
Implement `Auth` scan service request for authorizing access to a set of keys and their scan results

Open arya2 opened this issue 1 year ago • 4 comments

Motivation

We want a way to:

  • Authenticate RPC clients/users
  • Authorize access to viewing keys and their results

Possible Design

We could add basic username/password authentication for RPC clients before authorizing access to viewing keys and their results:

  • Add an accounts db column where the keys are usernames, and the value is a hashed password + a list of registered keys for the account
  • Accept either a fresh token or a username/password pair in the request
  • Return a list of viewing keys that were registered by that account and a fresh token with the username as the response
  • Prefix the keys in sapling results with usernames
  • Add a config field for allowing unauthenticated requests

arya2 avatar Jan 29 '24 17:01 arya2
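An in-memory sketch of the proposed flow (accounts keyed by username holding a salted password hash plus registered keys; a request carrying either a fresh token or a username/password pair; the response listing that account's keys prefixed with the username and a new token). This is an added example, not Zebra's code: the `username:key` prefix format, the single-use tokens and the `zxviews1...` key strings are assumptions made for the illustration; the unauthenticated-requests config field is not modelled.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-ins for the proposed accounts column and a token table.
ACCOUNTS: dict = {}   # username -> {"salt": bytes, "hash": bytes, "keys": [..]}
TOKENS: dict = {}     # token -> (username, expiry as monotonic seconds)
TOKEN_TTL = 3600.0

def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt (stdlib) is a memory-hard KDF; never store the plaintext password.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

def register_account(username: str, password: str, viewing_keys: list) -> None:
    salt = secrets.token_bytes(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash_password(password, salt),
                          "keys": list(viewing_keys)}

def _verify_password(username: str, password: str) -> bool:
    acct = ACCOUNTS.get(username)
    if acct is None:
        _hash_password(password, b"\0" * 16)  # unknown user costs the same as a wrong password
        return False
    return hmac.compare_digest(_hash_password(password, acct["salt"]), acct["hash"])

def _issue_token(username: str) -> str:
    token = secrets.token_urlsafe(32)
    TOKENS[token] = (username, time.monotonic() + TOKEN_TTL)
    return token

def _username_for_token(token: str) -> Optional[str]:
    entry = TOKENS.pop(token, None)  # assumed single-use: each response issues a fresh token
    if entry is None:
        return None
    username, expires = entry
    return username if time.monotonic() < expires else None

def auth(request: dict) -> Optional[dict]:
    """Return {"keys": [...], "token": str} for a valid request, or None to reject it."""
    username = None
    if "token" in request:
        username = _username_for_token(request["token"])
    elif "username" in request and "password" in request:
        if _verify_password(request["username"], request["password"]):
            username = request["username"]
    if username is None:
        return None
    keys = [f"{username}:{k}" for k in ACCOUNTS[username]["keys"]]  # assumed prefix format
    return {"keys": keys, "token": _issue_token(username)}
```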

This is for later when we're working on authentication, it may be changed before we start on authentication.

arya2 avatar Feb 06 '24 15:02 arya2

@upbqdn @oxarbitrage Is this design okay, or do we want to do something else?

arya2 avatar Feb 15 '24 20:02 arya2

It looks good to me. I was thinking we could write a list of possible solutions in a discussion so that it's easier to tell we're picking the most suitable one. Will I start the discussion outlining the options?

upbqdn avatar Feb 15 '24 22:02 upbqdn

It looks good to me, but I am not sure if that is the simplest way. I would like to do more research before implementing; I don't think we have to decide now.

oxarbitrage avatar Feb 15 '24 23:02 oxarbitrage