Capability to unlock an account?

[gkd720]

I had previously been developing a simple app to record data into the Ethereum blockchain, and had used the web3.js package because I was in a javascript/Angular/browser world. I've now switched over to a flutter/dart native device application and will be trying to use this package. I had made some accounts using 'geth', and then, in my application, enabled them to send transactions with 'eth.personal.unlockAccount(....)', providing the method with a dynamically-decided-on account. I see here that sending a transaction had a comment that the account must be unlocked, suggesting no inbuilt/automatic way of unlocking an account. Does this package provide any mechanism to do that? I see a 'geth --unlock --password ...', but this suggests firing up another geth instance. I also see a 'geth attach', but this suggests that it sets up an interactive javascript environment to the geth node, and I'm not clear if that's usable. So I'm not clear on how to programmatically unlock an account. I guess one might permanently unlock any accounts that might send transactions, but that seems rather insecure. Any thoughts or guidance on how I might approach this? Thanks.

[shamblett]

Just looking at the JSON RPC page the only mention of unlock is for the eth_sign method, which says the account should be unlocked, so it looks as though there's no JSON API for this, however I could have missed something here, how does the web3.js package do this? If it can be done over JSON RPC I'll update the package to include it.

I'm just updating the package for Dart 2 usage, when this is complete I'll have a deeper look at this.

[gkd720]

Thanks for checking into this. Yeah, good question. Searching through 0.x.x and 1.x.x web3.js code for 'unlockAccount', I don't see where it's actually turned into a JSON API call. I just see a few lines that I think are a template for Typescript's static type checking in https://github.com/ethereum/web3.js/tree/1.0ES6/packages/web3-eth-personal/src with a Readme a level up. Searching finds answers at https://ethereum.stackexchange.com/questions/8478/account-is-locked-how-to-unlock-it-using-json-rpc and https://ethereum.stackexchange.com/questions/4157/how-to-unlock-the-account-with-geth (with the first link showing the direct JSON call/syntax). Seeing it missing on the JSON RPC page, I guess this means it's not required? So if web3.js implemented it, they were just being helpful? Or is that some optional defined extension? I think I read that 'geth' has a web3 package inside it. So how did they know if they should, and how to, implement handling unlockAccount? Are the geth/web3 people all buddies, or the same people? Thanks again.

Updated 8/16/2018:

Also, I had planned on using web3.js' 'ecrecover' function to retrieve the account from the signed data and a signature. Documentation at https://web3js.readthedocs.io/en/1.0/web3-eth-personal.html. Looks like this is in the same package as 'unlockAccount' and also not in the JSON RPC spec, so I guess these are a collection of helper utilities/functions for working with the blockchain. Not sure what the raw json should look like though. I'll look into the web3.js implementation to see if I can piece it together.

Updated 8/20/2018:

OK, it's a little clearer now. There is another set of management APIs available in 'geth': https://github.com/ethereum/go-ethereum/wiki/Management-APIs. In there are the 'personal' ones I was mentioning (unlockAccount, ecrecover). Looks like the web3.js package I originally used implemented/wrapped calls to these geth APIs, and I guess I thought all APIs were part of any 'web3' implementation, but maybe anything beyond the core transaction related ones are considered optional.