
feat: TC-1368 Add signed KV URLs #60

Merged
skgbafa merged 2 commits into main from tc-1368-signed-url on May 13, 2026

Conversation

@skgbafa
Contributor

@skgbafa skgbafa commented May 12, 2026

Summary

  • Add signed KV URL creation via POST /signed/kv after normal invocation verification for an exact tinycloud.kv/get scope.
  • Add signed KV fetch via GET /signed/kv/<space>/<key..>?token=..., scoped to the token space/path and bounded by token, invocation, and parent delegation expiry.
  • Advertise signed-urls in node features and document the endpoint in README.

Security / tradeoffs

  • Creation accepts only exact KV get invocations for the requested object before running auth verification, so verification cannot execute write/delete capabilities as a side effect.
  • Tokens are stateless HMAC-signed with a node-derived key and expire after at most 300 seconds.
  • maxUses is explicitly rejected for now; correct limited-use URLs need durable server-side state to work across restarts and multi-node deployments.

Tests

  • rustfmt --edition 2021 --check tinycloud-node-server/src/lib.rs tinycloud-node-server/src/routes/mod.rs tinycloud-node-server/src/signed_urls.rs
  • cargo test -p tinycloud-node signed_urls -- --nocapture
  • cargo test -p tinycloud-node
  • cargo check -p tinycloud-node
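The stateless token model sketched in the PR description above (HMAC-signed with a node-derived key, scoped to exactly one space/path for tinycloud.kv/get, expiry bounded by the 300 s cap, the invocation expiry and the parent delegation expiry), written out as an added example. This is not TinyCloud's code: the key-derivation label, the compact payload layout and the helper names are assumptions, and the time values in the usage are constructed.

```python
"""Stateless HMAC-signed KV read URL token (added example, not TinyCloud code).
Assumed: key derivation label, JSON payload layout, helper names."""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

MAX_TOKEN_TTL = 300            # hard cap from the PR: a token lives at most 300 s
ABILITY = "tinycloud.kv/get"   # the only ability a signed URL may carry


def derive_url_key(node_secret: bytes) -> bytes:
    """Derive the URL-signing key from the node secret (assumed derivation:
    HMAC with a fixed label, so this key differs from any other key derived
    from the same secret)."""
    return hmac.new(node_secret, b"tinycloud:signed-kv-url", hashlib.sha256).digest()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, space: str, path: str, invocation_exp: float,
               parent_exp: float, ttl: int = MAX_TOKEN_TTL,
               now: Optional[float] = None) -> str:
    """Mint a token for exactly one (space, path). Expiry is the earliest of
    now+ttl (ttl capped at 300 s), the invocation expiry and the parent
    delegation expiry, so the URL can never outlive the authority it was
    minted from. Caller has already run normal invocation verification."""
    now = time.time() if now is None else now
    exp = min(now + min(ttl, MAX_TOKEN_TTL), invocation_exp, parent_exp)
    if exp <= now:
        raise ValueError("invocation or parent delegation already expired")
    payload = json.dumps({"s": space, "p": path, "a": ABILITY, "exp": int(exp)},
                         separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(key: bytes, token: str, space: str, path: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return None if the token authorises a GET of (space, path) now, else a
    short rejection reason. The MAC is checked before the payload is parsed,
    and scope is compared exactly: a token for 'photos/a' opens neither
    'photos/a/b' nor 'photos'."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "bad signature"
    claims = json.loads(payload)
    if claims.get("a") != ABILITY:
        return "wrong ability"
    if claims.get("s") != space or claims.get("p") != path:
        return "scope mismatch"
    if now >= claims.get("exp", 0):
        return "expired"
    return None


if __name__ == "__main__":
    # Constructed usage: parent delegation expires at t=1500, invocation at t=2000,
    # minted at t=1000 with the default ttl, so the token expires at t=1300.
    k = derive_url_key(b"node-secret")
    t = mint_token(k, "alice", "photos/a", invocation_exp=2000, parent_exp=1500, now=1000)
    print(verify_token(k, t, "alice", "photos/a", now=1200))    # None
    print(verify_token(k, t, "alice", "photos/a/b", now=1200))  # scope mismatch
    print(verify_token(k, t, "alice", "photos/a", now=1300))    # expired
```

The exact-match scope comparison is what makes the URL safe to hand out: the token names one object, and the verifier never widens it. Because nothing is stored server-side, the same design cannot honour a maxUses limit, which is why the PR rejects that option.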

@skgbafa
Contributor Author

skgbafa commented May 12, 2026

Implemented the TC-1368 architecture change on this branch and pushed commit c878b32.

Summary:

  • Replaced the long SunCave-style /signed/kv/<space>/<path>?token=... HMAC URL with a short opaque bearer URL: /signed/kv/<ticketId>.
  • Minting now verifies the invocation through normal TinyCloud auth first, then persists an attenuated KV read ticket for exactly one {space,path} and tinycloud.kv/get.
  • Authorization accepts a suitable broader KV get capability that can be attenuated via the existing TinyCloud resource subset semantics; it no longer requires every invocation capability to be an exact KV get.
  • Tickets are stored durably in the node DB with issuer/subject, scope, service/ability, timestamps, invocation/parent expiry metadata, optional content hash/ETag binding, and parent proof metadata.
  • Reads load the persisted ticket, validate expiry/scope/hash binding, then perform a private KV read via the core KV read path. This no longer relies on public-space route semantics.
  • maxUses remains rejected in v1 because durable counters/replay protection are not implemented.
  • README updated for the short-ticket model and caveats.

Checks run:

  • cargo check -p tinycloud-node
  • cargo test -p tinycloud-node signed_urls --lib
  • cargo test -p tinycloud-core signed_kv --lib
  • git diff --check

No implementation blockers remain from my side.
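The opaque short-ticket model described in the comment above (/signed/kv/<ticketId>: mint after normal auth, attenuate a broader KV get capability to one {space,path}, persist the ticket with its expiry and optional content-hash binding, read through the private KV path, reject maxUses), written out as an added example. This is not TinyCloud's code: the in-memory dict standing in for the node DB, the (space, path_prefix, ability) capability tuple, the prefix-based attenuation rule and all names are assumptions, and the sample KV contents are constructed.

```python
"""Opaque KV read ticket: mint, persist, read (added example, not TinyCloud code).
Assumed: dict as node DB, capability tuple shape, prefix attenuation rule, names."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_TICKET_TTL = 300
SERVICE, ABILITY = "tinycloud.kv", "get"

# Assumed shape of an already-verified capability: (space, path_prefix, ability).
# In the real node this comes out of TinyCloud auth, which runs before minting.
Capability = Tuple[str, str, str]


@dataclass
class Ticket:
    id: str
    issuer: str
    subject: str
    space: str
    path: str
    issued_at: float
    expires_at: float
    invocation_expiry: float
    parent_expiry: float
    parent_proof: str
    content_hash: Optional[str] = None
    service: str = SERVICE
    ability: str = ABILITY


def covers(cap: Capability, space: str, path: str) -> bool:
    """Attenuation check (assumed subset rule): a kv/get capability on
    (space, prefix) covers the prefix itself and any path below it. Only
    'get' is acceptable; a write/delete capability is never narrowed here."""
    cap_space, cap_path, cap_ability = cap
    if cap_ability != ABILITY or cap_space != space:
        return False
    if cap_path == "":
        return True
    return path == cap_path or path.startswith(cap_path.rstrip("/") + "/")


def mint_ticket(db: Dict[str, Ticket], caps: List[Capability], issuer: str,
                subject: str, space: str, path: str, invocation_expiry: float,
                parent_expiry: float, parent_proof: str, kv: Dict[Tuple[str, str], bytes],
                bind_content: bool = False, ttl: int = MAX_TICKET_TTL,
                max_uses: Optional[int] = None, now: Optional[float] = None) -> Ticket:
    """Persist one attenuated read ticket for exactly (space, path)."""
    if max_uses is not None:
        raise ValueError("maxUses not supported: limited-use tickets need durable counters")
    if not any(covers(c, space, path) for c in caps):
        raise PermissionError(f"no kv/get capability covers {space}/{path}")
    now = time.time() if now is None else now
    expires_at = min(now + min(ttl, MAX_TICKET_TTL), invocation_expiry, parent_expiry)
    if expires_at <= now:
        raise ValueError("invocation or parent delegation already expired")
    content_hash = None
    if bind_content:  # optional ETag-style binding to the value as it is now
        value = kv.get((space, path))
        if value is None:
            raise KeyError(f"{space}/{path} has no value to bind to")
        content_hash = hashlib.sha256(value).hexdigest()
    ticket = Ticket(id=secrets.token_urlsafe(32), issuer=issuer, subject=subject,
                    space=space, path=path, issued_at=now, expires_at=expires_at,
                    invocation_expiry=invocation_expiry, parent_expiry=parent_expiry,
                    parent_proof=parent_proof, content_hash=content_hash)
    db[ticket.id] = ticket  # durable store in the real node; dict here
    return ticket


def read_ticket(db: Dict[str, Ticket], kv: Dict[Tuple[str, str], bytes], ticket_id: str,
                now: Optional[float] = None) -> Tuple[Optional[bytes], Optional[str]]:
    """GET /signed/kv/<ticketId>: returns (value, None) or (None, reason)."""
    ticket = db.get(ticket_id)
    if ticket is None:
        return None, "unknown ticket"  # same answer for expired-and-purged ids
    now = time.time() if now is None else now
    if now >= min(ticket.expires_at, ticket.invocation_expiry, ticket.parent_expiry):
        return None, "expired"
    if (ticket.service, ticket.ability) != (SERVICE, ABILITY):
        return None, "wrong ability"
    value = kv.get((ticket.space, ticket.path))  # private read path, no public-space check
    if value is None:
        return None, "not found"
    if ticket.content_hash and hashlib.sha256(value).hexdigest() != ticket.content_hash:
        return None, "content changed"
    return value, None
```

Because the ticket id carries no claims, the URL leaks nothing about the space or key, and every check (scope, expiry bounds, hash binding) runs against the persisted record. That record is also what a future maxUses counter or an explicit revoke would hang off, which the stateless token model could not offer.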

skgbafa changed the title from "TC-1368 Add signed KV URLs" to "feat: TC-1368 Add signed KV URLs" on May 13, 2026
skgbafa merged commit 44ef18c into main on May 13, 2026
15 checks passed