#Making an Open Source Convex app, for those who don't want to write any code, and just want a website.


strange sinew
#

Yeah! I'd add a page like this to your project site.

#

Right now this script uses Node.js APIs but similar APIs exist in the browser.

#

The security worry here is that you could e.g. give out the same key to everyone, and then anyone could pretend to be anyone on any of these sites.

#

so it's important that you don't do that, that you actually generate these.

#

And on that same page (I'm imagining you'll have a whole page of instructions about how to create your own instance of this, because there are going to be a lot of steps) you could offer as an option running the script

#

for more security-conscious folks who would rather do that

#

but yeah totally works to do it on that page

#

jose, the library used there, works in a browser

#
import { exportJWK, exportPKCS8, generateKeyPair } from "jose";

// Generates a fresh RS256 signing key pair and returns it in the two
// formats Convex expects: the private key as a single-line PKCS#8 PEM
// (newlines replaced with spaces so it fits in an environment variable)
// and the public key as a JWKS document.
export async function generateKeys() {
  try {
    const keys = await generateKeyPair("RS256");
    // Private half: PKCS#8 PEM text.
    const privateKey = await exportPKCS8(keys.privateKey);
    // Public half: JSON Web Key, wrapped in a JWKS with use: "sig".
    const publicKey = await exportJWK(keys.publicKey);
    const jwks = JSON.stringify({ keys: [{ use: "sig", ...publicKey }] });
    return {
      JWT_PRIVATE_KEY: `${privateKey.trimEnd().replace(/\n/g, " ")}`,
      JWKS: jwks,
    };
  } catch (error) {
    // process.exit is a Node.js API; a browser port would report the
    // error differently.
    console.error(
      "Could not generate private and public key, are you running this command using Node.js?\n",
      error,
    );
    process.exit(1);
  }
}
#

so you might wire up a button to run this code and show the two values in the browser

#

oops missed this question,

what are the possible vulnerabilities with making a website that, with a click of a button, generates the keys, and copies them into the user's system clipboard?

the possible vulnerability is that you're running code that could send that token to someone else (probably the person who made the website) or could hand out the same keys to everyone

#

The bigger picture is "what if someone forks your project and changes the code to do this, now Mathalogical is secure, but the copy Logimathical isn't, so we better not encourage it in general"

#

but for your own project you can decide the risks here

#

yeah seems fine!

#

Just like anytime you run code written by someone else, yeah

#

Sounds like a cool project! Let us know if there are steps that are hard to walk people through like this; being able to set up a Convex project just by clicking isn't something we've designed for much, so there might be some little things missing, but we can probably fix them.

strange sinew
#

oh hah, yeah I'm a fan