This repository is an example of a very simple Node.js service that uploads images and adds a C2PA manifest to each image. It is written in plain Javascript, HTML, and CSS to be as generic as possible.
NOTE: This is NOT an example of the C2PA Javascript API. Rather, it demonstrates how a server application using Express can call c2patool to add content credentials in a C2PA manifest to an image. The client JavaScript code simply displays information from the manifests.
Follow these steps:
- Install Node.js and npm from https://nodejs.org/en/download.
- Clone this repo by entering this command in a terminal window:
git clone https://github.com/contentauth/c2patool-service-example.git
- Download the latest version of c2patool for your platform from https://github.com/contentauth/c2patool/releases.
- Extract the zip file and put a copy of the
c2patool
executable in the root of this repo (c2pa_service_example
directory). NOTE: Depending on your operating system, you may need to take some extra steps to be able to run this file; for example on MacOS you have to follow the instructions to open a Mac app from an unidentified developer. - Open a terminal window and install the required packages. Enter these commands
cd <path_where_you_cloned_repo>/c2patool-service-example npm install
- Start the service by entering this command:
You'll see this in your terminal:
npm start
> c2pa_serve@0.1.0 start > nodemon server.js [nodemon] 2.0.21 [nodemon] to restart at any time, enter `rs` [nodemon] watching path(s): *.* [nodemon] watching extensions: js,mjs,json [nodemon] starting `node server.js` CAI HTTP server listening on port 8000.
- Open a browser to http://localhost:8000.
- Click the Choose Files button and select one or more JPEG or PNG images in the native file chooser dialog.
The service uploads the selected images, stores them in theuploads
folder, and then calls the C2PA Tool to add a C2PA manifest to each image and signs it with demo certificate and private key built-in to the C2PA Tool. The signed image is stored in theuploads
folder. - Hover over the badge for information about the associated manifest.
- The service returns the full-sized image, not thumbnails.
- Right-click and download an image to view the credentials on https://verify.contentauthenticity.org/.
The code in server.js
contains all the server-side logic. It defines three routes:
- GET
/version
displays the version of c2patool being used - POST
/upload
uploads a file, and calls out to C2PA Tool to add a C2PA manifest and sign the asset's Content Credentials. C2PA Tool signs the manifest using the built-in test certificate and key, because themanifest.json
file in this repository doesn't containprivate_key
andsign_cert
fields. See note below about handling keys and certificates securely. - GET
/
, the default route, servesclient/index.html
, which is a simple page with a user interface you can use to upload one or more files. The associated client JavaScript is inclient/index.js
. Selecting files triggers a client JavaScript event listener that calls the/upload
route for each file and then calls theaddGalleryItem
function to display the returned image on the page.
WARNING: This application illustrates how to sign an asset using C2PA Tool's built-in test certificate and key for demonstration purposes. Using C2PA Tool in this way in production is not scalable. Additionally, for production use, you must purchase a valid certificate and key from a certificate authority (CA). Best practice is to then access them securely by using a hardware security module (HSM) or Key Management Service (KMS); for example as show in the C2PA Python Example.
The data added to the manifest is determined by the manifest.json
file in the root folder. To modify the information added to the file, modify manifest.json
.
For more information about c2patool and manifests, see the documentation.