1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
|
// maybe motif instead of thread?
// Email Address validation example
thread = start_thread(EmailAddressValidation, "b@g.com");
thread = advance_thread(AddressValidation, token, code);
session = complete_thread(thread.id);
// Sms validation example
thread = start_thread(SmsAddressValidation, "12133447460");
thread = advance_thread(SmsAddressValidation, token, code);
// New passphrase
credential = create_credential(Passphrase, "b@g.com", "p4ssw0rd");
thread = start_thread(Passphrase, "b@g.com", "p4ssw0rd");
session = complete_thread(thread.id);
// New Totp
credential = create_credential(Totp);
thread = start_thread(Totp, code);
session = complete_thread(thread.id);
// New OneTimeCodes
credential = create_credential(OneTimeCode);
thread = start_thread(OneTimeCodes, code);
session = complete_thread(thread.id);
// MFA example which requires totp after email
thread = start_thread(Passphrase, "b@g.com", "p4ssw0rd");
Thread { Proof: { credential: [totp] } }
thread = advance_thread(Totp, code);
session = complete_thread(thread.id);
// REST entities
Identity
Credential
Address
Motif
Session
// example
POST /api/auth/email-validation
motif = start_motif(EmailAddress, "b@g.com", None)
--> an email has been sent with this motif.id + code and stuff
user clicks on email
GET /api/auth/email-validation/complete?motif_id=1234
session = complete_thread(motif_id)
under the hood, it looks up the thread_id, sees that it belongs to an email validation, validates the email, creates a new identity if it's not already attached, creates a session and returns that session.
GET /oidc/provider?state=123444 -- state validated by client
POST /api/auth/oidc { data ... }
motif = start_motif(Oidc, access_token, data)
session = complete_motif(motif.id)
ref = secd.write(User(user, 1), (doc, 3), "editor");
secd.attach_computed_property(ref, "property_name");
secd.check(User(user, 1), (doc, 3), "editor")
secd.compute\_check(User(user, 1), (doc, 3), "editor", ["property", args...], ["property", args...])
e.g.
secd.compute\_check("User(user, 1), (doc, 3), "editor", ["readable_row", 2134], ["property2", args...])
.....NO: A computed property should just be a domain things, and if any data is needed, it can be attached to the auth store for that identity!!!!!!!!!!!!!!!!
## Namespace stuff...
use file/path/1
use file/path/2
namespace user { }
namespace role {
relation member {
user | group#member
}
computed_property (t: timestamp, s: timestamp) {
perform a computation here...
}
computed_property (s: string) {
s.starts_with("b")
}
}
namespace group {
relation member {
user | this.admin
}
relation admin {
user
}
}
namespace doc {
relation owner { user }
relation editor { user | this.owner }
relation viewer { user | this.editor | this.parent#viewer | all(user) }
relation auditor { editor - this.owner }
relation parent { this.doc }
}
so, basically it's just:
namespace N {
relation R {
N#R | N#R & N#R - N#R
}
}
These are `.iam` files. Any `.iam` file can be specified as the main file, and then each use statement will be followed.
|
