X-Git-Url: https://git.squeep.com/?p=squeep-authentication-module;a=blobdiff_plain;f=README.md;h=6b4400ea56b2285729fd59e3c6fcf307d71a89d4;hp=d5feea6e6b748df0b0c3558c9b9db740bc59cafa;hb=HEAD;hpb=92658b114da01ab5537c53dee7ff5ad6385fe179 diff --git a/README.md b/README.md index d5feea6..c4234f6 100644 --- a/README.md +++ b/README.md @@ -34,7 +34,39 @@ Class providing service handler functions for rendering and processing session l for local users, or redirecting to IndieAuth server and persisting transient state in session cookie. - `getAdminIA` interprets the returning redirect from the IndieAuth server. +- `getAdminSettings` renders the HTML account settings form +- `postAdminSettings` ingests and acts on account updates + +### Helpers + +- `sessionNavLinks` call from app templates to populate navLinks for account settings and logout + +### ResourceAuthenticator + +Class which fetches and validates resource identifiers and their secrets from database. + +Resources are assumed to be other services making API calls. + +This is just a time-gated pre-shared-secret HMAC Bearer token scheme. + +Default token format is a ':'-separated concatenation of: + +- resource identifier, which is a UUID, encoded as 24 bytes in base64url +- current epoch, encoded as base10 string +- salt value, randomness encoded as 28 bytes in base64url +- sha256 HMAC digest of previous data, encoded in base64url ### Other Notes -The logger used should be able to mask `ctx.parsedBody.credential` context field. +For the moment, this imposes a web structure of /admin/* for authentication management paths. + +The logger used should be able to mask these context fields: + +- `ctx.parsedBody.credential` +- `ctx.parsedBody.credential-old` +- `ctx.parsedBody.credential-new` +- `ctx.parsedBody.credential-new-2` +- `ctx.otpKey` +- `ctx.otpConfirmBox` +- `ctx.otpConfirmKey` +- `ctx.otpState`
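Review bot: the token-format bullets under "ResourceAuthenticator" are ambiguous about whether the stated sizes are raw byte counts or encoded lengths, which matters for anyone validating these tokens against this spec. A UUID is 16 bytes, which base64url-encodes to 22 characters (24 with `=` padding), so "resource identifier, which is a UUID, encoded as 24 bytes in base64url" only makes sense if 24 is the padded encoded length; by the same reading "salt value, randomness encoded as 28 bytes in base64url" would be 21 random bytes, not 28. Suggest restating each field as "N raw bytes, base64url-encoded (M characters, padded/unpadded)" so the two readings cannot be confused, and since the ':' separator is also a valid character boundary in base64url but not a base64url character, note explicitly that fields are split on ':' before decoding. Two further gaps in the same section: "time-gated" is asserted but the accepted skew window for the "current epoch, encoded as base10 string" field is not documented (seconds vs. milliseconds is also unstated), and the line "sha256 HMAC digest of previous data" does not say which secret keys the HMAC (presumably the resource's pre-shared secret) nor whether the input is the exact ':'-joined string of the first three fields. Adding one sentence for each would make the format implementable from the README alone.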