Authentication Using The OPAQUE-3DH Protocol
Although some of the endpoints of the server is available without authentication, any client who wishes to access their files need to authenticate themselves with the server. Excalibur uses the OPAQUE-3DH protocol to authenticate users.
The OPAQUE-3DH protocol is a modern augmented password-authenticated key exchange (aPAKE) protocol that supports bilateral authentication of both the client and the server, as well as providing forward secrecy and the ability to hide the password from the server, even during registration.
The full OPAQUE-3DH process is described in RFC9807. Excalibur's implementation requires referencing RFC9496 (ristretto255 Elliptic Curve Group) and RFC9497 (Oblivious PRFs).
Logging In
Logging in uses a WebSocket connection to the /api/auth/opaque endpoint.
Registration
Registration uses a WebSocket connection to the /api/auth/opaque/register endpoint. The whole process is roughly as follows:
Editing Records
Sometimes, a user may want to change their username, password, or other details associated with their account. This endpoint allows the client to edit the user's record in the server's database.