-
Notifications
You must be signed in to change notification settings - Fork 984
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chat api #10910
Conversation
Hey @bgits, and thank you so much for making your first pull request in status-react! ❤️ Please help us make your experience better by filling out this brief questionnaire https://goo.gl/forms/uWqNcVpVz7OIopXg2 |
Jenkins BuildsClick to see older builds (2)
|
@bgits Thanks for kicking this off. I understand from Marketing that a Chat API, in the wider realm of extensions, has been requested by dapps. If the functionality can drive existing dapp audiences to use Status to benefit from messaging features, it makes a strong case to work on this now. Suggestion/questions
cc @0kok0 for security eyes |
thanks @bgits , permissions will be asked only ones, so if user gives permission to dapp, then dapp will be doing next calls silently, sending message on behalf of user is really dangerous, also current UX for permissions isn't great, if we'll have more permissions and dapp will ask all permisions on the first run, they all will be asked one after another |
There are some as such gas abstraction or gasless voting where the dapp just needs to submit a signed ethereum transaction to a channel. |
I understand the security concerns. Perhaps for now it makes sense to put this behind either a "Security" or "Advanced" flag that is by default turned off until we think of a better approach? Another approach that I think requires less security concern is allowing dapps to send messages from a random key. This is still useful for certain applications such a gasless voting & gas abstraction but removes the concern of dapps impersonating a users to do malicious things. |
@bgits @hesterbruikman - Some very interesting ideas have come up in partner outreach. Id love to discuss further and perhaps even loop those teams in to collaborate on these. Two high level ideas from partners: |
Sending messages to friends assumes they are already on Status? |
Correct. Imagine some friends have a private group chat and one of the members shares a prediction market. The other friends can take a position in the market directly from the chat interface with a simple tap |
cc @corpetty for planning purposes. We'll need security requirements for a chat API to be used by dapps. I suggest limiting to use case 1 described by @j-zerah described:
(most generalizable, least privacy sensitive) I'm thinking of a timeframe of around 2 months, so we don't postpone this indefinitely. I understand it could draw dapps and bring utility, and more functioning dapps, to Status. We'll likely need UI work on permissions etc after we have a security model as a reference point. Does that sound feasible @corpetty? |
It seems using onMessage to respond over the bridge is not ideal for send larger payload and the preferred method is to use postMessage to communicate with webview
I assume this will start with messages being sent on the users behalf, later exposing wallet functionality, accessing images etc. Iteration 0:Dapp requirementsExample threat: Poorly implemented collectible dapps lure users into compromising their and contact's privacy by pushing/pulling messages in the clear.
API gateway:Example threat: Malicious Dapp successfully circumvents API endpoint safety measures and can execute code on the user's device. API gateway process for all API calls that can be strictly isolated. Implements least authority. Performs the following tasks for all API calls:
Permission/Token:
|
The existing API already exposes wallet functionality using the EIP-1102 standard. It also exposes some chat functionality: https://status.im/developer_tools/status_extras/status_dapp_api.html How to make these API enhancements secure is something we want to do and think specific exploit cases will crystalize during testing. It would be helpful to have specific exploits that use API so they can be tested against and designed to mitigate. In the case of: "Example threat: Malicious Dapp successfully circumvents API endpoint safety measures and can execute code on the user's device.", How can we create this scenario using the chat-api? |
Please, if you ever possess this type of information, never disclose it publicly to prove a point. Send me a DM if you require a more concrete/testable threat model. I agree it's very generic. However, I am afraid I have to disagree that we should do exploit driven security development; that's the definition of being reactive. Let me ask a question: would you still like to use Linux if there was no kernel isolation, no package manager, or an hour to create a package? |
Not disagreeing with you. I think having an actual example makes the threat more tangible and less prone to repeating. |
You're right, I'll make sure to provide detailed examples during the next cycle |
feel free to reopen |
Summary
Implements DApp Chat api as per: status-im/specs#117
Review notes
This is my first PR on this code base, wondering how these changes should be organized and if these state mutation are idiomatic?
There are 3 functions in
permissions.cljs
that dispatch re-frame events, I'm wondering if they should live elsewhere? Are they inline with convention to dispatch re-frame events if the action is coming from the browser API?Outstanding bugs
Looking for guidance on how to resolve these issues:
'
. I have not found a way to escape it so for now it is removed.Testing notes
There is a test dapp which makes calls to the api, it can be run locally and use in the webview. It can be found here: https://github.com/status-im/status-api-tester.git
Platforms
Areas that maybe impacted
Security? Two of the calls have the permission
:yield-control? true
I don't know the full impact of this.Functional
Steps to test
After running npm install in the
status-api-test
directory one can start the dapp usingembark run
. It should be accessible fromhttp://localhost:8000/
. Open it in the dapp browser and use the Status api tab to test calls. Keep the localhost console open as some function currently just log to console.status: wip