-
Notifications
You must be signed in to change notification settings - Fork 546
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unblock eth_requestAccounts
and add dynamic permission support
#1421
Conversation
could i ask for some context on this please? i noticed that knowing the user's |
Hi, we had to disable In the meantime, if you need to do a signature for your snap, you will have to rely on a dapp. An example is here: https://github.com/ziad-saab/siwe-metamask-snap |
ok, but this means that the dapp will see the resulting signature, yes? and must "pass it back" somehow to the snap? this is deeply problematic in situations in which the signature itself is secret, and must be kept within the snap (per the whole security / domain-separation goals we are trying to achieve in the first place by using snaps). an example in which this happens is in, say, services which use a (deterministic) ECDSA signature to derive an app-specific key. Aztec Connect is a very widely-used example where this happens. Firn is another. if a service such as that were to make a snap, then that signature needs to be kept inside the snap. if a malicious dapp were to see it, and, say, exfiltrate it to the owners of the dapp, then the user would lose funds (and privacy to boot). |
Yes, I'm aware that this is a huge security concern. If the signature needs to be secret, you can either filter the domain of the dapp that requests the signature (using SIWE and at the RPC level), or I understand if you would rather wait until this new API lands in the Snaps API in stable. |
i have to admit i just truly don't catch the drift of this whole "static" vs. "dynamic permissions" distinction.
i have no idea why these methods in particular would require "dynamic" permissions, or why any method for that matter should. can you just make them static for now? |
It has to do with how the underlying MetaMask system works.
The Snaps platform is all about balancing developer convenience with user security. Snaps are very powerful programs, and while we could allow developers to do all sorts of things, there are many things that would come at the expense of user security. We made a decision to remove access to So no, we cannot make them static for now. |
so what i'm gathering is that each snap is essentially entirely oblivious of which indeed, even the workaround where the dapp passes in |
Yes, this is a correct understanding of Snaps v1. |
i see, thanks. suffice it to say that i consider this to be a pretty restricted feature set, and am fairly surprised that anyone else can do anything useful with it. please let me know (perhaps in this thread) once this changes. thanks in advance. |
1f6f21e
to
e0865bc
Compare
@metamaskbot publish-preview |
Preview builds have been published. See these instructions for more information about preview builds. Expand for full list of packages and versions.
|
e0865bc
to
d9665e8
Compare
wallet_requestSnaps
and add dynamic permission support
Codecov Report
@@ Coverage Diff @@
## main #1421 +/- ##
==========================================
+ Coverage 95.12% 95.31% +0.18%
==========================================
Files 219 219
Lines 4988 4995 +7
Branches 765 766 +1
==========================================
+ Hits 4745 4761 +16
+ Misses 243 234 -9
|
* @param permissionNames - The names of the permissions. | ||
* @throws If non-dynamic permissions are passed. | ||
*/ | ||
revokeDynamicSnapPermissions( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we just name this revokePermissions
? Is there a need (in the long term) to make a difference between dynamic and static permissions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure. I named it like this to avoid confusion with the PermissionController
.
If all snap permissions end up being dynamic we can probably just remove this again and use the PermissionController directly. But for now it needs to be managed by the SnapController 🤔
hello, can i please ask when this will be released into a metamask flask build? alternatively, is there a way i can locally install this / start testing and developing now? thanks in advance. |
@firnprotocol This has been merged to the MetaMask develop branch, so if you are comfortable building the extension yourself you can do that to leverage this new change! There should be instructions in the README on building. This will be included in a future MetaMask Flask release, probably within a week or two. |
hi @FrederikBolding, thanks. confirmed that i am now able to call however, edit: looks like |
Hi @firnprotocol can you try using |
hi @Montoya. same issue—and in fact you can check that snaps/packages/snaps-execution-environments/src/common/utils.ts Lines 105 to 124 in 0934b73
|
@firnprotocol We are currently working on unblocking |
@FrederikBolding cool. any rough time estimate available? to clarify, it was only ever |
wallet_requestSnaps
and add dynamic permission supporteth_requestAccounts
and add dynamic permission support
This PR unblocks
eth_requestAccounts
and add dynamic permission support to the SnapController. This will allow Snaps to requesteth_requestAccounts
and get the dynamiceth_accounts
permission. These dynamic permissions can be revoked again viaSnapController:revokeDynamicPermissions
.Unblocking
eth_accounts
gives snaps access to more RPC methods by default. We disable these as the extension confirmations aren't ready to support snaps quite yet.This PR needs changes in the extension as well.
Fixes #1451
Fixes #1452