w3up icon indicating copy to clipboard operation
w3up copied to clipboard

Published 20 hours ago verified publisher icon w3s-project

Client should setup space recovery when it creates one

Open Gozala opened this issue 1 year ago • 7 comments

Right now our clients create a space and delegate all capabilities to the agent, which later delegates them to the account.

This has two the problem that access to space can be permanently lost if agent gets compromised.

What we should do instead is on space creation setup a recovery plan. I think we can offer them to provide an account email so that it has full privileges for the account.

We can also follow the established cow path in the space and also ask user to write down set of phrases from which space key can be derived.

By doing both we will ensure that user will never loose access to their space.

Gozala avatar Oct 05 '23 16:10 Gozala

So here is how things work today

w3 space create
did:key:z6MkqneEnjm67escdX9mXRniyh3habma5CvDMNRXpz78wvKy

w3 space register gozala@...
⁂ space registered to gozala@...

w3 up /Users/gozala/Downloads/w3-aggregation.svg
  1 file 0.2MB
⁂ Stored 1 file
⁂ https://w3s.link/ipfs/bafybeig6klboqjlqq55hbtx3xvsqqjvnopcluwj6jhn5ctqtgcet45qwtu

Here is how I suggest they work in the future

w3 space create ⏎
⁂ did:key:z6MkqneEnjm67escdX9mXRniyh3habma5CvDMNRXpz78wvKy

⚠️ Here is your unique paper key, which will allow you to recover access to the created space on a different device in case access to all other devices are compromised. This is the only time you'll see this so be sure to write it down and then hit enter

seven physical orange dash island village scatter together recycle echo ladder cash response become aim desert desk advice axis gown unfold reduce plate rifle

⏎
⁂ Just to be sure you got it right, please enter or paste the paper you have saved and then hit enter

....
⏎
⁂ We recommend delegating full access to this space to your email address, which will allow you to gain access to the space using simple email authorization and without a paper key. If you exit now recovery email will not be setup and you will need to use paper key to authorize on a new device. Please enter email address you wish to authorize and hit Enter or hit Enter to use [email protected]
⏎
⁂ New space is created, but it does not yet have any storage capacity. You can hit Enter to provision this space with [email protected] account. You can also exit now and arrange storage later by running `w3 space provision` command.
⏎
⁂ Your new space is all set and ready to store content
...

Gozala avatar Oct 25 '23 21:10 Gozala

LGTM, although as discussed before please ensure parameters exist for non-interactive use cases.

How do we use paper key to authorize on a new device?

alanshaw avatar Oct 26 '23 08:10 alanshaw

How do we use paper key to authorize on a new device?

space recover did:key:zMySpace
⁂ Please enter or paste the paper key displayed during space creation and press Enter key
ℹ️ We will not store this key, but we will use it to delegate access to w3 on this device

# User pastes the key

✨ Space has been added

We could also fold it under space add if we wanted to

Gozala avatar Oct 27 '23 16:10 Gozala

Created an event diagram

stateDiagram-v2

mnemonic: ⁂ Save this key 📜
verify: ⁂ Enter saved key
confirm_email: ⁂ Confirm by clicking link in email
state has_account <<choice>>


[*] --> mnemonic: > w3 create stuff
mnemonic --> verify
verify --> has_account: is authorized ?

has_account --> authorize_with: Yes
authorize_with: ⁂ Provision with [email protected] ?

state authorize_with_proceed <<choice>>
authorize_with --> authorize_with_proceed
authorize_with_proceed --> recovery: Yes
authorize_with_proceed --> [*]: No

has_account --> want_provision: No

want_provision: ⁂ Want to provision space ?
state want_provision_choice <<choice>>


want_provision --> want_provision_choice
want_provision_choice --> [*]: No
want_provision_choice --> authorize: Yes

authorize: ⁂ What is your email address ?
authorize --> authorization
authorization: > [email protected]
authorization --> confirm_email
confirm_email --> recovery

recovery: ⁂ Setup recovery with [email protected] ?

state recovery_choice <<choice>>

recovery --> recovery_choice

recovery_choice --> setup_default_recovery: Enter
recovery_choice --> done: Exit
recovery_choice --> setup_custom_recovery: [email protected]

setup_default_recovery: ⁂  Delegating access to [email protected]
setup_custom_recovery: ⁂  Delegating access to [email protected]

setup_default_recovery --> done
setup_custom_recovery --> done

done: ✨ Space is ready

Gozala avatar Oct 31 '23 06:10 Gozala

PR tackling this https://github.com/web3-storage/w3up/pull/1046

Gozala avatar Oct 31 '23 08:10 Gozala

Would be good to get an example of what this looks like in code using the w3up-client :)

alanshaw avatar Nov 02 '23 17:11 alanshaw

Would be good to get an example of what this looks like in code using the w3up-client :)

Here is the test that shows above workflow in code with w3up client

https://github.com/web3-storage/w3up/blob/3cbce6745fa94679e8e15e5801df492853d9fa1b/packages/w3up-client/test/account.test.js#L109-L143

Gozala avatar Nov 03 '23 18:11 Gozala