From: Jeroen van Veen
To: Juliusz Chroboczek
CC: "galene@lists.galene.org"
Date: Fri, 29 Oct 2021 09:10:28 +0000
Subject: [Galene] Re: Config branch [was: User management]
In-Reply-To: <8735on1ues.wl-jch@irif.fr>

Hi Juliusz,

I checked your config branch and the new multiple admins feature. Nice feature!
It allows me to directly map the admin privilege in Pyrite's users.json to a
Galene admin, so multiple users can directly access an endpoint like stats.json.
It may be possible to use the single admin user in Pyrite's Node.js service to
proxy the request, but it's better to have this directly in Galene I think
(less dependencies).

How would JWT authentication impact the storage of credentials in Galene? I
encountered JWT authentication recently and noticed it contains user
information payload. Would that impact where the user's credentials may be
stored? For instance, would Galene call a configurable HTTP endpoint that will
do the authentication and return a JWT? What user information will be stored by
Galene? The JWT? I don't have a solid understanding of how that's supposed to
work yet. Would it make sense to have user deduplication with the current
file/authentication scheme like this?

    data/users.json
    [
        {"id": "3930b479-e669-432c-b163-8a3c79475820", "username": "root", "password": "secret"},
        {"id": "b0fba23a-4441-47dc-97ca-545a5b6b9142", "username": "foo", "password": "bar"}
    ]

    data/config.json
    {
        "admin": [
            "3930b479-e669-432c-b163-8a3c79475820"
        ]
    }

    data/groups/my-group.json
    {
        "op": ["3930b479-e669-432c-b163-8a3c79475820"],
        "presenter": ["b0fba23a-4441-47dc-97ca-545a5b6b9142"]
    }

One last thing; in case a central users.json makes sense; would it be helpful
to allow Galene to permit unknown fields, to be able to store additional
arbitrary user information? e.g.

    data/users.json
    [
        {"id": "3930b479-e669-432c-b163-8a3c79475820", "username": "root", "password": "secret", "profile": {"email": "root@domain.org"}},
        {"id": "b0fba23a-4441-47dc-97ca-545a5b6b9142", "username": "foo", "password": "bar", "profile": {"email": "foo@bar.org"}}
    ]

Kind regards,

Jeroen

------- Original Message -------
On Tuesday 26 October 2021 at 9:02 PM, Juliusz Chroboczek wrote:

> Jeroen,
>
> I've just pushed a new branch
>
>     git checkout -b config https://github.com/jech/galene
>
> which implements a global configuration file and removes the data/passwd
> file. Please review, and let me know what you think.
>
> (I'm going to use the global config file to hold shared secrets and public
> keys as I implement third party authentication with JWTs, so while it's
> not overly urgent, please do review, since we'll be stuck with it once
> people start developing auth servers for Galene.)
>
> -- Juliusz
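
The id-based layout sketched in the message above, as an added Go example that is not part of the original thread and is not Galene's code: it resolves the ids in a config or group file against a central users.json, tolerates extra fields such as "profile", and refuses duplicate users or references to ids that do not exist. The names Resolve, User, sampleUsers and sampleGroup are hypothetical, and the files are assumed to contain only role-to-id lists as in the sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample input, following the layout sketched in the message.
const sampleUsers = `[
 {"id": "3930b479-e669-432c-b163-8a3c79475820", "username": "root", "password": "secret", "profile": {"email": "root@domain.org"}},
 {"id": "b0fba23a-4441-47dc-97ca-545a5b6b9142", "username": "foo", "password": "bar"}]`
const sampleGroup = `{"op": ["3930b479-e669-432c-b163-8a3c79475820"], "presenter": ["b0fba23a-4441-47dc-97ca-545a5b6b9142"]}`

// User is one users.json entry; encoding/json skips fields not declared here ("profile", ...).
type User struct {
	ID       string `json:"id"`
	Username string `json:"username"`
}

// Resolve (hypothetical) maps role -> [user id] to role -> [username], failing closed on bad input.
func Resolve(usersJSON, rolesJSON string) (map[string][]string, error) {
	var users []User
	if err := json.Unmarshal([]byte(usersJSON), &users); err != nil {
		return nil, fmt.Errorf("users: %w", err)
	}
	byID, seenName := map[string]string{}, map[string]bool{}
	for _, u := range users {
		if u.ID == "" || u.Username == "" || byID[u.ID] != "" || seenName[u.Username] {
			return nil, fmt.Errorf("invalid or duplicate user %q (id %q)", u.Username, u.ID)
		}
		byID[u.ID], seenName[u.Username] = u.Username, true
	}
	var roles map[string][]string
	if err := json.Unmarshal([]byte(rolesJSON), &roles); err != nil {
		return nil, fmt.Errorf("roles: %w", err)
	}
	out := map[string][]string{}
	for role, ids := range roles {
		for _, id := range ids {
			name, ok := byID[id]
			if !ok { // a dangling id must never silently grant or drop a privilege
				return nil, fmt.Errorf("role %q: unknown user id %q", role, id)
			}
			out[role] = append(out[role], name)
		}
	}
	return out, nil
}

func main() { fmt.Println(Resolve(sampleUsers, sampleGroup)) }
```

The same function covers data/config.json, since {"admin": [...]} has the same role-to-id shape as the group file.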