-
Notifications
You must be signed in to change notification settings - Fork 22
/
doc.go
105 lines (105 loc) · 4.28 KB
/
doc.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
// Package api exposes all the wallet capabilities to manage connections,
// wallets, keys, and transactions.
//
// It is built with th JSON-RPC v2 standard. More info:
// See https://www.jsonrpc.org/specification for more information.
//
// # Terminology
//
// User:
//
// The user is the actor behind the API that has the responsibility to
// review and validate the requests. It can be a human or a bot.
//
// Wallet front-end:
//
// The wallet front-end is the interface through which the user interact
// with the API. It can be a command-line interface, a graphical
// user-interface, or a script.
//
// Third-party application:
//
// The application that connects to the API (through HTTP or directly to
// JSON-RPC) to access wallets information, send transaction, etc.
//
// # Third-party application connection workflow
//
// Before sending transaction, a third-party application must initiate a connection.
// The connection workflow consists of:
//
// 1. Obtaining a connection token.
//
// 2. Verifying if the state of the permissions given to the connection.
//
// 3. Request additional permissions if needed.
//
// ## 1. Obtaining a connection token
//
// A connection token is required to access the protected methods.
//
// There are two type of tokens, and the way to obtain them differs:
// - Temporary tokens
// - Long-living tokens
//
// Once obtained, this token must be used to value the `token` property in the
// requests payload of protected endpoints.
//
// ### Temporary tokens
//
// A temporary token is unique, randomly generated and is only valid for the
// duration of the connection between the third-party application and the wallet
// service.
//
// If any of the third-party application or the wallet service decide to end
// the connection, the token is voided. It can't be reused. There is no need for
// third-party applications to save this token for future use.
//
// This token is issued when the third-party application explicitly request a
// connection to a wallet through the `client.connect_wallet` endpoint.
//
// To end the connection, the third-party application can call the `client.disconnect_wallet`.
// endpoint. Once called, the token can no longer be used.
//
// Explicitly requiring a connection requires manual intervention from the user
// to review to connection. While this type of token useful for auditing the
// connections, and make them short-living, it's not suited for a headless software
// (like bots, simulator, etc.) that requires full automation and complete
// independence. For that type of software, long-living-tokens are better suited.
//
// ### Long-living tokens
//
// A long-living token, just like a temporary one, is unique and randomly generated.
// However, it's not voided when the connection between the third-party application,
// and the wallet service ends, nor when the service shutdowns.
//
// Akin to a traditional API token, it can be reused. This aspect makes is
// particularly useful for a headless software to operate independently.
//
// A long-living token must be generated in advance, before the service starts.
// through the `admin.generate_service_token` endpoint. Once generated, and the
// service started, the headless application can skip the call to the `client.connect_wallet`
// endpoint, and directly start calling the protected endpoints.
//
// It's not possible to close a connection initiated with a long-living token.
// Calling the `client.disconnect_wallet`.
//
// ## 2. Verifying the permissions
//
// To ensure a fine-grained control on what a third-party application can or
// can't do, the users can associate a set of permissions to the third-party
// application connection.
//
// In order to figure out what's the state of the permission, the third-party
// application must call the `client.get_permissions` endpoint and compare the
// result with what it requires. It's up to the third-party application to
// determine what it needs access to, and to which extent.
//
// If it has enough permission, then it can proceed with the call to other
// protected methods. If it doesn't, it has to request additional ones.
//
// ## 3. Requesting permissions
//
// If, for any reason, the third-party application doesn't have enough permissions
// to do its job, it has to request addition ones through the `client.request_permissions`
// endpoint.
package api