
Auth

Currently the Graft backend authenticates requests using PASETO, a simple token-based authentication scheme.

To configure PASETO, first generate a 32-byte, hex-encoded secret key:

$ just run tool secret-key
86d94c08c767...d74c5a8282f81367886255

The same key must be specified in both the PageStore and MetaStore config, since tokens issued under one key are only accepted by services configured with that key:

[auth]
key = "86d94c08c767...d74c5a8282f81367886255"

You can also supply the key through the environment variables PAGESTORE_AUTH__KEY and METASTORE_AUTH__KEY.

Once configured, every request must carry a PASETO token generated with the same key. You can generate a token for a particular subject like so:

$ SK=86d94c08c767...d74c5a8282f81367886255
$ just run tool token --sk $SK subject-name
v4.local.PxdyJ4TwdDIWRUp0C...kgr8Ha11PHD_j9OAUeupqJ_bWa0UJ56nVMk7U

Subjects are metadata attached to the token that identify who is accessing Graft. Graft will eventually associate permissions with subjects in order to enable fine-grained authorization.

The first token you generate should be the one the PageStore uses to authenticate to the MetaStore. You can use any subject, but I like to use graft-pagestore. Provide the token to the PageStore via its config (token = "...") or the environment variable PAGESTORE_TOKEN=....

Once PASETO authentication is configured, every Graft client must present a valid token. See the Graft SQLite config for details on configuring the token used by the Graft SQLite extension.