-
Notifications
You must be signed in to change notification settings - Fork 7
Applications
DataPeps allows adding end-to-end encryption functionality into an application in a simple and concise manner. This is achieved by using Swarm, a dedicated set of SDK functions. There are three entities in the DataPeps' model that represent relations between users and applications: Application, User, and Device.
An application is an identity, created by another identity, the application's developer. Being in the application's sharing group the application developer has access to the application's resources.
A user accesses applications with the help of devices and one device can be used by multiple users. In DataPeps a device is an identity with the access group that consists of all the identities that use the device.
Creating an application is as simple as creating an identity:
let app = {
login: "[email protected]",
name: "My secure App",
payload: {
description: "An application with E2EE included"
}
}
await devSession.createApplication(app)
Identities cannot directly log in as applications, and the application resources are accessible via the application's sharing group. Identities from the application's sharing group can act on behalf of the application by getting the application's handler:
let applicationHandler = await devSession.getApplication("[email protected]")
Developers can get handler's of the created applications in bulk:
let devApplications = await devSession.getApplicationsOf(devLogin)
Application users are registered the same way as identities, except a function from Swarm is to be used:
let alice = {
login: "[email protected]",
name: "Allice as a user",
payload: {
firstname: "Alice",
lastname: "Liddell",
description: "Alice as a Swarm user"
}
}
let aliceSecret = "aliceP@ssw0rd"
await swarm.register(alice, aliceSecret)
Registering with an email token is done the same way as for identities. First, Alice requests an email with a registration token:
let aliceEmail: String = "[email protected]"
await sdk.getRegisteredEmail(aliceEmail)
After receiving the token Alice registers the user:
let token = "YSBmYW5jeSByZWdpc3RyYXRpb24gdG9rZW4="
let alice = {
login: "[email protected]",
...
}
let aliceSecret: String = "aliceP@ssw0rd"
await sdk.register(token, alice, aliceSecret)
After registering a user, Alice can either log in with its credentials or get the corresponding identity's handler directly, in case Alice has established a Swarm session already:
let aliceUser = aliceSwarmSession.getUser("[email protected]")
An identity should create a DataPeps device for every device it uses to access an application. Creating a new device is as simple as creating an identity, except a function from Swarm is to be used
let device = {
login: "[email protected]",
name: "Smartphone",
payload: {
description: "Alice's smartphone"
}
}
let deviceSecret = "deviceP@ssw0rd"
await aliceSwarmSession.createDevice(device, deviceSecret)
Now, when using her smartphone, Alice does not need to log in as her identity; instead she can log in as the device and get access to the resources of her identity.
Under the hood, the device owner adds the new device to the owner's sharing group. An owner can get the owned devices like this:
let aliceDevices = await aliceSwarmSession.getDevicesOf(aliceLogin)
Only an owner or a device sharer can add an identity to the device's sharing group, as it is done the same way as extending the device's sharing group:
await aliceSession.Identity.extendSharingGroup(device.login, [bobLogin])
An identity from the device's access group can revoke the access like this:
await aliceSwarmSession.revokeDevice(aliceLogin, deviceLogin)
To start using an application the user grants the access to the user's identity to the application. In the DataPeps model a user creates an identity, which is further called "a federated identity", for each application he accesses. In this way all federated identities are isolated from each other, so the applications cannot access other applications' resources. Applications normally get delegated access to the federated identities.
We illustrated this with the following example:
Alice wants to work with the Application A and the Application B. For that Alice creates two federated identities: Identity A and Identity B and shares them as described in the delegates access section. By organizing the relations between the user and the applications in this manner, the federated identities are isolated and the Application A can have access to the resources of only the federated identity that was shared with the application. You can find the source code for this example here.
An identity creates the federated identity using a Swarm function:
let aliceAppA = {
login: "[email protected]",
name: "Alice account for application A",
payload: {
application: "[email protected]"
}
}
await aliceSwarmSession.createFederated(aliceAppA)
An identity can get the owned federated identities like this:
let aliceDevices = await aliceSwarmSession.getFederatedOf(alice.login)