verify space events identities #142
Conversation
nikgraf
force-pushed
the
ng/verify-space-events-identities
branch
2 times, most recently
from
38b2862 to
53eb782
Compare
nikgraf
force-pushed
the
ng/verify-space-events-identities
branch
from
53eb782 to
c689734
Compare
| SpaceEvents.applyEvent({ | ||
| event, | ||
| state: JSON.parse(lastEvent.state), | ||
| getVerifiedIdentity: () => Effect.succeed(identity), |
There was a problem hiding this comment.
This sounds a bit risky, if we ever change applyEvent to query the identity for a different accountId then this will always return the same identity... I'd suggest passing a getVerifiedIdentity that checks if the accountId is the one we have, and fails otherwise
There was a problem hiding this comment.
yeah, that's I case I didn't imagine, but makes sense. Let me know if the change I made is what you envisioned
nikgraf
force-pushed
the
ng/verify-space-events-identities
branch
from
9684635 to
f55d3a7
Compare
|
|
||
| const result = await Effect.runPromiseExit(SpaceEvents.applyEvent({ event, state: JSON.parse(lastEvent.state) })); | ||
| const getVerifiedIdentity = (accountIdToFetch: string) => { | ||
| // applySpaceEvent is only allowed to be called by the account that is applying the event |
There was a problem hiding this comment.
I guess technically we could remove this check, right? It's assuming the behavior of applySpaceEvent, in the future we could have a case where we need to check the identity for a different account mentioned in the event. (That being said I think it's okay to leave this as it is and change it in the future if needed)
There was a problem hiding this comment.
Yeah, you are right that technically we could remove this check.
At the moment this ensures that the server only applies an event created that this account created. This must not be enforced, but I sleep a bit better that we enforce it. At least until we explicitly only allow accounts to send events to a sync server they themselves created
|
|
||
| export const createSpace = async ({ accountId, event, keyBox, keyId }: Params) => { | ||
| const result = await Effect.runPromiseExit(SpaceEvents.applyEvent({ event, state: undefined })); | ||
| const getVerifiedIdentity = (accountIdToFetch: string) => { |
There was a problem hiding this comment.
nit: I see there's a few repetitions of this so maybe they could be split out into a utility function like this (in a separate file):
export const getGetVerifiedIdentity = (allowedAccountId: string) => {
return function(accountIdToFetch: string) {
// applySpaceEvent is only allowed to be called by the account that is applying the event
if (accountIdToFetch !== allowedAccountId) {
return Effect.fail(new Identity.InvalidIdentityError());
}
return Effect.gen(function* () {
const identity = yield* Effect.tryPromise({
try: () => getIdentity({ accountId: accountIdToFetch }),
catch: () => new Identity.InvalidIdentityError(),
});
return identity;
});
}
}
Then you can pass getGetVerifiedIdentity(accountId) to applyEvent?
There was a problem hiding this comment.
sounds good, will do it in a follow up PR 👍
2 participants
Initially I wanted to use
getVerifiedIdentitydirectly insideapplyEvent, but then realized that on frontend we sometimes need to fetch from the API and on backend it's a DB call.Passing in the entire list of
identitieswas also an option. Didn't feel like a good idea to pass around the whole list from the store on frontend. I ended up adding agetVerifiedIdentitycallback with this signature:(accountId: string) => Effect.Effect<PublicIdentity, InvalidIdentityError>