Enabling tauri's http module #125

Open
mattyg opened this issue Jan 28, 2023 · 0 comments

Is your feature request related to a problem? Please describe.
I want to be able to make arbitrary HTTP requests to the web. This will enable oracles, email, push notifications, other external APIs, scraping website content, website screenshots, etc.

Describe the solution you'd like
Tauri has a built-in HTTP module that lets you make requests outside of the browser context to avoid CORS restrictions.

This introduces the security risk of agents being unintentionally used in a botnet or contributing to a DDoS. To mitigate these risks we can:

  • Rate-limit all requests
  • Use an allow list to restrict which URLs can be requested. This allow list can also use glob matching syntax for a range of URLs i.e. https://api.weather.com/**
  • Restrict each allow list item to a single happ
  • Require agent signature to modify the allow list
  • Require manual user approval to add items to the allow list by clicking "Accept" on a dialog prompt
  • Optionally expire each allow list item after a predefined time
  • Optionally expire each allow list item after a predefined number of requests

I'm imagining something like this exposed to the frontend:

```ts
addToAllowlist(urlGlob: string, expiration_ms: number | null, expiration_requests_count: number | null): Promise<AllowList> // add a given url glob to the allowlist for the current happ
removeFromAllowlist(urlGlob: string): Promise<AllowList> // remove a given url glob from the allowlist for the current happ
getAllowlist(): Promise<AllowList> // get the current list of allowed url globs for the current happ
fetch(...): Promise<Response> // make an http request, assuming the url is allowed, throw error if not allowed
```

Describe alternatives you've considered

  • If the conductor supported making HTTP requests from coordinator zomes, that would make this feature unnecessary. It would also enable HTTP requests from headless DNAs that don't rely on Tauri (as far as I understand). I'm not sure how the HC core team is thinking about this, but would be interested to hear if this is an option or completely off the table.
  • If we had a generic launcher plugin system (see Enable plugin system #42), we could create a "web request plugin" instead of using tauri's built-in http module. The plugin system would enable a much wider range of functionality and allow us to connect to other software like search databases, or media rendering integrated into happs. This has a lot more security considerations so it seems like just using tauri's http module may be a simpler step forward.

Additional context
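
The allow list check proposed in this issue (per-hApp entries, glob matching, expiry by time and by request count), sketched as an added example that is not part of the original issue and is not launcher or Tauri code. Every name in it (`AllowEntry`, `compileGlob`, `isAllowed`, the sample hApp id) is hypothetical; it assumes wildcards are accepted only in the path, so the origin is compared exactly after URL parsing rather than pattern-matched as a raw string. Rate limiting is left out.

```typescript
// Added example. All names here are hypothetical; this is not launcher or Tauri code.
interface AllowEntry {
  happId: string;              // an entry is valid for one hApp only
  urlGlob: string;             // e.g. "https://api.weather.com/**"
  expiresAt: number | null;    // epoch ms; null = no time limit
  requestsLeft: number | null; // null = no request-count limit
}

// Split a glob into an exact origin plus a path pattern. Wildcards are honoured
// only in the path, so the host part can never be widened by "*" or "**".
function compileGlob(urlGlob: string): { origin: string; path: RegExp } {
  const m = /^(https?:\/\/[^\/*?#@]+)(\/[^?#]*)$/.exec(urlGlob);
  if (!m) throw new Error("glob must be scheme://host/path, no wildcard in host");
  const escaped = m[2].replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  const body = escaped.replace(/\*\*/g, "\u0000").replace(/\*/g, "[^/]*").replace(/\u0000/g, ".*");
  return { origin: new URL(m[1]).origin, path: new RegExp("^" + body + "$") };
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch (e) { return null; }
}

// True if some live entry of this hApp covers the URL; consumes one request from it.
function isAllowed(list: AllowEntry[], happId: string, rawUrl: string, now: number): boolean {
  const u = parseUrl(rawUrl);
  if (u === null || u.username !== "" || u.password !== "") return false;
  for (const entry of list) {
    if (entry.happId !== happId) continue;
    if (entry.expiresAt !== null && now >= entry.expiresAt) continue;
    if (entry.requestsLeft !== null && entry.requestsLeft <= 0) continue;
    const g = compileGlob(entry.urlGlob);
    // Compare the parsed origin exactly; match the glob against the normalised path.
    if (u.origin !== g.origin || !g.path.test(u.pathname)) continue;
    if (entry.requestsLeft !== null) entry.requestsLeft -= 1;
    return true;
  }
  return false;
}

// Constructed sample: one entry, expiring at t=2000 ms or after 2 requests.
function sampleList(): AllowEntry[] {
  return [{ happId: "weather-happ", urlGlob: "https://api.weather.com/**", expiresAt: 2000, requestsLeft: 2 }];
}
```

A check like this only constrains requests if it runs on the side that actually performs the HTTP call, not in the hApp's own frontend code.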
