# o-sai
* U - user
* A - app
* P - pod
## Sign Up
* U@A: Click 'Sign up' in the app
* A: Redirect to the pod
* U@P: Enter email, password, podname
## Bootstrap
* P: create authorization agent Client ID
* P: create WebID outside of the storage
  * include `solid:oidcIssuer`
  * include `interop:hasAuthorizationAgent`
* P: create an account
* P: save password
* P: create storage using the WebID (NoCheckOwnershipValidator)
  * sets restrictive ACP for owner + authorization agent
* P: create registry set and registrations
## Authorize
* P: display authorization screen
  * fetch app's access needs
* U@P: authorize app to access Stories, Videos, Photos and raw media
  * simplified authorization screen with only authorize / deny interaction
  * ??? should they authorize access to both their own data and data shared with them up front, in case friends-only etc. stories are added in the future? If we start with only their own data, accessing data shared with them by others will require re-authorization later on.
* P: create data registrations
  * authorization agent needs to have a pre-configured source of trusted shape trees, e.g. https://scopes.shaperepo.com
* U@P: ??? when do they set read permission on those registries to public? What if users want to store more data in those registries without making it public read?
## Considerations
* [x] hosting WebID outside of the storage
  * e.g. `https://id.example.org/elf-pavlik`
* [ ] using subdomains for storages instead of paths
  * e.g. `https://elf-pavlik.example.org/`
* [ ] using custom SPA as pod UI
  * mobile friendly
  * hide possibly confusing features offered by CSS
  * can show preview of user's WebID and storage root
* [ ] extending CSS instead of forking
  * similar to https://github.com/SolidLabResearch/user-managed-access/
  * https://github.com/light-over/lightover-community-solid-server
  * how to keep up to date with new CSS releases
  * adds a few components for easier bootstrapping
  * some changes are unrelated due to IDE config
  * a bunch of commits for docker and nginx changes
### Misc
* ??? lightover's commitment to long-term hosting of pods: what if another app gets more popular and hosting pods needs to sustain itself?
* ??? is all the social feed discovery managed by that SQL-based hub?
* access to lightover app for testing
* define manual test which proves expected behaviour
* define manual test which proves threats are mitigated, e.g. log in to Penny and mess things up
### Plan for building
- Start in September and work through October
- $5000
- Behavior tests:
  - With one login ask for only "Stories" and "Media." I cannot access anything else on the Pod. I am allowed to create Stories and Media and change access to them, but nothing else.
  - Another app that has not asked for "Stories" or "Media" cannot access or change "Stories" or "Media"
  - Another app that has asked for "Stories" or "Media" can access or change "Stories" or "Media"
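
The behavior tests above can be written down as an executable deny-by-default model before the pod exists. This is an added example, not code from CSS, lightover or any SAI library; the client IDs, container paths, the "Contacts" registration and all function names are constructed for illustration.

```javascript
// Model only: every URL, client ID and the "Contacts" registration is constructed.
const POD = 'https://elf-pavlik.example.org/';

// One data registration (container) per shape tree, as created in "Authorize".
const registrations = [
  { shapeTree: 'Stories', container: POD + 'data/stories/' },
  { shapeTree: 'Media', container: POD + 'data/media/' },
  { shapeTree: 'Contacts', container: POD + 'data/contacts/' }, // "anything else"
];

const ALL = ['read', 'create', 'update', 'delete', 'control'];

// Grants recorded by the authorization agent, keyed by the app's Client ID.
const grants = new Map([
  ['https://stories.example/id', { Stories: ALL, Media: ALL }],
  ['https://editor.example/id', { Stories: ['read', 'update'] }],
  ['https://unrelated.example/id', {}], // never asked for Stories or Media
]);

// Map a resource URL to its registration. new URL() resolves "../" segments,
// so a path cannot escape the container by traversal.
function findRegistration(resourceUrl) {
  let href;
  try {
    href = new URL(resourceUrl).href;
  } catch {
    return null; // not an absolute URL
  }
  return registrations.find((r) => href.startsWith(r.container)) ?? null;
}

// Deny by default: unknown client, unregistered resource, ungranted shape tree
// or ungranted mode all evaluate to false.
function isAllowed(clientId, resourceUrl, mode) {
  const registration = findRegistration(resourceUrl);
  if (!registration) return false;
  const modes = grants.get(clientId)?.[registration.shapeTree];
  return Array.isArray(modes) && modes.includes(mode);
}

// The three behavior tests from the plan, as [client, url, mode, expected].
const behaviorTests = [
  ['https://stories.example/id', POD + 'data/stories/s1', 'control', true],
  ['https://stories.example/id', POD + 'data/contacts/c1', 'read', false],
  ['https://unrelated.example/id', POD + 'data/media/m1', 'read', false],
  ['https://editor.example/id', POD + 'data/stories/s1', 'update', true],
];

function failedBehaviorTests() {
  return behaviorTests.filter(([c, u, m, want]) => isAllowed(c, u, m) !== want);
}
```

The same table of cases can later drive the manual or automated tests against the real pod, with `isAllowed` replaced by actual requests.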