We remove the local<->eauth switching tabs entirely. The only way to see
the eauth login page is if the url contains an "eauth" query parameter.
(Entering the local ship name into the eauth form still brings you to
the normal login screen.)
The "proceed as guest" blurp no longer shows the guest identity, and we
clarify the language to indicate that it is not guaranteed to result in
access to content.
Both of those changes help simplify the look and feel of the login page.
Various users had complained that it was confusing, given that logging
into your own ship is still the common case, and not everyone knows what
"euauth" is.
For applications redirecting to the login page, it is still recommended
to add the ?eauth GET parameter if non-local sessions are supported. For
applications that don't it should now be more obvious that logging in
through eauth won't do anything (since it's not presented as an option).
We also remove some debugging prints that somehow remained in the
javascript.
We remove the local<->eauth switching tabs entirely. The only way to see
the eauth login page is if the url contains an "eauth" query parameter.
(Entering the local ship name into the eauth form still brings you to
the normal login screen.)
The "proceed as guest" blurp no longer shows the guest identity, and we
clarify the language to indicate that it is not guaranteed to result in
access to content.
Both of those changes help simplify the look and feel of the login page.
Various users had complained that it was confusing, given that logging
into your own ship is still the common case, and not everyone knows what
"euauth" is.
For applications redirecting to the login page, it is still recommended
to add the ?eauth GET parameter if non-local sessions are supported. For
applications that don't it should now be more obvious that logging in
through eauth won't do anything (since it's not presented as an option).
We also remove some debugging prints that somehow remained in the
javascript.
XML files can have only one <?xml ... ?> declaration, however they may have more than one <?xml-... ... ?> tag.
Commonly, there will be an <?xml-stylesheet ... ?> tag on RSS feeds.
This commit allows for that.
Contrary to the argument made by 4affae8, this is the _actually correct_
behavior. Not creating server-side resources in response to GETs
respects the expected method semantics, and more importantly, serving a
404 is an important signal for clients trying to connect to a channel
they were using previously. Without that, they have no way of telling
whether, when reconnecting, if their channel was reaped in the mean time
or not.
The "empty PUT" affordance provided by 34148f9 makes requiring a PUT
request for channel creation more reasonable.
We leave the general refactoring done by #6789 in place, but do
emphasize the reasoning given here with a few additional comments.
Instead of auto-redirecting the login page if we're already logged in,
we simply present it as normal. If we're logged in as the local
identity, we present just a "continue" button in place of the +code
input field. If we're authenticated through eauth, or as a guest, we
present a smaller "proceed as" link underneath the login form.
This way, when apps redirect to the login page because the visitor isn't
_sufficiently_ authenticated, eyre doesn't just throw them right back
into the app with still insufficient creds.
Previously, we would reject this with a 400 error. Considering the
request body is expected to contain "array of requests" and that arrays
may be empty, we really should not be rejecting the requests.
Prior to 156ca21472, sending the empty array would have been convenient
for channel creation. Empty arrays getting rejected forced clients to
inject a faux poke (commonly hi-ing oneself). With that recent change,
the most common case for wanting to PUT the empty list of requests is
largely obsolete, but one can still imagine it being useful for clients
that want to keep their channel alive without necessarily being
connected to it. This also implements sloppier clients from running into
400 responses when they submit an empty "command queue" for whatever.
Regardless, there seems to be no clear reason why the empty request list
_shouldn't_ be accepted and processed as normal.
We add a small test to ensure eyre accepts this.
Previously, a channel could only be created by sending a PUT request,
and a GET request to receive the channel's stream would only succeed
after channel creation had happened that way. This forces client
libraries, that generally have an explicit "set up" step before allowing
normal operation, to do strange things, like sending faux pokes
(commonly hi-ing oneself) before connecting to the channel's stream as
normal.
Here, we update the GET request handling for channels to allow requests
for non-existent channels. When this happens, the channel will be
created, and eyre tracks the request as normal.
We do some... gentle restructuring... of +on-get-request:by-channel to
let the new creation case share code with the "already exists" codepath.
In the process, we find that duct-to-key was never getting updated in
the case where we replace the original channel request/connection with
the new incoming one. We fix this, it's trivial. We also identify two
other areas with vaguely-incorrect behavior, but consider them less
important and out of scope.
We also add a test case for "create channel through GET".
Previously, for endpoints bound to agents, we would pass the request
onto the agent even if the agents wasn't currently running.
Here, we make eyre check to see if the agent is actually running, before
passing the request on. If the bound agent is not running, eyre serves a
503 synchronously instead.
This way, we avoid cluttering up the gall queue for the bound agent.
- let users disable automatic OTA merging for a sync or globally
- a sync can be set to manual, automatic or global default
- unapproved non-auto updates must be approved by the user
This commit adds `%tend` `%germ` and `%snip` to the notes that gall can
pass. `%tend` is analogous to `%grow`, except with a security group defined
by .coop.
### The coop system
A `$coop` is a path, which defines a security context for the portion of
the namespace that it prefixes. Each `$coop` receives a symmetric key,
which is used to encrypt requests and responses for any key-value pair
belonging to a coop.
### Network overview
This design requires a single handshake over ames to inform clients what
key is to be used. However, this handshake can be made less frequent by
including all paths underneath the `%coop` in the response, such that if
the user is requesting sibling paths under the same `%coop`, only one
handshake is required.
### Naming
I am utterly detached to all new names introduced, just trying to get
something down
### API Design
The most contentious part of this proposal will likely be the split
between `%grow` and `%tend`. I assert (rather weakly mind you) that this
is more ergonomic for the end user, although there's a strong argument
to be made that `%grow` should just take a `(unit coop)`. If this were
the case, however, it would muddy the semantics. If the value is
encrypted, then the ship,desk,case will be in the coop, else it will be
specified in the path. Worth noting that specifying the
`%coop` and the rest of the path seperately seems like it could be
unintuitive because the path that it will be bound to is actually
`(welp coop path)`
The lifecycles for coops seem straightforward, although worth revisiting
the invariants it maintains, and how it handles those invariants. A list of such:
- No nesting (obviously good)
- Crashing on binding publically into a private coop (crashing is bad,
do we want to deliver a notification? (See footnote 1))
- Crashing on binding into a coop that doesn't exist (same notes as above)
### Key generation
Current implementation is obviously stupid, how should i do it?
### Footnotes
1. Why are the remote scry datastructures notes and not gifts? Forgive
me being out of the loop, but we don't actually use the wire for
anything anywhere, and remote scry is giving gift anyway.
2. It's so good to be back
Instead of setting a new timer every time, we wait to hear a new %nack
for a %leave to do so, accumulating any unacked %leaves in the state for
up to ~m2. When the timers comes back, we re-send all outsanting %leaves
and skipp setting up a new timer.
