
Using `spacetime login` with `--server-issued-login` has no checks

Open Donach opened this issue 9 months ago • 2 comments

I've installed SpacetimeDB on my VPS; however, I'm a bit short on how exactly I should secure the DB so that no one else can publish modules but me.

When I use `spacetime login --server-issued-login <myserver>`, it simply authenticates me - without me having to provide "anything".

On the server, I also found no way to specify which users can log in and which cannot, etc.

Am I missing something, or is "this" missing from the self-hosted version?

Donach avatar Mar 12 '25 23:03 Donach

The whole identity concept is really confusing, especially when thinking distributedly.

However, I recall seeing docs that say the same as these comments:

https://github.com/clockworklabs/SpacetimeDB/blob/master/crates/client-api/src/routes/database.rs#L478-L479

I.e. you can only publish when database identity matches yours, i.e. you created it. But it's a bit unclear if database means "SpacetimeDB ecosystem running in port 3000" or "a specific module you have already published" or perhaps something else?

It's an important distinction between "only you can `spacetime publish` to your server" and "only you can `spacetime publish` over your previous `spacetime publish` but anyone can `spacetime publish` a new module(database? server?) on a SpacetimeDB (server? host? database? module?)". The terminology can be quite confusing in this kind of amalgamation of technologies :)

I am guessing, but in your case I think the command would return a new "anonymous" identity that only your server recognizes (there is a private/public key pair in the server data folder), but it is not the server's identity that you require to take actions (if I had to guess, this comes from said key pair's private portion...? or maybe it is based on the user logged in when starting the server?).

The documentation and I guess especially the self-hosting guide really should go deep into security and explain everything in great detail. Before that happens, no serious projects will come up I imagine (imagine putting up a production database but not understanding who and what can access which parts of it).

Do we need a "Set up a reverse proxy with an authentication layer towards the /database endpoints" or perhaps that is completely unnecessary and the actual thing to add is a "How SpacetimeDB identities work: Deep dive" to understand why it is unnecessary?

Something else to add might be the handling of key pairs: what you have to secure, what not, what you have to back up, etc., i.e. general operating instructions.

puttehi avatar Mar 15 '25 13:03 puttehi

Thanks for filing an issue!

Yes, once a user publishes a database, no other user can publish that database. However, any user can publish a different module.

This page has some more details on how to restrict that behavior on a self-hosted SpacetimeDB instance: https://spacetimedb.com/docs/deploying/spacetimedb-standalone.

bfops avatar Apr 02 '25 18:04 bfops