Hi!
I propose an extension to the Garden API, which enables the external creation of user profiles. This proposal serves as an interim solution until we have implemented a decentralized solution for profiles. It caters to the needs of other wallets interested in integrating with Circles and independent developers seeking Circles integration. Recently, a conference-specific app, DappCon23, was deployed, which allows users to create a new Circles safe, but not a corresponding profile. This proposal will suffice most needs for such use-cases for the time being.
Technical Considerations
-
Authentication/Authorization: Security will be maintained by adopting a challenge/response mechanism for authenticating requests to the API. Here’s a high-level outline of this process:
- A user requesting to add a profile will receive a challenge from the server.
- The user responds to the challenge by signing it with a private key.
- The server verifies the signature, checking if it corresponds to one of the current owners of the safe associated with the safe-address.
- If the signature is valid, the user is authorized to add or edit a profile using the safe-address as a primary key.
-
CORS Settings: In the best case the CORS policy can allow access from any domain to facilitate a good portability.
Security Considerations
Allowing everyone to openly write to an API (since everyone can create a key, safe, and thus a profile) poses inherent risks. However, if we verify that the key indeed belongs to a safe owner, this implies that a safe has been previously deployed, which incurs costs and thus makes it unlikely for someone to launch a DDoS attack involving creating a lot of safes. To expedite the API’s decision on whether to discard a request, the list of all Circles safe addresses and their owners could be kept in memory. The same data structure could be used to efficiently enforce a per-safe rate limit. Additionally, there should be a per-IP rate limit that allows high bursts (e.g., when everyone in a room signs up at the same time).
As always with the kind request for comments