Skip to content

Add a simple public-key-based authenticator #79

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
TheBlueMatt wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add a simple public-key-based authenticator #79

TheBlueMatt wants to merge 2 commits into from

Conversation

@TheBlueMatt
Copy link

@TheBlueMatt TheBlueMatt commented Dec 29, 2025 

JWT-based authentication is currently largely the default due to
its integration in `ldk-node` indirectly via LNURL-auth. This is
great, but massively over-engineered (and requiring yet another
service devs have to set up and maintain) for just authenticating
to a storage service (and maybe an LSP).

Here we add a much simpler authentication scheme, based simply on
proof-of-knowledge of a private key. This allows for a simple VSS
install without requiring any additional services. It relies on
some higher-level authentication to limit new account registration,
but that can be accomplished through more traditional anti-DoS
systems like Apple DeviceCheck.

@TheBlueMatt
Move JWT-based authentication behind a (default) feature flag
0ace158 
JWT-based authentication is currently largely the default due to
its integration in `ldk-node` indirectly via LNURL-auth. This is
great, but massively over-engineered (and requiring yet another
service devs have to set up and maintain) for just authenticating
to a storage service (and maybe an LSP).

In the next commit, we'll add an option for a much simpler
authentication scheme, based simply on proof-of-knowledge of a
private key and the service using the signing pubkey to identify
where to store data.

This then leaves authentication of installs to a higher-level (e.g.
a web proxy that validates Apple DeviceCheck attestations before
passing requests through to VSS).
@TheBlueMatt
Add a simple public-key-based authenticator
f64f6bd 
JWT-based authentication is currently largely the default due to
its integration in `ldk-node` indirectly via LNURL-auth. This is
great, but massively over-engineered (and requiring yet another
service devs have to set up and maintain) for just authenticating
to a storage service (and maybe an LSP).

Here we add a much simpler authentication scheme, based simply on
proof-of-knowledge of a private key. This allows for a simple VSS
install without requiring any additional services. It relies on
some higher-level authentication to limit new account registration,
but that can be accomplished through more traditional anti-DoS
systems like Apple DeviceCheck.
@ldk-reviews-bot
Copy link

ldk-reviews-bot commented Dec 29, 2025
edited
Loading

I've assigned @valentinewallace as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@valentinewallace valentinewallace Awaiting requested review from valentinewallace

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@TheBlueMatt @ldk-reviews-bot