Comments (9)
When using Redirect, an application loses all non-persistent state.
We can extend the Redirect approach by providing developers with a conventional library with async methods:
const address = await wallet.auth()
using cross-tab communication:
https://github.com/pubkey/broadcast-channel
The library on page A opens the wallet's redirect URL in a new tab B.
On B, the wallet eventually redirects back to the callback URL.
The library listens to the location change and, once it is the callback URL, emits the data to the other tabs (A) and closes itself (B).
On page A, the library receives the cross-tab event and returns the response to the app.
So we can implement conventional wallet-connect interfaces like
https://github.com/WalletConnect/walletconnect-monorepo
from one-wallet.
@polymorpher for the redirect option, I recommend borrowing concepts from the OAuth2 protocol by making the handshake a multi-step process. Like OAuth, the redirect should obtain a temporary request token and then the client can use that to exchange with an access token to complete the transaction. It is obviously not identical but I see many "man in the middle" security holes if the redirect flow is not implemented correctly.
I thought about using OAuth2. The problems are the following. It would require the application developer to register the app with a central authority which manages and generates secrets for each application. The app would also be forced to bind with a particular client instead of the wallet, since the confidential OAuth token cannot be stored on the wallet - it has to be stored at the wallet client and has a short lifespan.
A major difference between OAuth flow and the use cases here is that neither the app nor the wallet would be expected to do anything offline - the user is involved in every step, and no authorization token is issued to allow either the wallet or the app to do anything without the user's involvement. I think Redirect should be secure against attacks for the following reasons:
- The first redirect from the app to the wallet is secured by HTTPS. If the app redirects to a malicious URL, the malicious URL would not be able to perform use case (2)(4)(5)(6) because it cannot access the storage and state of the wallet which are associated with 1wallet.crazy.one.
- For use case (1), if the malicious URL creates a tampered wallet, the client library can detect that the wallet's code hash is incorrect by retrieving and hashing the code using the returned wallet address. We cannot prevent a malicious URL from creating an untampered wallet, but neither can OAuth, and this scenario would be harmless.
- At the wallet, the user can inspect the request and verify the requested parameters. This and step 1 ensure the request is not tampered with.
- If the request generates a signature, the signature committed, produced, and stored on-chain will only be valid for the request. This applies to use case (2)(5)(6). The signature can also be validated by the app by performing a read-only operation on-chain via the library.
- If the request performs some action and produces a transaction id (use case (4)) or an address (use case (1)), the transaction id can be validated similarly to step 3.
- Use case (3) does not require Redirect.
Would be great to create a data flow diagram for the redirect solution.
Let's focus first on just use case 6 (authorize a request). A tip jar demo as a single-page web app will be useful for our hackathon, even as a DAO peer bonus like Yearn's https://coordinape.com. A helpful feature: no reauthorization for 30 mins for a total of 100 ONE tokens.
For UX or security flow, Google "ethereum login" or "ethereum authentication" or "ethereum iframe". https://github.com/burner-wallet/burner-wallet-2 is a good reference, too.
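The "no reauthorization for 30 mins for a total of 100 ONE" rule proposed above, as an added example that is not one-wallet's code: an app-side allowance object that lets transfers proceed without sending the user back to the wallet while they fall inside the window and under the cumulative cap. Reading the rule as "one authorization covers up to 100 ONE in total within 30 minutes" is my interpretation; amounts are kept as BigInt in attoONE (1 ONE = 1e18) to avoid float rounding, and the window length and cap are parameters with those defaults.

```javascript
// Added example, not one-wallet's code: the "no reauthorization for 30 min,
// up to 100 ONE in total" rule as an app-side policy object. Amounts are
// attoONE as BigInt (1 ONE = 1e18); window length and cap are parameters.
const ONE = 10n ** 18n;

class SpendingAllowance {
  constructor({ windowMs = 30 * 60 * 1000, capAtto = 100n * ONE } = {}) {
    this.windowMs = windowMs;
    this.capAtto = capAtto;
    this.grantedAt = null;   // time of the last explicit user authorization
    this.spentAtto = 0n;     // cumulative spend inside the current window
  }

  // Called after the user explicitly authorizes in the wallet (use case 6).
  grant(nowMs) {
    this.grantedAt = nowMs;
    this.spentAtto = 0n;
  }

  // Returns true when the transfer may proceed without a new authorization;
  // false means the app must send the user back to the wallet. A transfer
  // that would push the window total over the cap is refused outright
  // rather than partially allowed, and the running total is left unchanged.
  tryCharge(amountAtto, nowMs) {
    if (typeof amountAtto !== 'bigint' || amountAtto <= 0n) {
      throw new TypeError('amount must be a positive bigint in attoONE');
    }
    const expired = this.grantedAt === null || nowMs < this.grantedAt ||
                    nowMs - this.grantedAt >= this.windowMs;
    if (expired) {                 // window over, or clock went backwards
      this.grantedAt = null;
      this.spentAtto = 0n;
      return false;
    }
    if (this.spentAtto + amountAtto > this.capAtto) return false;
    this.spentAtto += amountAtto;
    return true;
  }
}
```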
Coordinape restricts access but the article linked on the site is informative: https://medium.com/iearn/decentralized-payroll-management-for-daos-b2252160c543
Yes, we can start with a quick tip jar demo based on (5) request authorization and (4) transfer
@polymorpher have you checked out the Authereum app connection libraries? https://docs.authereum.com/integration
Note: work is underway in various PRs. Also see documentation in https://github.com/polymorpher/one-wallet/wiki/App-Integration
This is a great project. I'm starting to develop an application based on Harmony and I'd really love to be able to integrate such a feature. Will follow this thread with a lot of curiosity. Good luck!