {
  */
 export async function createSpace(name) {
   const client = await getClient()
-  const space = await client.createSpace(name)
+  const space = await client.createSpace(name, {
+    skipGatewayAuthorization: true
+  })
   await client.setCurrentSpace(space.did())
   console.log(space.did())
 }