[X3D-Ecosystem] local first db with syncing…securely.
John Carlson
yottzumm at gmail.com
Fri Apr 25 00:33:18 PDT 2025
I’ve been wondering about keeping persistent state locally in my web
browser as well as networking in the Metaverse. There is a recent
movement, called “local-first,” which keeps a local database, a WASM one
like Postgres for example, in the web-browser, and syncs with a remote
database. This seems like a good way to keep some data private, but I’m
not sure it could be realized securely on the network without some kind of
object-capability security. That is, you give someone an unforgeable token
which incorporates both a resource and a task, which is exchanged over a
secure channel (perhaps in a crypto wallet).
Current techniques seem like they use ReST/GraphQL and venerable SQL or
ORM. Michalis showed a mORMot 2 exchange between live CGE editors.
The question is, are query languages secure behind load balancers? Last I
heard, in many cases, they are not, which is why I’ve not pursued JSONverse
security. I don’t have end-to-end encryption for bearer tokens.
I’ve not gotten https:, wss: or WebTransport with DTLS working end-to-end.
I’ve not really tried very hard, and I have other servers which use
self-signed https, which I could copy.
So I’m thinking I want to do some kind of OAuth, OAuth2, or blockchain.
AFAIK, all SQL databases use role-based access control, but I’ve not seen
any of that in X3D. HTTPS with JavaScript and sessions is likely not a
good way to receive someone’s private avatar wearables—you might use some
kind of glTF which can’t be reverse engineered, or some kind of hardware
encryption.
So perhaps we should offer access with a token to wearables (with a suit up
task) temporarily, or grant access to one of our Sensors (such as wearable
visibility) which represents the object-capability—permission to do a task
on the wearable.
I think the key is to use a field where you provide an object-capability
token as a field value (or metadata). If one tries to employ the token,
it is done securely by the language runtime.
So typical tasks in a database are query, insert, update, and delete. I
welcome feedback on how to secure data manipulation over the client/server
network. Meteor did it.
Should we really continually transfer the UI information across the
network? Or do we just do app upgrades?
I believe that this is doable, because I’ve transferred single joint level
information across the network and have also been working on updating joint
rotations in a pre-existing UI.
John