owned this note
owned this note
Published
Linked with GitHub
# Egress Billing
After blob is uploaded user agent will receive a [location commitment] like this
```mermaid
flowchart LR
site[(asia.w3s.link)]
space(["🪣 zAlice"])
site --delegate--> space
```
```json
{ // bafy..site
// Storage node authorize access to the stored resource
"iss": "did:web:asia.web3.storage",
// To an Alice
"aud": "did:key:zAlice",
// Indefinitely
"exp": null,
"cmd": "/assert/location",
// Subject is storage node because they own that resource
"sub": "did:web:asia.web3.storage",
"pol": [
// multihash must match an uploaded blob
["==", ".content", { "/": { "bytes": "mEi...sfKg" } }],
// must be available from this url
["==", ".url", "https://asia.w3s.link/ipfs/bafk...7fi"],
]
}
```
> ℹ️ Note that commitment is to `did:key:zAlice` and they can exercise themself or delegate that to someone else.
### Enable Gateway Reads
User could authorize gateway reads by re-delegating location commitment & imposing additional limits. In the example below Alice restricted reads from `f0.io` origin and with `?token=zrptvx` query parameter.
> ℹ️ User can makeup whatever restrictions they want to limit reads.
```mermaid
flowchart LR
site[(asia.w3s.link)]
space(["🪣 zAlice"])
gateway((🌐 w3s.link))
user(👩💻 Alice)
subgraph w3up
site -- delegate --> space
space -- delegate --> gateway
gateway -. invoke .-> site
end
user --/ipfs/bafy..stuff?toke=zrptvx --> gateway
```
```json
{ // bafy..auth
"iss": "did:key:zAlice",
"aud": "did:web:w3s.link",
"exp": 1716235987 // restrict to a month
"cmd": "/assert/location",
// Subject is storage node because they own that resource
"sub": "did:web:asia.web3.storage",
"pol": [
// Request origin header must be f0.io
["==", ".headers['origin']", "f0.io"],
["==", ".query.token", "zrptvx"]
],
"meta": { "proof": { "/": "bafy..site" } }
}
```
### Better Access Control
Delegating access to gateway directly can be inconvenient if user want to disable read on content in bulk. Core UCAN functionality could be leveraged to make access control in bulk more convenient. In that case user just needs to introduce intermediary principal representing a group and make it part of the delegation chain
```mermaid
flowchart RL
site[(asia.w3s.link)]
eu[(eu.w3s.link)]
space(["🪣 zAlice"])
group([🔑 zGroup])
gateway((🌐 w3s.link))
user(👩💻 Alice)
subgraph w3up
eu --> delegate --> space
site --delegate--> space
space --delegate--> group
group --delegate--> gateway
gateway -. invoke .-> site
gateway -. invoke .-> eu
end
user -- /ipfs/bafy..stuff?toke=zrptvx --> gateway
```
```json
{ // bafy..group
"iss": "did:key:zAlice",
"aud": "did:key:zGroup",
"exp": 1716235987 // restrict to a month
"cmd": "/assert/location",
// Subject is storage node because they own that resource
"sub": "did:web:asia.web3.storage",
"pol": [
// Request origin header must be f0.io
["==", ".headers['origin']", "f0.io"],
["==", ".query.token", "zrptvx"]
],
"meta": { "proof": { "/": "bafy..site" } }
}
```
Then re-delegate access to gateway from the group itself
```json
{ // bafy..access
"iss": "did:key:zGroup",
"aud": "did:web:w3s.link",
"exp": 1716235987 // restrict to a month
"cmd": "/assert/location",
// Subject is storage node because they own that resource
"sub": "did:web:asia.web3.storage",
"pol": [
// Request origin header must be f0.io
["==", ".headers['origin']", "f0.io"],
["==", ".query.token", "zrptvx"]
],
"meta": { "proof": { "/": "bafy..group" } }
}
```
To canel access for a created group user last delegation `bafy..access` could be revoked
```mermaid
flowchart LR
eu[(eu.w3s.link)]
site[(asia.w3s.link)]
space(["🪣 zAlice"])
group([🔑 zGroup])
gateway((🌐 w3s.link))
eu --delegate-->space
site --delegate--> space
space --delegate--> group
group -. ⛔️ revoked .-> gateway
```
[location commitment]:https://github.com/w3s-project/specs/blob/main/w3-blob.md#location-commitment