This repository has been archived by the owner on Apr 12, 2023. It is now read-only.

Authentication without private key #25

Closed
Remo opened this issue Jul 19, 2017 · 7 comments

@Remo

Remo commented Jul 19, 2017

I probably know where I'm heading to, I want to use this library in the browser which according to its description, is an option. The only way to authenticate is through public/private keys. That's fine if I was using node or another server side technology, but I don't want to expose the private key in my browser to each and everyone.

My goal is to upload images directly to imbo. Uploading them to my server and then to imbo seems to have no benefit except a higher CPU load ;-)

@rexxars
Member

rexxars commented Jul 19, 2017

This really is a question that belongs in the imbo repo since it basically deals with access control. Having said that, it is possible to create a public/private key pair that only has access to upload images but not delete them or change metadata and similar. This can be done with the access control functionality.

I think @matslindh has also been talking about being able to generate "upload tickets" or something similar, where the server basically creates a temporary ticket/key that allows a user to upload images within a given time frame, but I'm not sure if that plan/idea has been progressed any further.

@matslindh

Upload tickets / authentication allowing x uploads or similar are still on the drawing board. What kind of authentication are you looking for @Remo? Using OAuth2 or SAML could be an option, but I'm not sure how we'd go about authenticating / validating / limiting client url generation under those conditions. Any suggestions are welcome :-)

@Remo
Author

Remo commented Jul 19, 2017

@rexxars I'm aware that I can restrict the permissions of an access key, but that would still mean that the key is public and could be used by anyone. It would be easy to fill the server till it runs out of space for example. That's not something I can put in my design.

@matslindh In my case I wouldn't want to use OAuth or SAML, if I could create a temporary ticket token through a serverside script it would already be enough. Having just written that, I could use an access control method that pulls the tokens from a database and temporarily creates them using a single serverside call and then kills them after a certain amount of time. I might have to renew them from time to time though. Feels a bit hacky, but it should be okay in my case.

@matslindh

@Remo OK, that's exactly what the feature I've been thinking about would be; the server side app would pass a set of tokens to the client that the client can use for uploading photos directly to Imbo. I'm a bit busy with my newborn son right now, but I'll add a ticket to the Imbo issue tracker to keep track of the feature at least.

@matslindh

I've added Imbo#560 to track this issue.

@rexxars
Member

rexxars commented Jul 19, 2017

Thanks for pinging us about this - it would be a great addition to Imbo and a fairly common use case. Closing this as it is not directly related to the JS client.

rexxars closed this as completed Jul 19, 2017
@Remo
Author

Remo commented Jul 19, 2017

Sure thing, just posted it here because I thought that the backend might already support something like it!
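
The "upload ticket" idea discussed in this thread, sketched as an added example (not part of the thread, and not Imbo or imboclient-js code; the feature was only proposed here). The function names, the ticket format and the in-memory `used` map are assumptions: the server-side app signs a short-lived, upload-limited ticket with HMAC-SHA256 and the upload endpoint verifies it, so no private key reaches the browser.

```javascript
// Added example: hypothetical upload-ticket scheme, not an Imbo or imboclient-js API.
const crypto = require('crypto');

const sign = (secret, payload) =>
  crypto.createHmac('sha256', secret).update(payload).digest();

// Server-side app only: the signing secret never reaches the browser.
function issueTicket(secret, user, ttlSeconds, maxUploads, now = Date.now()) {
  const claims = {
    user,
    maxUploads,
    exp: Math.floor(now / 1000) + ttlSeconds, // absolute expiry, in seconds
    id: crypto.randomBytes(8).toString('hex'), // key for counting uploads
  };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64');
  return `${payload}.${sign(secret, payload).toString('hex')}`;
}

// Upload endpoint: check signature, then expiry, then remaining quota.
// `used` is a Map(ticket id -> uploads so far); a shared store in practice.
function redeemTicket(secret, ticket, used, now = Date.now()) {
  const parts = String(ticket).split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [payload, sigHex] = parts;
  const expected = sign(secret, payload);
  const given = Buffer.from(sigHex, 'hex');
  // Constant-time comparison; the length check keeps timingSafeEqual from throwing.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Only parsed after the signature verified, so the claims are server-issued.
  const claims = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
  if (Math.floor(now / 1000) >= claims.exp) return { ok: false, reason: 'expired' };
  const count = used.get(claims.id) || 0;
  if (count >= claims.maxUploads) return { ok: false, reason: 'quota-exhausted' };
  used.set(claims.id, count + 1);
  return { ok: true, user: claims.user, remaining: claims.maxUploads - count - 1 };
}
```

The expiry and the upload count together bound how much storage a leaked ticket can consume, which is the concern raised above about a restricted but public key.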
