feat: access/authorize confirmation email click results in a delegation back to the issuer did:key so that access/claim works #460
Conversation
…esult-in-space-being-registered-and-accessdelegate-for-space-allowed
gobengo
changed the title
| // invocations invoked by the did:key | ||
| const delegateToKey = await ucanto.delegate({ | ||
| issuer: env.signer, | ||
| audience: { |
There was a problem hiding this comment.
Audience of ./update capabilities is meant to be non did:key principal, because those are only times ucanto would look at ./update capabilities. Delegation to the agent key is not going to get you anything other than been able to claim that delegation from that agent afterwards.
There was a problem hiding this comment.
ok. I updated to not use ./update. If what I updated to is even remotely tolerable on staging, it would be real nice to merge it because any delegation in there with the correct audience will make the tests pass.
|
@Gozala after your last review e.g. this comment, I updated this to have clicking the confirmation email generate a wdyt? |
|
|
||
| const agentPubkey = accessSessionResult.capability.nb.key | ||
|
|
||
| const update = await ucanto.delegate({ |
There was a problem hiding this comment.
It would really help to add comment above explaining what this delegation intends to do. In the version that I think this implements this delegation is attestation from us that account has authorized agent key to be able to sign ucans where issuer is account did.
| }, | ||
| ], | ||
| }) | ||
| const attestKeyAuthorizesAccount = await ucanto.delegate({ |
There was a problem hiding this comment.
Comment here describing what it's meant to do would also help, because it does not do what spec or issue suggests and it's not clear to me what the intentions are.
| with: env.signer.did(), | ||
| can: 'ucan/attest', | ||
| nb: { | ||
| proof: update.cid, |
There was a problem hiding this comment.
This should be the CID for the (unsigned) delegation from an account to the agent. This delegation should be replacement for the update above. More concretely if update was attesting to the authorization of the key, this attestation should be for the authorization of the specific delegation.
That is the core change in the spec, if previously we were attesting to key authorization which implied sudo privileges, in a new version we attest to the specific delegation authorization. Which means it could be sudo privileges or a very specific capabilities.
There was a problem hiding this comment.
Reading further down I think you could just remove this delegation.
There was a problem hiding this comment.
this is what's needed to make this work https://github.com/web3-storage/w3protocol/pull/460/files#diff-0cebcdde20e55de2911e90a385f368240bd9109fc54b074b89759628b695e88bR202
| }) | ||
|
|
||
| // create delegations that should be claimable | ||
| const delegationAccountToKey = await ucanto.delegate({ |
There was a problem hiding this comment.
This is somewhat correct, except it will have a signature from accountOneOffKey key as opposed to having an "absent" signature. Which may be ok temporarily, but not in MVP because those could fail to validate.
| // generate a delegation to the key that we can save in | ||
| // models.delegations to be found by subsequent access/claim | ||
| // invocations invoked by the did:key | ||
| const delegateToKey = await ucanto.delegate({ |
There was a problem hiding this comment.
Probably should be renamed and update comments as it does a different thing now.
There was a problem hiding this comment.
renamed/recommented in 685af65
| return agentPubkey | ||
| }, | ||
| }, | ||
| proofs: [delegationAccountToKey], |
There was a problem hiding this comment.
I'm not sure what is this for ? This could either contain delegation from did:web:web3.storage to a service key, or if they are the same no proof is required.
| }) | ||
| await env.models.delegations.putMany( | ||
| delegateToKey, | ||
| attestKeyAuthorizesAccount |
There was a problem hiding this comment.
I think you need to put delegationAccountToKey and delegateToKey instead.
| assert.ok(expectAccountToKey, 'expect proofs to contain delegation') | ||
| assert.deepEqual(expectAccountToKey.issuer.did(), accountDID) | ||
| assert.deepEqual(expectAccountToKey.audience.did(), issuer.did()) | ||
| assert.deepEqual(expectAccountToKey.capabilities, [ |
There was a problem hiding this comment.
remove this whole delegation if it's not needed for this test
I removed the new |
| capabilities: [ | ||
| { | ||
| with: env.signer.did(), | ||
| can: 'access-api/delegation', |
There was a problem hiding this comment.
| can: 'access-api/delegation', | |
| can: 'access/delegation' |
Nit: It just occurred to me that you can use access/delegate here as spec-ed except with audience being an agent as opposed to service.
There was a problem hiding this comment.
I'm down to change to that post-merge but otherwise I'd prefer to make this a meaningless can
Co-authored-by: Irakli Gozalishvili <[email protected]>
gobengo
deleted the
458-successful-accessauthorize-flow-should-result-in-space-being-registered-and-accessdelegate-for-space-allowed
branch
|
when testing this on staging, I ran into an error due to #464 |
🤖 I have created a release *beep* *boop* --- ## [5.0.0](access-api-v4.11.0...access-api-v5.0.0) (2023-03-23) ### ⚠ BREAKING CHANGES * implement new account-based multi-device flow ([#433](#433)) * upgrade capabilities to latest ucanto ([#463](#463)) ### Features * access-api handles provider/add invocations ([#462](#462)) ([5fb56f7](5fb56f7)) * access-api serves access/claim invocations ([#456](#456)) ([baacf35](baacf35)) * access/authorize confirmation email click results in a delegation back to the issuer did:key so that access/claim works ([#460](#460)) ([a466a7d](a466a7d)) * allow multiple providers ([#595](#595)) ([96c5a2e](96c5a2e)) * define `access/confirm` handler and use it in ucanto-test-utils registerSpaces + validate-email handler ([#530](#530)) ([b1bbc90](b1bbc90)) * handle access/delegate invocations without error ([#427](#427)) ([4f0bd1c](4f0bd1c)) * if POST /validate-email?mode=authorize catches error w/ too big qr code ([#516](#516)) ([d0df525](d0df525)) * implement new account-based multi-device flow ([#433](#433)) ([1ddc6a0](1ddc6a0)) * includes proofs chains in the delegated authorization chain ([#467](#467)) ([5144293](5144293)) * move access-api delegation bytes out of d1 and into r2 ([#578](#578)) ([4510c9a](4510c9a)) * move validation flow to a Durable Object to make it ⏩ fast ⏩ fast ⏩ fast ⏩ ([#449](#449)) ([02d7552](02d7552)) * provision provider type is now the DID of the w3s service ([#528](#528)) ([6a72855](6a72855)) * space/info will not error for spaces that have had storage provider added via provider/add ([#510](#510)) ([ea4e872](ea4e872)) * upgrade capabilities to latest ucanto ([#463](#463)) ([2d786ee](2d786ee)) * upgrade to new ucanto ([#498](#498)) ([dcb41a9](dcb41a9)) * write invocations and receipts into ucan log ([#592](#592)) ([754bf52](754bf52)) ### Bug Fixes * access/delegate checks hasStorageProvider(space) in a way that provider/add allows access/delegate ([#483](#483)) ([f4c640d](f4c640d)) * adjust migration 0005 to keep delegations table but create new used delegations_v2 ([#469](#469)) ([a205ad1](a205ad1)) * adjust migration 0005 to not do a drop table and instead rename delegations -> delegations_old and create a new delegations ([#468](#468)) ([6c8242d](6c8242d)) * allow injecting email ([#466](#466)) ([e19847f](e19847f)) * DbDelegationsStorage#find throws UnexpectedDelegation w/ { row } if failed bytesToDelegations ([#476](#476)) ([a6dafcb](a6dafcb)) * DbProvisionsStorage putMany doesnt error on cid col conflict ([#517](#517)) ([c1fea63](c1fea63)) * delegations model tries to handle if row.bytes is Array not Buffer (e.g. cloudflare) ([#478](#478)) ([030e7b7](030e7b7)) ### Miscellaneous Chores * **access-client:** release 11.0.0-rc.0 ([#573](#573)) ([be4386d](be4386d)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
…on back to the issuer did:key so that access/claim works (#460) Motivation: * #455 * This implements the second delegation described in #457 * make this test pass once we deploy this to staging gobengo/w3protocol-test#6 Test Case: * https://github.com/gobengo/w3protocol-test/pull/6/files#diff-698e92d7467a4a470689d4cb120272c6cac28864d4960ac12a3720ab7c35a15cR364 --------- Co-authored-by: Irakli Gozalishvili <[email protected]>
🤖 I have created a release *beep* *boop* --- ## [5.0.0](access-api-v4.11.0...access-api-v5.0.0) (2023-03-23) ### ⚠ BREAKING CHANGES * implement new account-based multi-device flow ([#433](#433)) * upgrade capabilities to latest ucanto ([#463](#463)) ### Features * access-api handles provider/add invocations ([#462](#462)) ([46da0df](46da0df)) * access-api serves access/claim invocations ([#456](#456)) ([2ec16e9](2ec16e9)) * access/authorize confirmation email click results in a delegation back to the issuer did:key so that access/claim works ([#460](#460)) ([fc62691](fc62691)) * allow multiple providers ([#595](#595)) ([aba57b3](aba57b3)) * define `access/confirm` handler and use it in ucanto-test-utils registerSpaces + validate-email handler ([#530](#530)) ([a08b513](a08b513)) * handle access/delegate invocations without error ([#427](#427)) ([db01d07](db01d07)) * if POST /validate-email?mode=authorize catches error w/ too big qr code ([#516](#516)) ([ab83b19](ab83b19)) * implement new account-based multi-device flow ([#433](#433)) ([6152e55](6152e55)) * includes proofs chains in the delegated authorization chain ([#467](#467)) ([743a72f](743a72f)) * move access-api delegation bytes out of d1 and into r2 ([#578](#578)) ([3029e4a](3029e4a)) * move validation flow to a Durable Object to make it ⏩ fast ⏩ fast ⏩ fast ⏩ ([#449](#449)) ([3868d97](3868d97)) * provision provider type is now the DID of the w3s service ([#528](#528)) ([4cd6cd9](4cd6cd9)) * space/info will not error for spaces that have had storage provider added via provider/add ([#510](#510)) ([362024f](362024f)) * upgrade capabilities to latest ucanto ([#463](#463)) ([e375ae4](e375ae4)) * upgrade to new ucanto ([#498](#498)) ([790750d](790750d)) * write invocations and receipts into ucan log ([#592](#592)) ([d52a281](d52a281)) ### Bug Fixes * access/delegate checks hasStorageProvider(space) in a way that provider/add allows access/delegate ([#483](#483)) ([1d3d562](1d3d562)) * adjust migration 0005 to keep delegations table but create new used delegations_v2 ([#469](#469)) ([d90825a](d90825a)) * adjust migration 0005 to not do a drop table and instead rename delegations -> delegations_old and create a new delegations ([#468](#468)) ([89f2acd](89f2acd)) * allow injecting email ([#466](#466)) ([b4b0173](b4b0173)) * DbDelegationsStorage#find throws UnexpectedDelegation w/ { row } if failed bytesToDelegations ([#476](#476)) ([660f773](660f773)) * DbProvisionsStorage putMany doesnt error on cid col conflict ([#517](#517)) ([8c6dea8](8c6dea8)) * delegations model tries to handle if row.bytes is Array not Buffer (e.g. cloudflare) ([#478](#478)) ([02c0c28](02c0c28)) ### Miscellaneous Chores * **access-client:** release 11.0.0-rc.0 ([#573](#573)) ([29daa02](29daa02)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Motivation:
did:key:{}#455Test Case: