This repository is an example of a very simple Node.js service that uploads images and adds a C2PA manifest to each image. It is written in plain Javascript, HTML, and CSS to be as generic as possible.
NOTE: This is NOT an example of the C2PA Javascript API. Rather, it demonstrates how a server application using Express can call c2patool to add content credentials in a C2PA manifest to an image. The client JavaScript code simply displays information from the manifests.
Follow these steps:
- Install Node.js and npm from https://nodejs.org/en/download.
- Clone this repo by entering this command in a terminal window:
git clone https://github.com/contentauth/c2patool-service-example.git - Download the latest version of c2patool for your platform from https://github.com/contentauth/c2patool/releases.
- Extract the zip file and put a copy of the
c2patoolexecutable in the root of this repo (c2pa_service_exampledirectory). NOTE: Depending on your operating system, you may need to take some extra steps to be able to run this file; for example on MacOS you have to follow the instructions to open a Mac app from an unidentified developer. - Open a terminal window and install the required packages. Enter these commands
cd <path_where_you_cloned_repo>/c2patool-service-example npm install - Start the service by entering this command:
You'll see this in your terminal:
npm start> [email protected] start > nodemon server.js [nodemon] 2.0.21 [nodemon] to restart at any time, enter `rs` [nodemon] watching path(s): *.* [nodemon] watching extensions: js,mjs,json [nodemon] starting `node server.js` CAI HTTP server listening on port 8000.
- Open a browser to http://localhost:8000.
- Click the Choose Files button and select one or more JPEG or PNG images in the native file chooser dialog.
The service uploads the selected images, stores them in theuploadsfolder, and then calls the C2PA Tool to add a C2PA manifest to each image and signs it with demo certificate and private key built-in to the C2PA Tool. The signed image is stored in theuploadsfolder. - Hover over the badge for information about the associated manifest.
- The service returns the full-sized image, not thumbnails.
- Right-click and download an image to view the credentials on https://verify.contentauthenticity.org/.
The code in server.js contains all the server-side logic. It defines three routes:
- GET
/versiondisplays the version of c2patool being used - POST
/uploaduploads a file, and calls out to C2PA Tool to add a C2PA manifest and sign the asset's Content Credentials. C2PA Tool signs the manifest using the built-in test certificate and key, because themanifest.jsonfile in this repository doesn't containprivate_keyandsign_certfields. See note below about handling keys and certificates securely. - GET
/, the default route, servesclient/index.html, which is a simple page with a user interface you can use to upload one or more files. The associated client JavaScript is inclient/index.js. Selecting files triggers a client JavaScript event listener that calls the/uploadroute for each file and then calls theaddGalleryItemfunction to display the returned image on the page.
WARNING: This application illustrates how to sign an asset using C2PA Tool's built-in test certificate and key for demonstration purposes. Using C2PA Tool in this way in production is not scalable. Additionally, for production use, you must purchase a valid certificate and key from a certificate authority (CA). Best practice is to then access them securely by using a hardware security module (HSM) or Key Management Service (KMS); for example as show in the C2PA Python Example.
The data added to the manifest is determined by the manifest.json file in the root folder. To modify the information added to the file, modify manifest.json.
For more information about c2patool and manifests, see the documentation.