diff --git a/shared/protos/identity_client.proto b/shared/protos/identity_client.proto
new file mode 100644
--- /dev/null
+++ b/shared/protos/identity_client.proto
@@ -0,0 +1,177 @@
+syntax = "proto3";
+
+package identity.client;
+
+// RPCs from a client (iOS, Android, or web) to identity service
+service IdentityClientService {
+  // Called by user to register with the Identity Service (PAKE only)
+  rpc RegisterUser(stream RegistrationRequest) returns (stream
+    RegistrationResponse) {}
+  // Called by user to update password and receive new access token
+  rpc UpdateUserPassword(stream UpdateUserPasswordRequest) returns
+    (stream UpdateUserPasswordResponse) {}
+  // Called by user to register device and get an access token
+  rpc LoginPasswordUser(stream OpaqueLoginRequest) returns
+    (stream OpaqueLoginResponse) {}
+  rpc LoginWalletUser(WalletLoginRequest) returns (WalletLoginResponse) {}
+  // Called by a user to delete their own account
+  rpc DeleteUser(DeleteUserRequest) returns (Empty) {}
+
+  // Called by clients to get a nonce for a Sign-In with Ethereum message
+  rpc GenerateNonce(Empty) returns (GenerateNonceResponse) {}
+  // Called by clients to get session initialization info needed to open a new
+  // channel of communication with a given user
+  rpc GetSessionInitializationInfo(GetSessionInitializationInfoRequest) returns
+    (GetSessionInitializationInfoResponse) {}
+}
+
+// Helper types
+
+message Empty {}
+
+message SessionInitializationInfo {
+  string payload = 1;
+  string payloadSignature = 2; // payload signed with the signing ed25519 key
+  optional string socialProof = 3; // signed message used for SIWE (optional)
+}
+
+// RegisterUser
+
+// Request for registering a new user
+message ClientRegistrationRequest {
+  // ed25519 key for the given user's device
+  string deviceEd25519PublicKey = 1;
+  // Message sent to initiate PAKE registration (step 1)
+  bytes opaqueRegistrationRequest = 2;
+  string username = 3;
+  // Information specific to a user's device needed to open a new channel of
+  // communication with this user
+  SessionInitializationInfo sessionInitializationInfo = 4;
+}
+
+
+// Messages sent from a client to Identity Service
+message RegistrationRequest {
+  oneof data {
+    // First message in PAKE registration + user information
+    ClientRegistrationRequest registrationRequest = 1;
+    // Final message in PAKE registration
+    bytes opaqueRegistrationUpload = 2;
+  }
+}
+
+// Messages sent from Identity Service to client
+message RegistrationResponse {
+  oneof data {
+    // sent to the user upon reception of the PAKE registration attempt
+    // (step 2)
+    bytes opaqueRegistrationResponse = 1;
+    // After successful unpacking of user credentials, return token
+    string accessToken = 2;
+  }
+}
+
+// UpdateUserPassword
+
+// Request for updating a user, similar to registration but need a
+// access token to validate user before updating password
+message InitialUpdateUserPasswordRequest {
+  // ed25519 key for the given user's device
+  string signingPublicKey = 1;
+  // Message sent to initiate PAKE registration (step 1)
+  bytes opaqueRegistrationRequest = 2;
+  string username = 3;
+  // Information specific to a user's device needed to open a new channel of
+  // communication with this user
+  SessionInitializationInfo sessionInitializationInfo = 4;
+  // Used to validate user, before attempting to update password
+  string accessToken = 5;
+}
+
+// Do a user registration, but overwrite the existing credentials
+// after validation of user
+message UpdateUserPasswordRequest {
+  oneof data {
+    InitialUpdateUserPasswordRequest updateRequest = 1;
+    bytes opaqueRegistrationUpload = 2;
+  }
+}
+
+message UpdateUserPasswordResponse {
+  oneof data {
+    bytes opaqueRegistrationResponse = 1;
+    // After validating client reponse, mint a new token
+    string accessToken = 2;
+  }
+}
+
+// LoginUser
+
+message InitialOpaqueLoginRequest {
+  string username = 1;
+  // ed25519 key for the given user's device
+  string signingPublicKey = 2;
+  // Message sent to initiate PAKE login (step 1)
+  bytes opaqueLoginRequest = 3;
+  // Information specific to a user's device needed to open a new channel of
+  // communication with this user
+  SessionInitializationInfo sessionInitializationInfo = 4;
+}
+
+message OpaqueLoginRequest {
+  oneof data {
+    InitialOpaqueLoginRequest loginRequest = 1;
+    // Message containing client's reponse to server challenge.
+    // Used to verify that client holds password secret (Step 3)
+    bytes opaqueLoginUpload = 1;
+  }
+}
+
+message OpaqueLoginResponse {
+  oneof data {
+    // Opaque challenge sent from server to client attempting to login (Step 2)
+    bytes opaqueServerResponse = 1;
+    // Mint and return a new key upon successful login
+    string accessToken = 2;
+  }
+}
+
+message WalletLoginRequest {
+  // ed25519 key for the given user's device
+  string signingPublicKey = 1;
+  string siweMessage = 2;
+  string siweSignature = 3;
+  // Information specific to a user's device needed to open a new channel of
+  // communication with this user
+  SessionInitializationInfo sessionInitializationInfo = 4;
+}
+
+message WalletLoginResponse {
+  string accessToken = 1;
+}
+
+// DeleteUser
+
+message DeleteUserRequest {
+  string accessToken = 1;
+}
+
+// GenerateNonce
+
+message GenerateNonceResponse{
+  string nonce = 1;
+}
+
+// GetSessionInitializationInfo
+
+message GetSessionInitializationInfoRequest {
+  oneof identifier {
+    string username = 1;
+    string walletAddress = 2;
+  }
+}
+
+message GetSessionInitializationInfoResponse {
+  // Map is keyed on devices' public ed25519 key used for signing
+  map devices = 1;
+}
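Review bot: `OpaqueLoginRequest` gives both members of its `oneof data` field number 1 (`InitialOpaqueLoginRequest loginRequest = 1;` followed by `bytes opaqueLoginUpload = 1;`), which protoc rejects as a duplicate field number; the second member should be `bytes opaqueLoginUpload = 2;`, matching the `= 1`/`= 2` layout used by `RegistrationRequest` and `UpdateUserPasswordRequest`. Separately, `InitialUpdateUserPasswordRequest` authorizes overwriting the stored OPAQUE credential with nothing but `accessToken`, so anyone holding a leaked or stolen device token can rotate the password and mint a fresh token without ever proving knowledge of the current one; if that is not intended, the server should require a successful OPAQUE login with the existing password first, and the field deserves a comment such as `// NOTE: bearer-token-only authorization; a stolen token suffices to change the password`. `GetSessionInitializationInfoResponse` declares `map devices = 1;` with no key/value types, which also will not compile as shown, though the angle-bracketed parameters (presumably `map<string, SessionInitializationInfo>`) may simply have been lost in rendering. The hunk covers the entire new file.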