Worker authorization

[rndquu]

Depends on #92

The cloudflare worker implemented in #92 does not have any authentication mechanic.

Right now calling the permit generation worker in a secure way should be supported by:

• pay.ubq.fi worker backend
• kernel worker backend

[ubiquity-os-beta]

Note

The following contributors may be suitable for this task:

whilefoo

80% Match ubiquity-os/ubiquity-os-kernel#43

rndquu

75% Match ubiquity/pay.ubq.fi#343

[Keyrxng]

I had in mind that we'd

1. Verify direct kernel reqs using the same handshake other plugins do
2. UI reqs could be tld bound or IP bound (I'm sure you had to make a static one for reloadly yeah?)

[gentlementlegen]

If we verify the signature, only our kernel would be able to run the worker, wouldn't that be enough for authentication?

Maybe at this time it would be problematic for pay.ubq.fi, however, because we should make it work through the kernel which seems odd.

[rndquu]

If we verify the signature, only our kernel would be able to run the worker, wouldn't that be enough for authentication?

Maybe at this time it would be problematic for pay.ubq.fi, however, because we should make it work through the kernel which seems odd.

As far as I understand right now there're no clear specs that the kernel should be able to generate permits. But pay.ubq.fi backend will definitely generate them by calling the permit generation worker.

[0x4007]

Why don't we just make it redundant for this one off use case?

It seems a lot simpler and we don't change that code much if ever.

It seems nice that the auth works well for our kernel via GitHub built-ins. It would be a shame to compromise its integrity by trying to mix the use cases for being called by our ui as well.