# laseca docs

This is the documentation of laseca. It's targeted at devs and operators.

## Overview

laseca is a simple webapp. It follows a pretty standard setup:

* A Postgres database holds the data of the application.
* A NodeJS+ExpressJS app serves both UI pages and API endpoints for the app.
* We suggest serving with Caddy, but any web server should do.

## Sessions, users and authentication

All users of laseca must have a Nostr identity. Nostr identities consist of a public-private key pair.

Upon visiting any page, the requester gets a session cookie in the form of a UUID7 record. Sessions can be authenticated, which allows users to enter the app itself. Unauthenticated users can only visit the login page and some exceptional pages, if they have the URL.

Signups are not public: individual invites are provided, each identified with a UUID7. Users use invites by visiting an invite page and using it to sign up with their Nostr keypair. The invite URLs are public, but since they hold a UUID7 in them, only people who have been given the URL can actually get in.

When the user signs up or logs in, they are asked to answer a challenge with their Nostr web extension. Successfully signing the challenge with their key identifies them with it, and also increases the privileges of the session.

Should a cookie expire, the user will get a new one, and will have to go through the login again so that the new session has enough privileges.

Invites can be created through the CLI.

## CLI

The app comes with a CLI designed to be used by the laseca instance operator. The CLI is highly privileged and can perform powerful actions. Do not provide anyone with access to it.
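
The challenge step described under "Sessions, users and authentication" can be handled server-side as sketched below. This is an added example, not laseca's own code: the in-memory maps, the function names, the two-minute lifetime and the choice to carry the challenge in the event's `content` field are assumptions, and `verifySchnorr` stands for a BIP-340 verifier supplied by whichever Nostr library the app uses.

```javascript
// Added example (not laseca's code): lifecycle of a login challenge.
const crypto = require('node:crypto');

const CHALLENGE_TTL_MS = 2 * 60 * 1000; // assumed challenge lifetime
const pending = new Map();   // sessionId -> { challenge, expires }
const sessions = new Map();  // sessionId -> { pubkey } once authenticated

// Issue a fresh random challenge bound to one session cookie.
function issueChallenge(sessionId, now = Date.now()) {
  const challenge = crypto.randomBytes(32).toString('hex');
  pending.set(sessionId, { challenge, expires: now + CHALLENGE_TTL_MS });
  return challenge;
}

// NIP-01 event id: SHA-256 over the canonical JSON array serialization.
function eventId(ev) {
  const payload = JSON.stringify(
    [0, ev.pubkey, ev.created_at, ev.kind, ev.tags, ev.content]);
  return crypto.createHash('sha256').update(payload, 'utf8').digest('hex');
}

// verifySchnorr(sigHex, idHex, pubkeyHex) -> boolean is injected by the
// caller (assumption: provided by the app's Nostr library).
function completeLogin(sessionId, ev, verifySchnorr, now = Date.now()) {
  const entry = pending.get(sessionId);
  pending.delete(sessionId); // single use: consumed even when the check fails
  if (!entry || now > entry.expires) return false;
  if (!ev || ev.content !== entry.challenge) return false;
  // Recompute the id so the signature provably covers the challenge text.
  if (ev.id !== eventId(ev)) return false;
  if (!verifySchnorr(ev.sig, ev.id, ev.pubkey)) return false;
  sessions.set(sessionId, { pubkey: ev.pubkey }); // raise session privileges
  return true;
}

function isAuthenticated(sessionId) {
  return sessions.has(sessionId);
}
```

Because the challenge is deleted on the first attempt and tied to the session that requested it, a captured signed event cannot be replayed later or against another session.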