Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add revoke permissions #26

Merged
merged 20 commits into from
Nov 22, 2023
Merged

Add revoke permissions #26

Changes from all commits
Commits
Show all changes
20 commits
Select commit Hold shift + click to select a range
00c2f75
feat: revokePermissions proposal
julesat22 Oct 6, 2023
3cb664b
chore: update name and mip version to x
julesat22 Oct 11, 2023
d657390
chore: updates to summary, motivatinos, and ux considerations
julesat22 Oct 11, 2023
4e6f8cd
Added some PR feedback like aligning the API and minor clarifications
shanejonas Nov 16, 2023
ebba7e6
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
3177342
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
7f46872
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
cd59dc4
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
7185b1c
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
973383f
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
42e98f6
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
db822ab
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
52b2c63
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
25c291c
Update MIPs/mip-x.md
shanejonas Nov 16, 2023
9a2aade
Removed all permissions references
shanejonas Nov 16, 2023
6f6dd26
Update MIPs/mip-x.md
shanejonas Nov 17, 2023
5481ebe
Fixed revoke account permission
shanejonas Nov 17, 2023
da0ee61
Changed definitions to be at the bottom
shanejonas Nov 17, 2023
6a41832
Removed Caveat examples
shanejonas Nov 17, 2023
f2ee60b
Fixed feedback to summary and motivation
shanejonas Nov 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
112 changes: 112 additions & 0 deletions MIPs/mip-x.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,112 @@
---
MIP: x
Title: Implement `wallet_revokePermissions` for Flexible Permission Revocation
Status: Review
Stability: n/a
discussions-to: https://github.com/MetaMask/metamask-improvement-proposals/discussions
Author(s): Julia Collins (@julesat22), Shane Jonas (@shanejonas)
Type: Community
Created: 2023-10-06
---

## Summary
This proposal aims to add a new JSON-RPC method, `wallet_revokePermissions`, to MetaMask as a counterpart to `wallet_requestPermissions`. This method is designed to offer a high degree of flexibility in managing permissions. This streamlines the user experience by reducing the number of steps needed to manage permissions and disconnect from dApps, thereby aligning with traditional OAuth systems for enhanced user control and privacy.

## Motivation
The MetaMask Wallet API currently lacks a streamlined way for users and dApps to revoke permissions. This proposal aims to:

1. Streamline User Experience: Currently, disconnecting a dApp requires navigating through multiple UI layers. Implementing `wallet_revokePermissions` will simplify this process and align with user expectations. Also enabling users to have granular control over their permissions directly from within the dApp not only enhances UX but also aligns with best practices in data privacy and user agency.

2. Close an Ergonomic Gap: Being able to request permissions but not revoke them programmatically is inconsistent and poses challenges for developers. This proposal offers a holistic solution for permission management.

3. Developer Experience: dApp developers currently might resort to mocking disconnect functionality, which is not a genuine revocation of permissions. `wallet_revokePermissions` allows for an authentic disconnect, enhancing security and user trust.

By implementing wallet_revokePermissions, we achieve feature parity with traditional permission systems, offering a more robust, secure, and user-friendly environment.


# Proposal
The `wallet_revokePermissions` method is proposed as a new JSON-RPC feature for MetaMask, aimed at giving users more granular control over permission management. With this method, users can can revoke permissions for the specified permission(s).

The method signature will be as follows:

```js
await window.ethereum.request({
"method": "wallet_revokePermissions",
"params": [
{
"<permission>": {}
}
]
});
```

# Usage Example
```js
// revoke eth_account permission for the dApp
await window.ethereum.request({
"method": "wallet_revokePermissions",
"params": [
{
"eth_accounts": {}
}
]
});

shanejonas marked this conversation as resolved.
Show resolved Hide resolved
// revoke snap_dialog permission for the dApp
await window.ethereum.request({
"method": "wallet_revokePermissions",
"params": [
{
"snap_dialog": {}
}
]
});
```

The proposed changes have been implemented in the following PR against the `MetaMask/api-specs` repo: https://github.com/MetaMask/api-specs/pull/145

## Caveats
Adding Caveats to the implementation of `wallet_revokePermissions` means more granular control over user permissions and, subsequently, more combinations of permissions that can be revoked. This increases the scope of implementation so it will not be supported in the initial implementation.

## Implementation
There is a [PR](https://github.com/MetaMask/core/pull/1889) open against the `MetaMask/core` repo that implements the proposed changes.

## User Experience Considerations

#### Enhancements:

Streamlining Disconnection: Reducing the number of clicks and steps needed to disconnect from a dApp, making the experience more user-friendly.

Consistency in Connection Management: Providing a disconnect feature directly within the dApp aligns with user expectations and creates a consistent experience since the dApp can both request and revoke permissions.

Improved User-Dapp Communication: Clear, in-app options for managing permissions improve user confidence and control.

User Empowerment: The proposed method aligns with best practices in data privacy, giving users the agency to manage their data and connections effectively.

Synchronized Actions and Security: Ensuring that the dApp is aware of a user's intent to disconnect prevents potential security loopholes and reflects the user’s action accurately in the dApp’s state.

## Security Considerations
The introduction of the `wallet_revokePermissions` method bolsters security by providing users with more control over permission revocation, reducing the potential attack surface. By allowing users to revoke permissions either partially or entirely, it minimizes the risk of unauthorized or malicious activity.

However, the security model depends on users actively managing these permissions, and there's a minor risk that poorly implemented dApps could confuse users about what they're revoking, potentially leading to unwanted outcomes. Ex. If an attacker had XSS access to a site, it could revoke permissions without the users consent.
Copy link
Collaborator

@jiexi jiexi Nov 20, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This seems more like an inconvenience than an actual threat. If an attacker could run arbitrary code on the page for a Dapp, it seems more likely that they would make requests as is or even request more permissions rather than revoke them. I suppose it would be possible that permissions are revoked on the real Dapp in an effort to confuse the user and get them to approve them on a phishing Dapp? Or perhaps constantly revoking permissions that the real Dapp requests and then attempting to slip in a malicious request for permissions among the many reapproval prompts that may prompt the user? Idk

This is already labeled as a minor risk though


To mitigate this risk, MetaMask could implement the following countermeasures:

**User Education**: MetaMask could inform users about the importance of managing permissions and the risks associated with not revoking outdated or unused permissions. Offer guidelines for making informed decisions about when and how to revoke permissions for different dApps.
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Something we should consider in the future is keeping track of the last time a permission was used by a Dapp and periodically suggesting a list of stale permissions to the user that can be revoked (or even just automatically revoking).


**Warning and Consent**: Before executing a revoke operation, MetaMask could display an inormative alert message to users. This message could inform them of the consequences of revoking permissions and/or the specific permission(s) they are attempting to revoke.

## Definitions
**Revoke**: To officially cancel or withdraw specific privileges, rights, or permissions. In the context of `wallet_revokePermissions`, revoking would entail nullifying the access granted to certain dApps or operations, such as account information retrieval via `eth_accounts`.

## References
[wallet_revokePermissions](https://github.com/MetaMask/api-specs/pull/145)

## Feedback
Please provide feedback on this proposal by opening an issue in the MetaMask MIPs repository.

## Committed Developers
Julia Collins (@julesat22), Shane Jonas (@shanejonas)

## Copyright
Copyright and related rights waived via [CC0](../LICENSE).
Loading