Add a simple public-key-based authenticator #79
+405
−210
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TheBlueMatt
commented
Dec 29, 2025
TheBlueMatt
commented
JWT-based authentication is currently largely the default due to its integration in `ldk-node` indirectly via LNURL-auth. This is great, but massively over-engineered (and requiring yet another service devs have to set up and maintain) for just authenticating to a storage service (and maybe an LSP). In the next commit, we'll add an option for a much simpler authentication scheme, based simply on proof-of-knowledge of a private key and the service using the signing pubkey to identify where to store data. This then leaves authentication of installs to a higher-level (e.g. a web proxy that validates Apple DeviceCheck attestations before passing requests through to VSS).
JWT-based authentication is currently largely the default due to its integration in `ldk-node` indirectly via LNURL-auth. This is great, but massively over-engineered (and requiring yet another service devs have to set up and maintain) for just authenticating to a storage service (and maybe an LSP). Here we add a much simpler authentication scheme, based simply on proof-of-knowledge of a private key. This allows for a simple VSS install without requiring any additional services. It relies on some higher-level authentication to limit new account registration, but that can be accomplished through more traditional anti-DoS systems like Apple DeviceCheck.
|
👋 I see @valentinewallace was un-assigned. |
tnull
requested review from
tankyleo
and removed request for
valentinewallace
tnull
reviewed
Dec 30, 2025
Contributor
There was a problem hiding this comment.
Here we add a much simpler authentication scheme, based simply on
proof-of-knowledge of a private key.
I'm a bit skeptical of this approach right now. Generally there is no harm in supporting different authentication schemes, but we so far failed to establish a single standard authentication mechanism.
For that reason I'm afraid that adding more different authentication schemes could result in an even more complicated/confusion support matrix for users.
Any thoughts on that? Wouldn't it be preferable to commit to one scheme for now to finally establish a standard? Could you expand on why you couldn't just use the existing JWT auth for your usecase?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.