Total hours: 148.000

Top three:

1) Database design for key management

Currently the database design treated the operator and sign in as one identity. This way it’s easier to add further authentication and ensures that there’s multiple authentication vectors for an operator.

Furthermore it’s a v shape. There’s authentication which points to an operator along with keys that point to an operator. This allows us to select the key that the operator has along with the authentication methods the operator has.

Ensuring beautifully simple code and reducing the N+1 problem which would otherwise plague the code.

2) Implementing Design Migration

I’m still struggling with this mightily but I’m making quite good progress today was about learning how to properly do ecto associations and play within it’s walled garden.

I had a friend discuss pronouns and I really like that concept. However that’s not currently relevant so I won’t pursue that further in this schema design.

3) Designing Admin Panel

This was just paper design but quite important.

Gaya

Total hours: 246.150

Top one:

1) Domain transfer succeeded. Sapphire Pack is now on the correct. However the blog isn’t currently correctly setup. It’s still correctly accessible at listed.to/@Gaya but I want it also accessible to blog.sapphirepack.org

Total hours: 246.100

Total hours: 246.083

Total hours: 246.000

Top three:

1) Authentication

Split into three seperate levels to plan and design based on threat and security requirements instead of providing just one size fits all.

Despite that being what I wanted from the get go and to design an application with 0 settings or close to 0. But really wanted 0 settings options.

2) Authorization

This is different than than authentication. It’s designed to be a second layer of design for cautious or strict mode.

3) Key Management

Still not fully figured out.

Total hours: 245.650

Total hours: 245.633

Top three:

1) Experimenting with Key Derivation

This is tricky since it involves ensuring proper key provisioning while ensuring that Sapphire Pack has no access to your data at all.

2) Exploring Yubikey for security

I like the concept because I’d be able to use a several key derivation concept and using asymmetrical keys to design. ECC p384 which is secure till past 2031 which is extremely important.

3) Financial feasibility of using Yubikey

Not worth it at allx. Not because it’s not phenomenal but because it’s entry cost would change the market segment that I’m targeting.

Total hours: 244.750

Top three:

1) Website Migration

2) Email Migration

3) Security transition and e2e encrypted data.

Total hours: 243.650

Top two:

1) Authorization and Deployment Concept

This is very tricky but partially depends on not having a properly design threat scoping concept.

The idea is have access keys which are seperate from the account in the event of a compromised system nuke, and remove,

The problem though is it’s impossible to have a secure E2E encryption without a key being stored somewhere (like the persons brain or hardware key).

If it’s the first it’s adding the ‘just one more password fallacy’. If not then how is the password stored and derived?

In the event that the password is completely lost, how is it derived?????? What is the recovery mechanism?

I don’t know and requires rethinking.

2) Mac Firefox to database synchronization

Not started with fully, because the database, key-management and threat scope need to be reexamined.

Total hours: 243.150

Top three:

1) Planning goal for day 30

2) Reading Ecto

3) Planning website style and design

Total hours: 242.867

Top three:

1) Route redirection (Alpha versus not)

Failed since I had completely forgotten that everything underneath the route /operator is actually just fully protected which is good but at the same time means that I failed to think out the idea fully.

2) Session drop versus clear

When a session is dropped cookies aren’t set since they’re revoked. What I need instead is clear the session. Then since their’s a cookie I can put the correct flash there.

It’s not functioning correctly but it works physically at keeping the other operators out. They’re is still crud that needs to be cleaned manually but that’s something that’ll be fixed by dropping this gatekeeping feature within the year.

3) Design requirement

It’s less on figuring out the framework and more on the design now.

Total hours: 241.433

Top one:

1) Planning redirection.

It’s important in the early phase to have two seperate redirections. One for a unauthorized login/ provider failure and another if not enrolled within the Alpha program (which is currently closed to just me currently).

Total hours: 241.00

Top one:

1) Deployed operator locking so only certain operators can authenticate.

Total hours: 239.700

Top one:

1) Auth0 and linking into application along with testing deploy paths. (You’re now able to see the new paths and logging and logout).

I’m now working on the next crucial part of authentication which is controlling how operators are tied in to the system. You see currently the only person is me. However shortly afterwards it’ll open up and I’ll have a dashboard so that I can see operators and then from there I can tie in the email and such.

Code is just a monument to humans. It can either enslave us, overpower us, cripple and control us. Or it can empower us, support us, improve us and be a tool.

Total hours: 238.450

Top three:

1) Auth0 Logout Flow Design

I’ve done a really good job and actually collapsed everything underneath one endpoint. I’ve moved away from user to operator. Operator is someone that controls something. A user is used. Gaya’s built from the ground up with a different but subtle mindset. This mindset is critical in ensuring the project remains for the operator and not for the user.

I’m not here to manipulate, I’m here to create something that can help join things together. The authentication occurs under /operator/session/establish and /operator/session/disconnect

So what happens is that if you go to /operator/session (in a few days, these changes haven’t been pushed to remote yet). It’ll automatically redirect you to /operator/session/establish if you’re not authenticated. Once you’re authenticated it’ll bop you back to /operator/session/establish/callback. This callback extracts the profile and ties to the local state.

Once you’ve been authenticated you know can access /operator/session stuff.

To disconnect it goes thru a similar flow. The reason that there’s the /operator/session/disconnect/callback is to ensure that any message flashes that are needed can be intercepted and handled here. This is because a flash may not survive a double redirection and this ensures that the message is properly routers!!

2) Documentation Update

Pretty minor stuff here

3) Update CI

The CI now supports all of the required special deployment requirements along with updating the build process. The build process now properly supports all the core parts.

The biggest part is the non flexible authentication provider link. I need to ensure that the allowed callback and start flow match URL directly for the already discussed security implications.

Total hours: 235.633

Top one:

1) Setting up remote environment on Gitlab

Nothing more. Quite frustrating mainly because I don’t know what I’m doing. However that’s how any learning starts.