documentation: Adding README.md and LICENSE · ngerakines.me/magazi@ec03e90

Magazi is a content distribution platform that gates access to files using ATProtocol (Bluesky) identity and cryptographic proofs. download.ngerakines.me/

atprotocol appview atprotocol-attestations

fork atom

documentation: Adding README.md and LICENSE

Nick Gerakines 1 month ago ec03e906 f2a185c4

+127

2 changed files

expand all

unified split

LICENSE

README.md

LICENSE

··· 1 + MIT License 2 + 3 + Copyright (c) 2026 Nick Gerakines 4 + 5 + Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 6 + 7 + The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 8 + 9 + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

+118

README.md

··· 1 + # Magazi 2 + 3 + Magazi is a content distribution platform that gates access to files using ATProtocol (Bluesky) identity and cryptographic proofs. Users authenticate via ATProtocol OAuth, and file access is controlled through flexible JSONLogic rules that can require authentication, supporter status, or specific proof records. 4 + 5 + ## Attestations 6 + 7 + This project uses [atproto-attestation](https://tangled.org/smokesignal.events/atproto-identity-rs/tree/main/crates/atproto-attestation) to verify cryptographic proofs and builds on top of the attestation implementation from [ATProtoFans](https://atprotofans.com/). 8 + 9 + Attestations in ATProtocol are CID-first: records are prepared with signature metadata, serialized to DAG-CBOR, and the resulting content identifier is signed with elliptic curve cryptography. The signature includes a repository binding that prevents replay attacks across repositories. 10 + 11 + When a user authenticates, Magazi fetches their `com.atprotofans.supporter` records and verifies the embedded attestations. Each supporter record contains StrongRef pointers to proof records signed by the creator and broker. These proofs are transparent and auditable—anyone can verify that support relationships are genuine. 12 + 13 + ## Getting Started 14 + 15 + ### Prerequisites 16 + 17 + - Rust 1.75+ 18 + - An ATProtocol identity (DID) for the creator 19 + - OAuth client credentials registered with your PDS 20 + 21 + ### Running 22 + 23 + 1. Clone the repository 24 + 2. Create a `catalog.json` file defining your content (see Configuration) 25 + 3. Set required environment variables 26 + 4. Run the server: 27 + 28 + ```bash 29 + cargo run 30 + ``` 31 + 32 + ## Configuration 33 + 34 + Configuration is environment-variable driven: 35 + 36 + | Variable | Description | 37 + |----------|-------------| 38 + | `HTTP_PORT` | Server port (required) | 39 + | `HTTP_EXTERNAL` | External domain for OAuth callbacks (e.g., `magazi.example.com`) | 40 + | `HTTP_COOKIE_KEY` | Base64-encoded 64+ byte key for session cookies | 41 + | `OAUTH_CLIENT_CREDENTIALS` | Private signing key for OAuth client | 42 + | `CREATOR_IDENTITY` | Creator's DID (e.g., `did:plc:abc123`) | 43 + | `BROKER_IDENTITY` | Broker's DID for proof verification | 44 + | `DOWNLOAD_KEY` | Private key for JWT download tokens | 45 + | `FILES` | Filesystem path to stored files | 46 + | `CATALOG` | Path to `catalog.json` file | 47 + 48 + ### Catalog Format 49 + 50 + The catalog is a JSON array of entries: 51 + 52 + ```json 53 + [ 54 + { 55 + "id": "bafkreif2gmzhha...", 56 + "name": "My File", 57 + "description": "Description of the file", 58 + "content_type": "application/pdf", 59 + "requirements": {} 60 + } 61 + ] 62 + ``` 63 + 64 + ## Access Rules 65 + 66 + Each catalog entry has a `requirements` field containing a JSONLogic rule evaluated against the user's entitlement context. The context includes: 67 + 68 + - `authenticated` - Boolean, true if user is logged in 69 + - `did` - User's decentralized identifier 70 + - `handle` - User's handle 71 + - `supporter` - Supporter record data 72 + - `supporterProof` - Cryptographic proof from creator 73 + - `brokerProof` - Cryptographic proof from broker 74 + 75 + ### Examples 76 + 77 + **Anyone can access** (no requirements): 78 + ```json 79 + { 80 + "requirements": {} 81 + } 82 + ``` 83 + 84 + **Only logged in users can access**: 85 + ```json 86 + { 87 + "requirements": { 88 + "!!": [{ "var": "authenticated" }] 89 + } 90 + } 91 + ``` 92 + 93 + **Only supporters can access** (requires both proofs): 94 + ```json 95 + { 96 + "requirements": { 97 + "and": [ 98 + { "!!": [{ "var": "supporterProof" }] }, 99 + { "!!": [{ "var": "brokerProof" }] } 100 + ] 101 + } 102 + } 103 + ``` 104 + 105 + **Only a specific identity can access**: 106 + ```json 107 + { 108 + "requirements": { 109 + "==": [{ "var": "did" }, "did:plc:specificuser123"] 110 + } 111 + } 112 + ``` 113 + 114 + ## License 115 + 116 + MIT License 117 + 118 + Copyright 2026 Nick Gerakines