Show HN: Auth intermediary that cannot authorize. By design (github.com)

2 points by sbw70 ↗ HN
What if your auth system had no admin override?

I built an authorization intermediary that cannot authorize.

How it works: • Hashes requests (opaque, can't see payload) • Forwards to provider (stateless, can't make decisions) • Provider validates everything (exclusive authority)

The intermediary holds no signing keys. The provider holds the only pen. Compromise the intermediary = you get nowhere.

200 lines. Zro dependencies. Apache 2.0.

Core- and basic extension demos Replit.com/@sbw70

Bundled demos Replit.com/@holiwood4420

Repo https://github.com/sbw70/verification-constraints/

Run it. Fork it. Fuck it up. If you can get it to authorize without provider consent, I'd love to see how.

0 comments

[ 2.7 ms ] story [ 7.7 ms ] thread

No comments yet.