I have a server application, where a user can register and create a list of favorite places.
This user can invite friends to see his favorite places. Let’s call it PlaceBook.
The first time a user connects to the app, he logs in through his Solid POD WebID and authorizes PlaceBook to read and write his pod.
For all subsequent connections to PlaceBook, the user is no longer asked whether he authorizes PlaceBook to access his pod, because authorization has already been given and is stored in the user's POD.
First question: how does the Solid Pod know that the request is from an authorized app? Just by checking the URL referrer? Is this safe (meaning: can't the URL referrer be tampered with)?
So any time the user creates a new place through PlaceBook, PlaceBook creates this place in the user's pod, which it is authorized to do.
With one user, all is still pretty clear. Now with several users:
I am user B. Through PlaceBook, user A has invited me as one of his friends. This means, inside PlaceBook, that user B can see the places visited by user A.
When user B connects through PlaceBook, he authorizes PlaceBook to access his pod. But also: user B wants to see the list of his friends (OK) and also the list of places visited by his friends. The list of places visited by user B's friends is stored in the friends' PODs, which is fine because PlaceBook has access to them (as they are part of PlaceBook and gave authorization).
Therefore: I am connected as user B, and PlaceBook will access files in user A's POD. How does this work? Just because PlaceBook will emit an HTTP request to user A's pod and this request is coming from an authorized URL? Or is there a certificate / token to be used as well? And if so: is this certificate / token unique to PlaceBook as an app token, or will there be one certificate / token for every actual user of the app? Which means that the first time a user connects to PlaceBook and authorizes access, PlaceBook should store this user token in its own database in order to use it any time it needs to access the POD?
Thank you for your help!