AKIRA-MIYAKE/owner-centric-datastore

Proof of concept for a serverless datastore that allows data owners to manage access

TypeScriptMIT

owner-centric-datastore

Proof of concept for a serverless datastore that allows data owners to manage access

Concept

Data belongs to the owner
Owner controls access to data by group

In scope

Optimized for data generated over time (health data, etc.)
Minimize performance degradation as the number of data increases

Out of scope

User authentication (using OAuth2)
Decentralized data store
Relations between data

Architecture overview

Data are created under the user.
- These data can only be accessed by the user himself.
If the user belongs to a group as a provider, a duplicate is created for each group at creation time.
- This process is triggered by DynamoDB Stream.
- This method is adopted to avoid N + 1 query problem and access control complexity.
When a user is removed from a group to which they belong as a provider, or when a group is removed, all duplicate data will be removed.
- Therefore, users who belonged to the group as consumers cannot access the data.

TBD

Conditions for data to be duplicated for a group (specific type, etc.)
Duplicate past data when joining a group
Change the created data
- Reflect user data changes in duplicated data
Leave a group or delete a group
- Delete duplicate data when excluding a user from a group or deleting a group

API

User

`GET /user`

Get the authenticated user

`POST /user`

Create the authenticated user

Data

`GET /user/data`

List data for the authenticated user

`POST /user/data`

Create a data for the authenticated user

`PATCH /user/data/:data_id`

Update the data for the authenticated user

`DELETE /user/data/:data_id`

Delete the data for the authenticated user

`GET /user/data/types/:type`

List data of specific type for the authenticated user

`GET /groups/:group_id/data`

List group data
Authenticated user must be a consumer of the group

`GET /groups/:group_id/data/types/:type`

List group data of specfic type
Authenticated user must be a consumer of the group

Groups

`POST /groups`

Create a group owned by an authenticated user

`GET /groups/:group_id`

Get a group
Authenticated user must be a member of the group

Members

`GET /user/members`

List group members for the authenticated user

`DELETE /groups/:group_id/members/:member_id`

Delete a group member
Authenticated user must be a owner of the group

Invitations

`GET /groups/:group_id/invitations`

List group invitations
Authenticated user must be a owner of the group

`POST /groups/:group_id/invitations`

Create a group invitation
Authenticated user must be a owner of the group

`POST /groups/:group_id/invitations/:invitation_id/accept`

Accept the invitation

`POST /groups/:group_id/invitations/:invitation_id/decline`

Decline the invitation

`GET /user/invitations`

List invitations for the authenticated user