Details

Reviewers

varun
tomek
ginsu
• derek
atul

Summary

keep the devices' crypto key stored as part of the cookie. linear task depends on D5603

Test Plan

create an account/login & have social proof embedded in the cookie record

Diff Detail

Repository

rCOMM Comm

Branch

derek/siwe-client-key

Lint

No Lint Coverage

Unit

No Test Coverage

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes

Herald added a subscriber: • abosh. · View Herald TranscriptNov 15 2022, 1:19 PM

• derek edited the summary of this revision. (Show Details)Nov 15 2022, 1:19 PM

added types

Harbormaster returned this revision to the author for changes because remote builds failed.Nov 15 2022, 1:22 PM

Harbormaster failed remote builds in B13446: Diff 18444!

Harbormaster failed remote builds in B13447: Diff 18445!

updated public key types

Harbormaster returned this revision to the author for changes because remote builds failed.Nov 16 2022, 9:08 AM

Harbormaster failed remote builds in B13482: Diff 18485!

fixed flow types

added social proof & public key to login cookie creation

Harbormaster completed remote builds in B13488: Diff 18495.Nov 16 2022, 9:51 AM

Harbormaster completed remote builds in B13489: Diff 18496.Nov 16 2022, 9:57 AM

• derek requested review of this revision.Nov 16 2022, 9:57 AM

Please annotate the diff with the correct parent / child relationships with other diffs. I can't see your stack

keyserver/src/creators/account-creator.js
74 ↗	(On Diff #18496)	I think the plaintext of the signed message should contain the public key, so shouldn't be a need to transmit it separately... we just need to parse it out
106 ↗	(On Diff #18496)	Where does this end up getting used again? Is it currently not used? (Fine if not, just need a reminder) Unrelated – wanted to find the relevant diff, but couldn't because you didn't list your stack, so leaving here – we should make sure a user is only associated with a single ETH address, a single ETH address is only associated with a single user
native/account/siwe-panel.react.js
57 ↗	(On Diff #18496)	Why are we sending the same thing up twice?
native/schema/CommCoreModuleSchema.js
21–24 ↗	(On Diff #18496)	Thanks for typing this. I think you'll need to rerun codegen now

This revision now requires changes to proceed.Nov 16 2022, 8:07 PM

• derek edited the summary of this revision. (Show Details)Nov 17 2022, 9:20 AM

• derek added a parent revision: D5603: [keyserver/types] SIWE endpoint: types & native server call.

• derek marked 2 inline comments as done.Nov 18 2022, 8:17 AM

• derek added inline comments.

keyserver/src/creators/account-creator.js
74 ↗	(On Diff #18496)	we removed the public key from users/sessions table, i was under the impression every new account was registering with the public key from their device
106 ↗	(On Diff #18496)	public key isn't getting used yet: We need this for SIWE because the "social proof" should have this key, and it's easier for us to make sure it's there from the start then to go back and have to rethink things later ^link added the diff to the stack (i wrote `depends on [link]` instead of `depends on [diff#]`) - regarding single eth address, i'm confident that's covered in D5603, but there's definitely more work to be done in that category (making sure normal usernames don't overlap, ens resolution etc.)
native/account/siwe-panel.react.js
57 ↗	(On Diff #18496)	it's really a placeholder pending more discussion on what the social proof actually consists of. i removed it and marked it as optional in the flow types. i'll add a comment to the linear task linking back to this diff
native/schema/CommCoreModuleSchema.js
21–24 ↗	(On Diff #18496)	reran codegen but no changes came up - i think it was just the lack of typing on js side

removed duplicate argument

Harbormaster completed remote builds in B13559: Diff 18578.Nov 18 2022, 8:32 AM

addressed comments

reverted changes applied to wrong diff

Harbormaster completed remote builds in B13566: Diff 18585.Nov 18 2022, 9:51 AM

Harbormaster completed remote builds in B13567: Diff 18586.Nov 18 2022, 9:53 AM

I think there's some confusion about what the socialProof needs to contain. See inline comments

keyserver/src/creators/account-creator.js
106–107 ↗	(On Diff #18586)	we removed the public key from users/sessions table, i was under the impression every new account was registering with the public key from their device Not sure why you're bringing up the user vs. device distinction. Repeating my comment here: I think the plaintext of the signed message should contain the public key, so shouldn't be a need to transmit it separately... we just need to parse it out The `socialProof` is a signed message that contains the `publicKey` inside it, right? So instead of sending the `publicKey` twice, can we just parse it out of the `socialProof`? We can't just take the user's "word for it" that the `publicKey` matches the `socialProof`... we need to parse the `socialProof` to make sure that it includes the `publicKey`. At that point, we'll have the `publicKey`... so there's no reason to send it up separately. Let me know over chat if that's unclear!
keyserver/src/session/cookies.js
645–648 ↗	(On Diff #18586)	Can we make all of these `$ReadOnly` by prefixing with `+`?
lib/types/account-types.js
161–165 ↗	(On Diff #18586)	Why'd you remove the `+`? Let's make it `$ReadOnly` again
native/account/siwe-panel.react.js
46 ↗	(On Diff #18586)	I think we want the `signature` to contain the `publicKey`, so this is too late in the process for us to doing this The point of the social proof is to prove that Ethereum account X corresponds to Comm account Y. To do that, we sign a message containing Y's public key using X's private key. Does that make sense?

This revision now requires changes to proceed.Nov 18 2022, 12:48 PM

added public key to message prior to signing

need flow fix me help

native/account/siwe-panel.react.js
50 ↗	(On Diff #18621)	i'm having trouble with flow here. WebViewProps are typescript declarations & don't seem to play nicely with flow

removed unnecessary function call

still planning changes tho

Harbormaster completed remote builds in B13593: Diff 18621.Nov 19 2022, 1:07 PM

Harbormaster completed remote builds in B13594: Diff 18622.

ashoat added inline comments.Nov 19 2022, 6:37 PM

native/account/siwe-panel.react.js
23 ↗	(On Diff #18621)	Why'd you remove this space
41 ↗	(On Diff #18621)	Prefix with `+` to make `$ReadOnly`
50 ↗	(On Diff #18621)	Yes you cannot use TypeScript declarations in Flow...

spacing, readonly

native/account/siwe-panel.react.js
50 ↗	(On Diff #18621)	Cannot instantiate `React.Ref` because `WebViewProps` [1] is incompatible with AbstractComponent [2] in type argument `ElementType` can we leave the FlowFixMe(s) here? if not, how do I typecast WebViewProps as a component?

Harbormaster completed remote builds in B13634: Diff 18681.Nov 21 2022, 7:29 AM

ashoat added inline comments.Nov 21 2022, 7:30 AM

native/account/siwe-panel.react.js
50 ↗	(On Diff #18621)	You have to type `WebViewProps` in Flow. if not, how do I typecast WebViewProps as a component? You shouldn't be "typecasting" it, you should just make sure you're using the types correctly. Have you tried Googling eg. "how to type a React component in Flow"? The first result for that query (for me, anyways) is Flow's React type reference. You could start by reading `React.Ref` first (since that's what you're using here), and next try reading `React.ComponentType`. What's obviously wrong here from a cursory read through those docs is that you're passing a type representing the props of a component (`WebViewProps`) to a type (`React.Ref`) that expects its parameter to be a React component (`React.ComponentType`).

can we leave the FlowFixMe(s) here?

Definitely not

This revision now requires changes to proceed.Nov 21 2022, 7:31 AM

updated flow typing

Harbormaster completed remote builds in B13674: Diff 18739.Nov 22 2022, 11:18 AM

Two comments from earlier review were not addressed

keyserver/src/creators/account-creator.js
106–107 ↗	(On Diff #18586)	See here
native/account/siwe-panel.react.js
46 ↗	(On Diff #18586)	And here

This revision now requires changes to proceed.Nov 22 2022, 5:14 PM

You're most of the way there, though. Point is basically "keyserver needs to verify that the provided public key matches what is contained within the provided message, and that isn't being done currently. To do that, keyserver needs to extract the public key... but at that point, we don't need to ask the client to pass it in separately.'

Does that make sense? keyserver just needs the ETH-signed message. Then it extracts the Comm public key out of the message, verifies that request.address signed it (not currently being done it seems?), and then goes ahead and associated that cookie with that socialProof

keyserver/src/creators/account-creator.js
74	We need to verify that `request.address` actually signed the `socialProof`
landing/siwe.react.js
46	I checked the whitepaper draft for what to use. Here's what I found: Comm wants you to sign in with your Ethereum account: 0xC02aaA39b223FE8D0A0e5C4F27eAD9083C756Cc2 I accept the Comm Terms of Service: https://comm.app/tos URI: https://comm.app/login Version: 1 Chain ID: 1 Nonce: 32891756 Issued At: 2022-07-24T16:25:24Z There's a lot of questions here: I think it's missing the public key. I'm rather confident that's an accidental omission, but currently checking with Anunay. You're including that here which is good! We need a nonce passed in from the `keyserver` I think, but I seem to remember there's a task for that? I can't tell what part of this is SIWE boilerplate (presumably that this `SiweMessage` class will handle?), and it's confusing to see the developer-defined message split by the Ethereum address. We should probably update the whitepaper to have the real "URI" produced by our messages in production instead of "https://comm.app/login" "https://comm.app/tos" in the whitepaper should be replaced with "https://comm.app/terms" We can probably handle all of this stuff in a later diff

• derek mentioned this in D5851: [lib] SIWE: added types & modified reducers.Dec 9 2022, 2:58 PM

• derek added a child revision: D5851: [lib] SIWE: added types & modified reducers.Dec 9 2022, 2:58 PM

atul commandeered this revision.Dec 22 2022, 12:07 AM

atul edited reviewers, added: • derek; removed: atul.

I assume we're abandoning this one as well given @atul's comment. We can always come back to it later if we change our mind

ashoat commandeered this revision.Dec 25 2022, 8:19 AM

ashoat edited reviewers, added: atul; removed: ashoat.

This revision now requires review to proceed.Dec 25 2022, 8:19 AM

ashoat abandoned this revision.Dec 25 2022, 8:19 AM

[keyserver] add public key/social proof to the cookie record
AbandonedPublic
Actions

Details

Diff Detail

Event Timeline

Revision Contents
Changeset List

Diff 18739

keyserver/src/creators/account-creator.js

keyserver/src/responders/user-responders.js

keyserver/src/session/cookies.js

landing/siwe.react.js

lib/types/account-types.js

native/account/logged-out-modal.react.js

native/account/siwe-panel.react.js

native/schema/CommCoreModuleSchema.js

native/utils/url-utils.js

[keyserver] add public key/social proof to the cookie recordAbandonedPublicActions

Details

Diff Detail

Event Timeline

Revision ContentsChangeset List

Diff 18739

keyserver/src/creators/account-creator.js

keyserver/src/responders/user-responders.js

keyserver/src/session/cookies.js

landing/siwe.react.js

lib/types/account-types.js

native/account/logged-out-modal.react.js

native/account/siwe-panel.react.js

native/schema/CommCoreModuleSchema.js

native/utils/url-utils.js

[keyserver] add public key/social proof to the cookie record
AbandonedPublic
Actions

Revision Contents
Changeset List