Data transfer with auth

What is this?

Users should have at least one documented way to do authenticated data transfer along with examples on how to do so. Better if it’s not tied to peerIDs as those can be brittle.

Why is this a good idea?

There are user requests that come in, generally around kubo, for limiting if/when blocks are served to requesters.

A few examples:

  • The participants of
    • Peergos (which is using a custom Bitswap extension), Fission (at the time was not interested in running non-kubo code, but is now running a kubo with a plugin to handle CAR Mirror), n0, etc.
  • Other company requests (e.g. Block/TBD comes to mind)
  • A number of kubo users who use the “pnet” private networking feature from libp2p do so to stop their data from being served (anecdotally this tends to be the main use, as opposed to people being concerned about snooping on requests, performance, additionally layers of protection, etc.)

It would be convenient if we had simple examples to point them to for inspiration and even better if they can discover that on their own. Given that the primary difficulty associated with the combination of auth + content routing + p2p downloads is deciding how to hand out authentication to the many peers you may ask for your data this can make it easier for others to tackle the problem.

What we need to do

  • Add a comment in the (trustless) gateway spec that using arbitrary HTTP headers to convey extra information is reasonable for implementers to do, including auth based headers (e.g. bearer tokens)
  • Make a small boxo demo of this capability along with something a post (e.g. blog) describing it