Update flow "Sign Twitter" to avoid reuse in another session but reuse in current session
Opened this issue · 6 comments
As @colourful-land mentioned in #203, we have to avoid reuse of that flow and ask for a single IDAttestation per Twitter login session.
My suggestion:
- when the user authenticates with Twitter through Auth0, they receive a token (the frontend adds it to the header as x-ac: e2WyLe6rNyXNxTSAIv2XdJIxweeeeSd9ud)
- we can update the message to sign to a format like "Please sign this message to acquire your public attestation. (e2WyLe6rNyXNxTSAIv2XdJIxweeeeSd9ud)", i.e. just add that Auth0 token, its hash, or a slightly cropped hash to the message to sign
- we can save the signature for the current Auth0 session and reuse it for the next IDAttestations in this session, with no need to ask the user to sign again.
- in that case the flow will be simplified for multiple autographs inside a single Auth0 session, but nobody can reuse it for another session
As an option: we can sign an EIP712 message instead of a text string if it's supported by most of the wallets. Anyway, we use EIP712 for the attestation.id attestRequest, so if a wallet doesn't support EIP712 then it can't sign attestRequest either :-)
That flow requires updates to the attestation.id backend and the autographnft.io frontend. No need to update the smart contract.
@foxgem, @colourful-land does it make sense?
cc @AW-STJ
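The session-bound message and per-session signature cache proposed above, as an added illustration that is not code from this issue or from the attestation.id / autographnft.io projects. It assumes a cropped SHA-256 of the Auth0 token as the binding; the HMAC-based toy_sign/toy_recover pair stands in for the wallet signature and signer recovery, and TOY_KEYS and the second session token are constructed sample data.

```python
import hashlib
import hmac

# Message text from the proposal; the bracketed part is the session binding.
MESSAGE_PREFIX = "Please sign this message to acquire your public attestation."

def session_binding(auth0_token: str, length: int = 16) -> str:
    """Cropped SHA-256 of the Auth0 access token (assumption). Putting this in
    the message ties the signature to one login session without exposing the
    token itself in the signed text."""
    return hashlib.sha256(auth0_token.encode()).hexdigest()[:length]

def message_to_sign(auth0_token: str) -> str:
    return f"{MESSAGE_PREFIX} ({session_binding(auth0_token)})"

# Stand-in for wallet signing / signer recovery (assumption: in production this
# is personal_sign in the wallet and signature recovery on the backend).
TOY_KEYS = {"0xAlice": b"alice-secret", "0xBob": b"bob-secret"}  # constructed

def toy_sign(address: str, message: str) -> str:
    mac = hmac.new(TOY_KEYS[address], message.encode(), "sha256").hexdigest()
    return f"{address}:{mac}"

def toy_recover(message: str, signature: str):
    address, mac = signature.split(":", 1)
    key = TOY_KEYS.get(address)
    if key is None:
        return None
    expected = hmac.new(key, message.encode(), "sha256").hexdigest()
    return address if hmac.compare_digest(mac, expected) else None

class SessionSignatureCache:
    """One accepted signature per Auth0 session, keyed by the session binding,
    so later attestation requests in the same session need no new signature."""
    def __init__(self, recover=toy_recover):
        self._recover = recover
        self._store = {}  # session_binding -> (address, signature)

    def accept(self, auth0_token: str, signature: str, address: str) -> bool:
        # Recompute the message for *this* session; a signature produced for
        # another session recovers to a different (or no) address and is rejected.
        if self._recover(message_to_sign(auth0_token), signature) != address:
            return False
        self._store[session_binding(auth0_token)] = (address, signature)
        return True

    def cached_signature(self, auth0_token: str):
        entry = self._store.get(session_binding(auth0_token))
        return entry[1] if entry else None
```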
The expiration of the access token is very short and signing is actually not a high-frequency action for the same user. So I agree to cache the public attestation, but:
- signing message not changed.
- caching the public attestation and using ${twitter_id}-${screen_name} as the cache key.
Because the public attestation has no time limit and ${twitter_id}-${screen_name} can live for a long time, we can reuse the same attestation later.
@foxgem, do you remember why IdAttestation has an unlimited TTL? What is the purpose of that?
Sorry, I don't know. Maybe @colourful-land can answer this.
I am afraid that it can be a security issue if a user has an unlimited Twitter attestation.
Let's imagine that PersonX has the TwitterX account and created twitterIdAttestation(TwitterX) for autographNFT. That attestation will be saved on the blockchain.
Then PersonX sold his TwitterX account to PersonY.
In that case PersonX can still use the TwitterX account because of the unlimited attestation.
@colourful-land, what do you think about that?
@colourful-land, what do you think about that?
https://community.tokenscript.org/t/what-if-inet-identifer-such-as-twitter-handle-is-sold/492
@colourful-land, do we have any benefits from an unlimited IDattestation? Do you remember why we don't limit IDattestation with an expiration?