
Account Sessions System (Cookie-Like) #1499

Open
moul opened this issue Jan 6, 2024 · 13 comments

Comments

@moul
Member

moul commented Jan 6, 2024

We are preparing for an upcoming discussion on the session system that we want to develop in the account module of tm2.

Please note that the @gnolang/berty and VarMeta teams will be discussing this in the next few days. I will also provide more information here shortly.

Related to #1375


TODO(manfred): explain this list in more detail:

  • Design a version with only contracts and another with blockchain.
  • Require a secure flow for mobile and desktop wallets, possibly using QR codes or small hashes, with the option for TOTP and passwords.
@dongwon8247
Member

dongwon8247 commented Jan 8, 2024

@AnhVAR @nhatran Let's continue the discussion here

@AnhVAR

AnhVAR commented Jan 8, 2024

SDK
Here is my idea for that. The main account will be stored in wallets; each application, such as a game or a social app, will generate a Session Account to perform all actions without needing to request acceptance from the main wallet many times.

@Nhatran94

@moul @dongwon8247 please give feedback

@AnhVAR

AnhVAR commented Jan 12, 2024

demo_H.264.mp4

We made a sample demo following our solution. As you can see in the video, we made a smart contract with which we can link the main account with a session account. After that, the main account can authorize session accounts to perform actions on chain.
@moul @dongwon8247 @Nhatran94

@AnhVAR

AnhVAR commented Mar 27, 2024

@jaekwon Should we build a feature that is only an account session, or should we build a feature that is similar to account abstraction on ETH? gnolang/hackerspace#58

@dongwon8247
Member

@moul @jaekwon @zivkovicmilos @Nhatran94 @AnhVAR Can Onbloc also work on this Account Session feature? I'm personally interested in what this will bring to the Web3 wallets in terms of UX, and this could be one of the unique features that Gno offers to the ecosystem.

@Nhatran94

Of course, @dongwon8247, we would love to have you join us on this.

@notJoon
Member

notJoon commented Apr 15, 2024

The diagram below shows a rough flow of the Account Session that I have in mind.

```mermaid
sequenceDiagram
participant User
participant Client
participant SessionAccount
participant PrimaryAccount
participant ACL

User->>Client: Login request
Client->>PrimaryAccount: User authentication request
PrimaryAccount->>Client: Authentication result returned
Client->>SessionAccount: SessionAccount creation request
SessionAccount->>PrimaryAccount: Permission delegation request
PrimaryAccount->>ACL: Permission verification request
ACL->>PrimaryAccount: Permission verification result returned
PrimaryAccount->>SessionAccount: Permission delegation approved
SessionAccount->>Client: SessionAccount creation completed

loop User request processing
    User->>Client: Service request
    Client->>SessionAccount: Signature request
    SessionAccount->>PrimaryAccount: Signature permission verification request
    PrimaryAccount->>ACL: Permission verification request
    ACL->>PrimaryAccount: Permission verification result returned
    PrimaryAccount->>SessionAccount: Signature permission verification result returned
    alt Signature permission granted
        SessionAccount->>PrimaryAccount: Signature request
        PrimaryAccount->>PrimaryAccount: Signature processing
        PrimaryAccount->>SessionAccount: Signature result returned
        SessionAccount->>Client: Signature result returned
        Client->>User: Service response
    else Signature permission denied
        SessionAccount->>Client: Signature permission denied error returned
        Client->>User: Error response
    end
end

User->>Client: Logout request
Client->>SessionAccount: Session termination request
SessionAccount->>PrimaryAccount: Permission revocation request
PrimaryAccount->>ACL: Permission revocation request
ACL->>PrimaryAccount: Permission revocation completed
PrimaryAccount->>SessionAccount: Permission revocation completed
SessionAccount->>Client: Session termination completed
```

It would be good to use ACL (Account Control List) to grant access permissions or assign arbitrary roles to certain groups or users and grant permissions based on those roles. [1]

Expanding on this concept, we can allow the Primary Account (PA) to grant the Session Account (SA) the authority to sign under certain conditions. With this approach, the users can interact with dApps using the SA without directly accessing the PA.

Using a DAO as an example, Tier1DAO can grant Tier2DAO the authority to sign within a certain amount, and Tier2DAO can grant Tier3DAO the authority to sign within an even smaller amount, and so on.

Furthermore, as much as this concept is used to enhance security, it is crucial to thoroughly separate them so that even if a lower-level session is attacked, it does not affect the root accounts (or higher-level accounts). Moreover, to ensure consistency, even when a session is used, the actual signing must occur in the PA.

cc: @zivkovicmilos @dongwon8247


[1] I think we can use the Directory type of the p/demo/acl package.
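As an added illustration (not code from this issue or from the gno repository), here is a Go sketch of the tiered delegation described above: each Session Account is delegated by a parent with a limit no larger than the parent's, delegation requires the delegate to be on the parent's ACL, revoking a tier cuts off everything below it, and the signature is only ever produced at the Primary Account. The type `Account`, the functions `NewPrimary`, `Allow`, `Delegate` and `Sign`, and the in-memory `acl` map standing in for `p/demo/acl` are all assumptions of this example.

```go
package main

import "fmt"

// Account is a Primary Account (Parent == nil) or a Session Account that a
// parent delegated to; Limit is the largest amount this tier may authorize.
type Account struct {
	Addr    string
	Parent  *Account
	Limit   uint64
	Revoked bool
	acl     map[string]bool // addresses allowed to request delegation here
}

// NewPrimary constructs a PA holding the root signing limit.
func NewPrimary(addr string, limit uint64) *Account {
	return &Account{Addr: addr, Limit: limit, acl: map[string]bool{}}
}

// Allow adds addr to this account's ACL (assumed stand-in for p/demo/acl roles).
func (a *Account) Allow(addr string) { a.acl[addr] = true }

// Delegate creates a child session for addr, as Tier1DAO -> Tier2DAO above:
// addr must be on the ACL and the child's limit can never exceed the parent's.
func (a *Account) Delegate(addr string, limit uint64) (*Account, error) {
	if !a.acl[addr] {
		return nil, fmt.Errorf("%s is not allowed to receive delegation from %s", addr, a.Addr)
	}
	if limit > a.Limit {
		return nil, fmt.Errorf("limit %d exceeds parent limit %d", limit, a.Limit)
	}
	return &Account{Addr: addr, Parent: a, Limit: limit, acl: map[string]bool{}}, nil
}

// Sign walks from the session up to the PA, checking every tier's limit and
// revocation flag; only the PA produces the signature, so a compromised
// lower tier can never sign for more than its own limit allows.
func Sign(sa *Account, amount uint64) (string, error) {
	for cur := sa; cur != nil; cur = cur.Parent {
		if cur.Revoked || amount > cur.Limit {
			return "", fmt.Errorf("%s rejects %d (revoked=%v, limit=%d)", cur.Addr, amount, cur.Revoked, cur.Limit)
		}
		if cur.Parent == nil { // reached the PA: the only place signing happens
			return fmt.Sprintf("signed(%s,%d)", cur.Addr, amount), nil
		}
	}
	return "", fmt.Errorf("no primary account reachable from %s", sa.Addr)
}
```

The returned string stands in for a real signature; the point is that the PA's address is the only one that ever appears in it.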

@AnhVAR

AnhVAR commented Apr 15, 2024

Here are a few ideas I have regarding session accounts:

  1. Implement session time limits: I believe that session accounts should have a session time limit, meaning that the account's access would be revoked after a certain period of inactivity. This would enhance security by preventing unauthorized access if the account is left unattended.
  2. Shift signature message generation to session accounts: I'm concerned about the current implementation of signature messages being generated by the primary account. This poses a security risk as hackers could potentially exploit this to interact with the main wallet. To mitigate this risk, we should implement a mechanism where signature messages are generated by the session account instead of the primary account. This would ensure that even if a hacker gains access to the session account, they would not be able to compromise the primary account.

@moul
Member Author

moul commented Apr 21, 2024

I never shared the previous workshop's results on GitHub. It may be challenging to understand without an explanation, but it includes several concepts to keep in mind.

image

Things seem complex. Let's clarify major components and steps at a high level first, then focus on smaller details. Can someone propose something, or else we can resort to a workshop.

I'll add to my to-do list to propose something if nobody else does first.

@jamesnguyentech

Based on what @moul has drawn, I can imagine and want to improve by using SSO service to help users start sessions more conveniently instead of using QR codes. I propose the following. Please contribute further:

We will build a deep account session system within the core blockchain. This system is designed in the direction of a Single Sign-On (SSO) service.

The use of secondary accounts to access assets of the primary account will be determined by the validator (we will update Tendermint 2 for it).

The Dapps must integrate SSO. This involves logging in by signing a message on the primary account.

User Experience:

  1. User clicks on the login button with the account session.
  2. User verifies the scopes of this session (each Dapp will determine different scopes).
  3. User signs, grants permission to the account session.
  4. User uses Dapp with the token provided by SSO (the Dapp does not retain this token).
  5. The account session will have a timeout, or the user can revoke permissions by pressing the end session button.
  6. Users can monitor active sessions and revoke them all on the Adena wallet.

Account session

Permission scopes:

To ensure the security of the primary wallet, Dapps will request scopes for each session. Users will review these scopes and sign off on them.

  1. Execute Transaction
    Rate Limit: 100 transactions/hour
    Gas Limit: 1 GNO
    Valid For: Specified contract, Specified function
  2. Transfer Native Token
    Rate Limit: 10 transfers/day
    Cap Limit: 100 GNO
    Valid For: Native Token
  3. Transfer Custom Token
    Rate Limit: 10 transfers/hour
    Cap Limit: 100 TokenA, 100 TokenB
    Valid For: List specific tokens (e.g., TokenA, TokenB)

Session Expiration:

  1. Fixed Timeout: The session expires after 24 hours from the start of the session.
  2. Sliding Expiration: The expiration time is reset each time the user interacts with the server. (e.g., 30 minutes).

Consensus Modifications:

It will be a new concept when one account can sign transactions for another account. We need to update Tendermint 2 to allow validators to accept those signatures. Additionally, information related to sessions will also be stored on the blockchain to provide Tendermint 2 with confirmation information.

Security:

  1. Private key: The private key will be generated and only stored in the memory of the SSO application (not stored in storage) and ensure that no one can access this memory portion. We can further apply the MPC method (splitting private data and storing it in SSO service and DApp client) or encrypted passwords to enhance security.
  2. Session token: The session tokens are stored in the client browser (or mobile app). Dapps do not have permission to access this information.
  3. Scopes: Whitelisting scopes from Dapp requests can be considered if necessary.
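As an added example (not code from this issue, Adena, or Tendermint 2), here is a Go model of the scope and expiration rules proposed above: each scope carries a rate limit per window, a cap on the total amount, and the targets it is valid for, and the session enforces both a fixed timeout and a sliding inactivity timeout, refreshed on every successful use. The types `Scope` and `Session`, the method `Use`, and treating the cap as a per-session total are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Scope: rate limit per Window, total cap (assumed per session), allowed targets.
type Scope struct {
	RateLimit int
	Window    time.Duration
	CapLimit  uint64
	ValidFor  map[string]bool // contract.function names or token denoms
	used      int             // calls in the current rate window
	windowEnd time.Time
	spent     uint64
}

// Session: granted scopes plus a fixed timeout and a sliding inactivity timeout.
type Session struct {
	Scopes               map[string]*Scope
	Started, LastUsed    time.Time
	FixedTTL, SlidingTTL time.Duration
	Revoked              bool
}

var ErrExpired = errors.New("session expired or revoked")

// Use enforces every limit of the named scope at time now; on success it
// records the use and refreshes the sliding expiration.
func (s *Session) Use(now time.Time, scope, target string, amount uint64) error {
	if s.Revoked || !now.Before(s.Started.Add(s.FixedTTL)) ||
		!now.Before(s.LastUsed.Add(s.SlidingTTL)) {
		return ErrExpired
	}
	sc := s.Scopes[scope]
	if sc == nil || !sc.ValidFor[target] {
		return fmt.Errorf("%q not permitted under scope %q", target, scope)
	}
	if !now.Before(sc.windowEnd) { // new rate window: reset the counter
		sc.windowEnd, sc.used = now.Add(sc.Window), 0
	}
	if sc.used >= sc.RateLimit || sc.spent+amount > sc.CapLimit {
		return fmt.Errorf("rate (%d/%v) or cap (%d) exceeded", sc.RateLimit, sc.Window, sc.CapLimit)
	}
	sc.used, sc.spent, s.LastUsed = sc.used+1, sc.spent+amount, now
	return nil
}
```

Passing `now` in explicitly keeps the checks deterministic; an on-chain version would take the block time instead.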

@AnhVAR

AnhVAR commented May 4, 2024

@moul What do you think about our team's idea?

@Nhatran94

@moul @dongwon8247 can we create a workshop to move it forward? cc @AnhVAR @jamesnguyentech
