
Update flow "Sign Twitter" to avoid reuse in another session but allow reuse in the current session #223

Open
oleggrib opened this issue Dec 22, 2021 · 6 comments

@oleggrib
Collaborator

oleggrib commented Dec 22, 2021

As @colourful-land mentioned in #203, we have to avoid reuse of that flow and ask for a single IDAttestation per Twitter login session.

My suggestion:

  • when the user authenticates with Twitter through Auth0, they receive a token (the frontend adds it to the header as x-ac: e2WyLe6rNyXNxTSAIv2XdJIxweeeeSd9ud)
  • we can update the message to sign to a format like "Please sign this message to acquire your public attestation. (e2WyLe6rNyXNxTSAIv2XdJIxweeeeSd9ud)", i.e. just add that Auth0 token, its hash, or a slightly cropped hash to the message to sign
  • we can save the signature for the current Auth0 session and reuse it for the next IDAttestations in this session, with no need to ask the user to sign again
  • in that case the flow is simplified for multiple autographs inside a single Auth0 session, but nobody can reuse it for another session

As an option: we can sign an EIP712 message instead of a text string if it's supported by most wallets. Anyway, we use EIP712 for the attestation.id attestRequest, so if a wallet doesn't support EIP712 then it can't sign attestRequest either :-)

That flow requires updates to the attestation.id backend and the autographnft.io frontend; no need to update the smart contract.
@foxgem, @colourful-land, does it make sense?

cc @AW-STJ

@foxgem
Collaborator

foxgem commented Dec 22, 2021

The expiration of the access token is very short, and signing is actually not a high-frequency action for the same user, so I agree to cache the public attestation, but:

  • the signing message is not changed.
  • cache the public attestation, using ${twitter_id}-${screen_name} as the cache key.

Because the public attestation has no time limit and ${twitter_id}-${screen_name} can live for a long time, we can reuse the same attestation later.

@oleggrib
Collaborator Author

@foxgem, do you remember why IdAttestation has an unlimited TTL? What is the purpose of that?

@foxgem
Collaborator

foxgem commented Dec 22, 2021

Sorry, I don't know. Maybe @colourful-land can answer this.

@oleggrib
Collaborator Author

I am afraid that it can be a security issue if a user has an unlimited Twitter attestation.
Let's imagine that PersonX has the TwitterX account and created twitterIdAttestation(TwitterX) for autographNFT. That attestation will be saved in the blockchain.
Then PersonX sells his TwitterX account to PersonY.
In that case PersonX can still use the TwitterX account because of the unlimited attestation.
@colourful-land, what do you think about that?

@SmartLayer
Collaborator

@colourful-land, what do you think about that?

https://community.tokenscript.org/t/what-if-inet-identifer-such-as-twitter-handle-is-sold/492

@oleggrib
Collaborator Author

@colourful-land, do we have any benefits from an unlimited IDattestation? Do you remember why we don't limit IDattestation with an expiration?
