Refs
https://filecoinproject.slack.com/archives/C02BZPRS9HP/p1673387411040389
https://github.com/web3-storage/specs/issues/26
https://github.com/web3-storage/w3protocol/pull/318
https://github.com/web3-storage/w3protocol/issues/333
Notes
- Add more information to the email about what the action is: human-readable names for spaces/accounts, the user-agent where the email originated, location info from the CF headers, and some unique code/pattern generated by the backend to validate the origin.
  - The email link will have redirects for web-based origins but should also pull or wait on websockets for the validations.
  - Redirects will auto-login on the page opened by clicking the email link.
  - Pull/websockets will auto-login on the page that originated the email.
  - The user may have both pages open, and both should go automatically into the logged-in state after validation.
- CLIs should not start an email validation flow; they SHOULD only open the keyring (or print a URL/QR code to be opened) and set up a secure AWAKE channel to request delegations or import an account. Consider this in the w3accounts spec context; not 100% sure we should force this or whether the first bullet point is enough !!
  - Electron and native apps should start the email flow with deep links (protocol handlers) in the redirect callback URL instead of websockets to get the delegation back.
- We can keep track of devices in the account and even further restrict non-web devices from starting the email flow by forcing the user to register the device first.
- Use avatar derived from the agent DID to inform the user about the email’s origin
- v0 could just use the agent DID (+did-avatar) as the origin validation in the email; it just needs to be more explicit about it.
- Avoid SafeLinks and other auto open email client stuff
- We need to expire the email link in a reasonably short time window. This is the most effective tool to reduce the attack vector, as an attacker will only be able to succeed if the malicious request happens around the same time as the user's attempt to log in.
- We also need a button allowing the user to report that the authorization was not initiated by them. This would help us identify potential attackers before they succeed and block the origins used as a vector.
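The two notes above (a backend-generated code that validates the origin, and a short expiry on the link) can be combined into one origin-bound, short-lived code. The following is an added illustration, not w3protocol code; the secret, TTL, DIDs and user-agent strings are constructed assumptions, and the code is bound to the agent DID, the user-agent and the action so that a link can only complete the authorization it was issued for, and only within its window.

```python
"""Short-lived, origin-bound email validation code (added example, not w3protocol code).

Assumptions: the backend holds SERVER_SECRET, knows the agent DID and the
User-Agent of the request that started the flow, and the email link carries the
issued code back. All constants and identifiers here are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

SERVER_SECRET = b"constructed-example-secret-rotate-me"   # assumption: kept server-side
LINK_TTL_SECONDS = 15 * 60                                 # assumption: a short window, per the notes


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_validation_code(agent_did: str, user_agent: str, action: str, now=None) -> str:
    """Bind the code to the requesting agent DID, its User-Agent, the action and an expiry."""
    issued = int(now if now is not None else time.time())
    claims = {"did": agent_did, "ua": user_agent, "act": action,
              "iat": issued, "exp": issued + LINK_TTL_SECONDS}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_validation_code(code: str, expected_did: str, now=None):
    """Return the bound claims on success; None if malformed, tampered, expired or for another agent."""
    try:
        payload_b64, tag_b64 = code.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    expected_tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):      # constant-time tag check
        return None
    claims = json.loads(payload)
    current = now if now is not None else time.time()
    if current >= claims["exp"]:                        # link expired: reject even if genuine
        return None
    if claims["did"] != expected_did:                   # issued for a different agent/origin
        return None
    return claims
```

The claims returned on success (action, user-agent, issue time) are what the email body and the confirmation page can show the user so they can tell whether the request was theirs.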
Tasks