fimidara is a file storage service for developers, like Google Drive but with a focus on developers. fimidara is a solution to the "rogue link" problem, where a link is accessible to anyone on the internet, when it shouldn't. If a file is accessible to someone, it should only be by design. fimidara extends this function to all resources present within, e.g. users, workspaces, folders, etc. Besides access control, fimidara provides other features for managing your files.
fimidara enforces access control through a combination of agent tokens, permission groups, and permission items.
Agent tokens are JWT access tokens created for programmatic access e.g. client-side and server-side applications. Besides agent tokens, a second part to the system is Permission groups. They group permissions, and can be assigned to Entities. Entities or permission entities can be users, agent tokens, or other permission groups. The third part of the system is Permission items. Permission items are the actual switch, allowing/denying access, and can be granted directly to entities or inherited through permissions groups, enabling reuse. fimidara also provides a default Public permission group that's automatically created in every workspace. It's used to grant access to the public/unauthenticated requests.
When API requests are made to fimidara (for example, to read a file), seeing it currently only supports HTTP, it checks the Authorization HTTP header for a JWT token, then attempts to decode and verify it. Upon authenticating the request (translating the JWT token to it's referenced agent token), it does an authorization check using the agent token's assigned and inherited permission items. It also appends permission items assigned to the Public permission group (remember the Public permission group houses permission items granting/denying access for public requests). If a permission item is found granting access, access is allowed to the resource/action, and an error is returned if there isn't one or there's an explicit deny permission. Public (unauthenticated) requests follow a similar flow, except there is no JWT token or agent token. Only the Public permission group permissions apply, and if a permission item is not found granting access, access is denied with an error.
fimidara can be used for the following usecases: