Auto-indexing service and GraphQL API for AT Protocol Records quickslice.slices.network/
atproto gleam graphql

docs: update deployment guide and example security notes

- Clarify that only the secret key value should be copied from goat output
- Add example lexicons link to tangled.org
- Add backfill duration and storage cost warnings
- Update statusphere example security notes for DPoP and localStorage

Changed files
+25 -9
+21 -6
docs/guides/deployment.md
··· 21 21 goat key generate -t p256 22 22 ``` 23 23 24 - Paste the output into the `OAUTH_SIGNING_KEY` field in Railway, then click **Save Config**. 24 + This outputs: 25 + 26 + ``` 27 + Key Type: P-256 / secp256r1 / ES256 private key 28 + Secret Key (Multibase Syntax): z42tsQ4W... 29 + Public Key (DID Key Syntax): did:key:zDnaek... 30 + ``` 31 + 32 + Copy only the **Secret Key** value (starts with `z`) and paste it into the `OAUTH_SIGNING_KEY` field in Railway, then click **Save Config**. 25 33 26 34 ### 3. Configure Your Domain 27 35 ··· 53 61 From the homepage, go to **Settings**: 54 62 55 63 1. Enter your **Domain Authority** in reverse-domain format (e.g., `xyz.statusphere`) 56 - 2. Upload your Lexicons as a `.zip` file (JSON format, directory structure doesn't matter): 64 + 2. Upload your Lexicons as a `.zip` file (JSON format, directory structure doesn't matter). See [statusphere lexicons](https://tangled.org/slices.network/lexicon-sets/tree/main/statusphere) for an example. 57 65 ``` 58 66 lexicons.zip 59 67 └── lexicons/ 60 68 └── xyz/ 61 69 └── statusphere/ 62 - ├── status.json 63 - └── follow.json 70 + └── status.json 64 71 ``` 65 72 3. Click **Trigger Backfill** to import existing records from the network. The Quickslice logo enters a loading state during backfill and the page refreshes when complete. Check Railway logs to monitor progress: 66 73 ``` ··· 69 76 INFO [backfill] PDS worker 69/87 done (746 records) 70 77 ... 71 78 ``` 79 + Depending on the lexicon, this could take a few seconds (`xyz.statusphere.*`) to days (`app.bsky.*`) to complete. Be mindful of your available storage and associated cloud provider fees when backfilling large lexicons. 
72 80 73 81 ## Environment Variables 74 82 ··· 100 108 101 109 [env] 102 110 DATABASE_URL = 'sqlite:/data/quickslice.db' 111 + EXTERNAL_BASE_URL=https://your-quickslice.fly.dev 103 112 HOST = '0.0.0.0' 104 113 PORT = '8080' 105 114 ··· 124 133 125 134 ```bash 126 135 fly secrets set SECRET_KEY_BASE=$(openssl rand -base64 48) 127 - fly secrets set OAUTH_SIGNING_KEY="$(goat key generate -t p256)" 136 + ``` 137 + 138 + Generate a signing key and copy only the **Secret Key** value (starts with `z`): 139 + 140 + ```bash 141 + goat key generate -t p256 142 + fly secrets set OAUTH_SIGNING_KEY="z42tsQ4W..." # paste your secret key here 128 143 ``` 129 144 130 145 ### 4. Deploy ··· 164 179 165 180 ```bash 166 181 SECRET_KEY_BASE=$(openssl rand -base64 48) 167 - OAUTH_SIGNING_KEY=$(goat key generate -t p256) 182 + OAUTH_SIGNING_KEY=z42tsQ4W... # paste your secret key here 168 183 ``` 169 184 170 185 Start:
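Review bot: In the first hunk, "Copy only the **Secret Key** value (starts with `z`)" is a weak discriminator, because the sample output's public key also has a `z`-prefixed body (`did:key:zDnaek...`). Suggest identifying the value by its label instead, for example "the value on the `Secret Key (Multibase Syntax)` line", and adding that the `Public Key (DID Key Syntax)` line must not be pasted into `OAUTH_SIGNING_KEY`. The same "starts with `z`" wording is repeated in the Fly secrets hunk and should change with it.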
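Review bot: In the `[env]` hunk, the added `EXTERNAL_BASE_URL=https://your-quickslice.fly.dev` is unquoted, unlike its neighbours `DATABASE_URL = 'sqlite:/data/quickslice.db'` and `HOST = '0.0.0.0'`. A bare URL is not a valid TOML value, so a reader who copies this block gets a parse error instead of a deployment. Suggest `EXTERNAL_BASE_URL = 'https://your-quickslice.fly.dev'`, matching the quoting and spacing of the surrounding lines.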
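Review bot: In the Fly secrets hunk, `fly secrets set OAUTH_SIGNING_KEY="z42tsQ4W..."` has the reader paste the private signing key into an interactive command, which leaves it in shell history, and `goat key generate -t p256` prints it to the terminal scrollback as well. The removed `$(goat key generate -t p256)` form was wrong for the reason the commit message gives, but it kept the key out of history. Suggest a sentence after the block telling readers to remove the history entry or to supply the value without typing it on the command line. The `.env` hunk below has the same paste step and should say that the file must stay out of version control.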
+4 -3
examples/01-statusphere/README.md
··· 56 56 57 57 ## Security Notes 58 58 59 - - Tokens are stored in `sessionStorage` (cleared when tab closes) 60 - - No external dependencies - all code is inline 59 + - Uses the local `quickslice-client-js` SDK from `../../quickslice-client-js` 60 + - Tokens are stored in `localStorage` (shared across tabs, persisted across sessions) 61 + - Uses DPoP (Demonstrating Proof-of-Possession) for token binding 61 62 - Uses PKCE for secure OAuth flow 62 - - CSP header restricts connections to localhost:8080 63 + - CSP header restricts script sources and connections 63 64 64 65 ## Troubleshooting 65 66
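Review bot: In the Security Notes hunk, the `localStorage` bullet replaces the `sessionStorage` one with a description ("shared across tabs, persisted across sessions") but no statement of the trade-off: tokens now outlive the tab and are readable by any script running on the origin. Since the next bullet relies on DPoP for token binding, say where the DPoP key is stored and whether it is extractable, because that determines how much the binding helps if a script on the page is compromised. The CSP bullet also became less specific than the removed `localhost:8080` wording; listing the actual allowed script and connect sources would let a reader check the header against the note.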