Skip to content

feat: identity and authentication #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jan 8, 2025
Merged

feat: identity and authentication #64

merged 2 commits into from
Jan 8, 2025

Conversation

pcarranzav
Copy link
Member

@pcarranzav pcarranzav commented Dec 4, 2024
edited
Loading

This PR adds a basic authentication mechanism using random session tokens and using Sign-in with Ethereum for users to authenticate with their wallets (including Privy embedded wallets).

It also adds an identity mechanism by generating encryption and signing keys for each user, which are stored on the sync server using a secret based on a wallet signature, similarly to XMTP v2.

This is only an initial implementation to be iterated on. Some future improvements or things left for future PRs are (and there's probably others):

  • Using smart accounts and possibly session keys; for now the EOA chosen for Privy is used as the account ID.
  • Using the Privy identity cookie where possible, instead of requiring SIWE. This might be challenging as browsers might block the cross-site cookie, and otherwise requires exposing the cookie client side because we'd keep HttpOnly turned off.
  • Using Privy's Ecosystem SDK feature - it's unclear if it would actually provide a benefit in our case.
  • The GraphLogin component could potentially be integrated as part of the GraphFramework core component.
  • We may want to create separate identities for each app, space, or some other category, for now there is only one global identity per user. This means any app that the user uses to log in has to be trusted not to impersonate the user.
  • Session tokens expire in 1 month, and we currently renew them using SIWE with the signing key; we may want to use renew tokens or some other approach.
  • A lot of care should be put on reviewing the security in this approach. This system could be vulnerable to XSS if we're not careful.

@pcarranzav pcarranzav changed the title WIP: identity WIP: identity and authentication Dec 13, 2024
@pcarranzav pcarranzav mentioned this pull request Dec 22, 2024
Closed
nikgraf
nikgraf reviewed Dec 23, 2024
View reviewed changes
nikgraf
nikgraf reviewed Dec 23, 2024
View reviewed changes
nikgraf
nikgraf reviewed Dec 23, 2024
View reviewed changes
nikgraf
nikgraf reviewed Dec 23, 2024
View reviewed changes
nikgraf
nikgraf reviewed Dec 23, 2024
View reviewed changes
@pcarranzav pcarranzav force-pushed the pcv/identity branch 3 times, most recently from 7c2807b to 2110a03 Compare January 7, 2025 21:37
@pcarranzav
feat: identity and authentication
1ce47a1 
This PR adds a basic authentication mechanism using random session tokens and
using Sign-in with Ethereum for users to authenticate with their wallets (including
Privy embedded wallets).

It also adds an identity mechanism by generating encryption and signing keys for each user,
which are stored on the sync server using a secret based on a wallet signature, similarly to XMTP v2.
@pcarranzav pcarranzav marked this pull request as ready for review January 7, 2025 21:47
@pcarranzav pcarranzav changed the title WIP: identity and authentication feat: identity and authentication Jan 7, 2025
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
nikgraf
nikgraf reviewed Jan 8, 2025
View reviewed changes
Copy link
Collaborator

@nikgraf nikgraf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm through with the review! Outstanding work @pcarranzav 👏

@nikgraf nikgraf self-requested a review January 8, 2025 13:49
@nikgraf nikgraf mentioned this pull request Jan 8, 2025
Closed
This was referenced Jan 8, 2025
Closed
Open
Open
Open
Closed
@nikgraf
Copy link
Collaborator

nikgraf commented Jan 8, 2025

jfyi I added two more issue we need to look into at some point:

@pcarranzav
Copy link
Member Author

Thanks for capturing all these issues @nikgraf! I'll address them as soon as I'm back from vacation

@pcarranzav pcarranzav merged commit 0b63e18 into main Jan 8, 2025
1 check passed
@pcarranzav pcarranzav deleted the pcv/identity branch January 8, 2025 15:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nikgraf nikgraf nikgraf approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pcarranzav @nikgraf