Is your feature request related to a problem? Please describe.
Would be great to edit deck cards and the like collaboratively
Describe the solution you'd like
Allow creating a collaborative editor without a file id.
Describe alternatives you've considered
Different design decisions in terms of api and authorization - but no fundamentally different approach.
Identifier
Currently collaborative editing sessions are identified by the file id of the document. This won't work if there's no file behind the session.
Authorization
We need to make sure:
- Only users who were granted access can join the session.
- Only visitors with access to the right tokens can join the session.
- Read only access is respected (i.e. does not grant editing abilities).
- The architecture is flexible and works with different apps.
Token based
- Each session is identified with a token.
- The token has enough entropy to not be guessed and is treated as a secret.
Pros:
- Easy to implement the happy path.
- Access management is delegated to the apps in question
Cons:
- Harder to implement readonly access (second token, how to identify the doc?)
- Harder to revoke access - token has been leaked, need to use a new one.
Permission Request Event based
- When someone tries to access a document a server side event is emitted.
- The apps granting access handle the event and react accordingly
Pros:
- Responsibility of apps to handle permissions is made explicit
Cons:
- Only works with access to server php code. (Not a limitation for now)
- App responsibilities are not clearly separated. What if another app handles the event instead?
Two events (Query and update)
- When someone tries to access a document a server side event is emitted.
- The apps granting access handle the event and react accordingly
- When permissions are revoked from a user an event for that user is triggered by the app in question and text knows it needs to ask again.
Cryptographic signatures (JWT and the like)
Is your feature request related to a problem? Please describe.
Would be great to edit deck cards and the like collaboratively
Describe the solution you'd like
Allow creating a collaborative editor without a file id.
Describe alternatives you've considered
Different design decisions in terms of api and authorization - but no fundamentally different approach.
Identifier
Currently collaborative editing sessions are identified by the file id of the document. This won't work if there's no file behind the session.
Authorization
We need to make sure:
Token based
Pros:
Cons:
Permission Request Event based
Pros:
Cons:
Two events (Query and update)
Cryptographic signatures (JWT and the like)