feat: update access-api ucanto proxy to not need a signer #390

gobengo · 2023-01-23T23:38:58Z

… and not sign proxyInvocation. using features coming in ucanto 4.2.0

Motivation:

Unify UCAN API endpoints #325
simplify access-api ucanto proxy using features added to ucanto in feat: support execution of delegations ucanto#199
- previously, the technique used to proxy the invocation was to issue a new invocation (i.e. proxyInvocation) in the proxy server, and then send that to the upstream. This had at least two limitations:
  1. required the proxy server to be configured with a options.signer to sign the proxyInvocation
  2. for functional use in access-api and proxying upload-api, this proxy options.signer also had to be configured pretty much identically to the ucanto verifier with same did on the upstream, including requiring both to have the same private key
- now
  - you don't need an options.signer at all! so you definitely don't need one creating signatures with the same private key as the upstream

Steps

release ucanto 4.2.0 chore: release main ucanto#200
update this source branch package.json + pnpm locks to upgrade ucanto to 4.2.0
ensure tsc + tests pass here

…yInvocation. using features coming in ucanto 4.2.0

gobengo · 2023-01-28T00:34:12Z

note: this is a superset of #405 , which only does the upgrade to ucanto 4.2.3 that this depends on.

Gozala · 2023-01-28T02:21:33Z

packages/access-api/src/ucanto/proxy.js

-        [proxyInvocation],
-        /** @type {Client.ConnectionView<any>} */ (connection)
+        [await invocation.delegate()],
+        connection


I would expect you to be able to just pass invocation without having to call .delegate()

hugomrdias

LGTM can we remove the connections code in a follow up PR ? we should just need one single connection to upload api for these proxied invocations right ?

Motivation: * upgrade to latest ucanto * unblock #390

gobengo · 2023-01-30T22:33:03Z

can we remove the connections code in a follow up PR ? we should just need one single connection to upload api for these proxied invocations right ?

@hugomrdias Yes. I made this to echo back what I think you're asking for. #406
Let's align over there

🤖 I have created a release *beep* *boop* --- ## [4.9.0](access-api-v4.8.0...access-api-v4.9.0) (2023-01-30) ### Features * access-api handling store/info for space not in db returns failure with name ([#391](#391)) ([9610fcf](9610fcf)) * update @ucanto/* to ~4.2.3 ([#405](#405)) ([50c0c80](50c0c80)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([71cbeb7](71cbeb7)) ### Bug Fixes * make tests use did:web everywhere ([#397](#397)) ([c7d5c34](c7d5c34)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- ## [5.4.0](upload-client-v5.3.0...upload-client-v5.4.0) (2023-01-30) ### Features * update @ucanto/* to ~4.2.3 ([#405](#405)) ([50c0c80](50c0c80)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([71cbeb7](71cbeb7)) ### Bug Fixes * use nullish coalescing for audience ([#319](#319)) ([a1d5ecf](a1d5ecf)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- ## [2.2.0](capabilities-v2.1.0...capabilities-v2.2.0) (2023-01-30) ### Features * access-api forwards store/ and upload/ invocations to upload-api ([#334](#334)) ([b773376](b773376)) * **capabilities:** implement access/authorize and ./update caps ([#387](#387)) ([4242ce0](4242ce0)), closes [#385](#385) * embedded key resolution ([#312](#312)) ([4da91d5](4da91d5)) * update @ucanto/* to ~4.2.3 ([#405](#405)) ([50c0c80](50c0c80)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([71cbeb7](71cbeb7)) ### Bug Fixes * fix client cli service did resolve ([#292](#292)) ([6be9608](6be9608)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- ## [9.3.0](access-v9.2.0...access-v9.3.0) (2023-01-30) ### Features * access-api forwards store/ and upload/ invocations to upload-api ([#334](#334)) ([b773376](b773376)) * access-api handling store/info for space not in db returns failure with name ([#391](#391)) ([9610fcf](9610fcf)) * update @ucanto/* to ~4.2.3 ([#405](#405)) ([50c0c80](50c0c80)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([71cbeb7](71cbeb7)) ### Bug Fixes * remove unecessary awaits ([#352](#352)) ([64da6e5](64da6e5)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Motivation: * upgrade to latest ucanto * unblock #390

… and not sign proxyInvocation. using features coming in ucanto 4.2.0 Motivation: * #325 * simplify access-api ucanto proxy using features added to ucanto in storacha/ucanto#199 * previously, the technique used to proxy the invocation was to issue a new invocation (i.e. `proxyInvocation`) in the proxy server, and then send that to the upstream. This had at least two limitations: 1. required the proxy server to be configured with a `options.signer` to sign the `proxyInvocation` 2. for functional use in access-api and proxying upload-api, this proxy `options.signer` also had to be configured pretty much identically to the ucanto verifier with same did on the upstream, including requiring both to have the same private key * now * you don't need an `options.signer` at all! so you definitely don't need one creating signatures with the same private key as the upstream Steps * [x] release ucanto 4.2.0 storacha/ucanto#200 * [x] update this source branch package.json + pnpm locks to upgrade ucanto to 4.2.0 * [x] ensure `tsc` + tests pass here

🤖 I have created a release *beep* *boop* --- ## [4.9.0](access-api-v4.8.0...access-api-v4.9.0) (2023-01-30) ### Features * access-api handling store/info for space not in db returns failure with name ([#391](#391)) ([665dac9](665dac9)) * update @ucanto/* to ~4.2.3 ([#405](#405)) ([ec39443](ec39443)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([163fb74](163fb74)) ### Bug Fixes * make tests use did:web everywhere ([#397](#397)) ([00be288](00be288)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- ## [5.4.0](upload-client-v5.3.0...upload-client-v5.4.0) (2023-01-30) ### Features * update @ucanto/* to ~4.2.3 ([#405](#405)) ([ec39443](ec39443)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([163fb74](163fb74)) ### Bug Fixes * use nullish coalescing for audience ([#319](#319)) ([7e90085](7e90085)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- ## [2.2.0](capabilities-v2.1.0...capabilities-v2.2.0) (2023-01-30) ### Features * access-api forwards store/ and upload/ invocations to upload-api ([#334](#334)) ([6be7217](6be7217)) * **capabilities:** implement access/authorize and ./update caps ([#387](#387)) ([ebe1032](ebe1032)), closes [#385](#385) * embedded key resolution ([#312](#312)) ([45f367d](45f367d)) * update @ucanto/* to ~4.2.3 ([#405](#405)) ([ec39443](ec39443)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([163fb74](163fb74)) ### Bug Fixes * fix client cli service did resolve ([#292](#292)) ([45e7ad4](45e7ad4)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

🤖 I have created a release *beep* *boop* --- ## [9.3.0](access-v9.2.0...access-v9.3.0) (2023-01-30) ### Features * access-api forwards store/ and upload/ invocations to upload-api ([#334](#334)) ([6be7217](6be7217)) * access-api handling store/info for space not in db returns failure with name ([#391](#391)) ([665dac9](665dac9)) * update @ucanto/* to ~4.2.3 ([#405](#405)) ([ec39443](ec39443)) * update access-api ucanto proxy to not need a signer ([#390](#390)) ([163fb74](163fb74)) ### Bug Fixes * remove unecessary awaits ([#352](#352)) ([2e8c1a1](2e8c1a1)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

gobengo mentioned this pull request Jan 23, 2023

chore: release main storacha/ucanto#200

Merged

gobengo changed the title ~~update access-api ucanto proxy to not need a signer~~ feat: update access-api ucanto proxy to not need a signer Jan 23, 2023

gobengo mentioned this pull request Jan 23, 2023

access-api ucanto proxy services should make use of new ucanto connection support #383

Closed

gobengo requested a review from Gozala January 24, 2023 00:51

update @ucanto/* to ~4.2.3

0ea806a

gobengo mentioned this pull request Jan 28, 2023

feat: update @ucanto/* to ~4.2.3 #405

Merged

update access-api ucanto proxy to not need a signer and not sign prox…

35acf3d

…yInvocation. using features coming in ucanto 4.2.0

gobengo force-pushed the 1674516319-ucanto-upgrade-forproxy branch from 787d282 to 35acf3d Compare January 28, 2023 00:30

gobengo temporarily deployed to dev January 28, 2023 00:31 — with GitHub Actions Inactive

gobengo marked this pull request as ready for review January 28, 2023 00:32

gobengo requested a review from hugomrdias January 28, 2023 00:34

Gozala approved these changes Jan 28, 2023

View reviewed changes

hugomrdias approved these changes Jan 30, 2023

View reviewed changes

gobengo added a commit that referenced this pull request Jan 30, 2023

feat: update @ucanto/* to ~4.2.3 (#405)

50c0c80

Motivation: * upgrade to latest ucanto * unblock #390

gobengo mentioned this pull request Jan 30, 2023

upload-api-proxy should only proxy an environment specific invocation audience, not both staging and prod DIDs #406

Open

3 tasks

gobengo merged commit 71cbeb7 into main Jan 30, 2023

gobengo deleted the 1674516319-ucanto-upgrade-forproxy branch January 30, 2023 22:33

This was referenced Jan 30, 2023

chore(main): release access-api 4.9.0 #400

Merged

chore(main): release access 9.3.0 #346

Merged

chore(main): release upload-client 5.4.0 #396

Merged

chore(main): release capabilities 2.2.0 #299

Merged

gobengo mentioned this pull request Jan 30, 2023

feat: rm upload-api-proxy ability to route to separate environment audiences #407

Merged

it-dag-house mentioned this pull request Mar 23, 2023

chore(main): release access-api 11.0.0-rc.0 #620

Closed

gobengo added a commit that referenced this pull request Apr 11, 2023

feat: update @ucanto/* to ~4.2.3 (#405)

ec39443

Motivation: * upgrade to latest ucanto * unblock #390

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: update access-api ucanto proxy to not need a signer #390

feat: update access-api ucanto proxy to not need a signer #390

gobengo commented Jan 23, 2023 •

edited

Loading

gobengo commented Jan 28, 2023

Gozala Jan 28, 2023

hugomrdias left a comment

gobengo commented Jan 30, 2023

feat: update access-api ucanto proxy to not need a signer #390

feat: update access-api ucanto proxy to not need a signer #390

Conversation

gobengo commented Jan 23, 2023 • edited Loading

gobengo commented Jan 28, 2023

Gozala Jan 28, 2023

Choose a reason for hiding this comment

hugomrdias left a comment

Choose a reason for hiding this comment

gobengo commented Jan 30, 2023

gobengo commented Jan 23, 2023 •

edited

Loading