From 3a6595733992ae01e192e3edfad605337fb79a0f Mon Sep 17 00:00:00 2001 From: Jiahui Hu Date: Mon, 4 Mar 2024 19:11:21 -0500 Subject: [PATCH] [ANCHOR-591] Add clients config to sep10 auth configuration (#347) * add clients config to sep10 auth * prettier * address comments * format and lint * address comments --- .../anchor-platform/sep10/configuration.mdx | 49 +++++++++++++++++-- .../anchor-platform/sep24/faq.mdx | 5 +- 2 files changed, 47 insertions(+), 7 deletions(-) diff --git a/docs/anchoring-assets/anchor-platform/sep10/configuration.mdx b/docs/anchoring-assets/anchor-platform/sep10/configuration.mdx index 91d39b68c..bf01374eb 100644 --- a/docs/anchoring-assets/anchor-platform/sep10/configuration.mdx +++ b/docs/anchoring-assets/anchor-platform/sep10/configuration.mdx @@ -40,17 +40,56 @@ By default, the Anchor Platform allows anyone with a Stellar account to authenti ```bash # dev.env SEP10_CLIENT_ATTRIBUTION_REQUIRED=true -SEP10_CLIENT_ATTRIBUTION_ALLOWLIST=lobstr.co,api.vibrantapp.com,decaf.so,api.beansapp.com +``` + + + + -SEP10_REQUIRE_KNOWN_OMNIBUS_ACCOUNT=true -SEP10_OMNIBUS_ACCOUNT_LIST=GBIBMZNXMD3P7HXVQCYIWWT5NG43NEIIY7VYBQ5SADV6UULUKCAJTGPG +```yaml +clients: + # Each item in the list may contain the following fields: + # - name: (required) the name of the client + # - type: (required) `custodial` or `noncustodial` + # + # If the type is `custodial`, + # - signing_key: (required) the custodial SEP-10 signing key of the client. + # - callback_url: (optional) the URL of the client's callback API endpoint. + # - allow_any_destination: (optional) default to false. If set to true, allows any destination for deposits. + # - destination_accounts: (optional) list of accounts allowed to be used for the deposit. If allows_any_destinations set to true, this configuration option is ignored. + # + # If the type is `noncustodial`, + # - domain: (required) the domain of the client. + # - callback_url: (optional) the URL of the client's callback API endpoint + # - signing_key: (optional) the signing key of the client. + + # custodial client + - name: custodial-client1 + type: custodial + signing_key: "the custodial SEP-10 signing key of the client1" + callback_url: https://callback.custodial-client1.com/api/v1/anchor/callback + allow_any_destination: false + destination_accounts: + - name: custodial-client2 + type: custodial + signing_key: "the custodial SEP-10 signing key of the client2" + + # noncustodial client + - name: noncustodial-client1 + type: noncustodial + domain: noncustodial-client1.co + callback_url: https://callback.noncustodial-client1.co/api/v2/anchor/callback + signing_key: "the signing key of the client1" + - name: noncustodial-client2 + type: noncustodial + domain: noncustodial-client2.com ``` -`SEP10_CLIENT_ATTRIBUTION_REQUIRED` informs the Anchor Platform whether or not it should allow users of non-custodial wallets to authenticate without the wallet also identifying itself, and `SEP10_CLIENT_ATTTRIBUTION_ALLOWLIST` is the list of non-custodial wallets that can create authenticated sessions with your services. +`SEP10_CLIENT_ATTRIBUTION_REQUIRED` informs the Anchor Platform whether it should allow users of noncustodial wallets to authenticate without the wallet also identifying itself. -`SEP10_REQUIRE_KNOWN_OMNIBUS_ACCOUNT` informs the Anchor Platform whether or not it should allow users of custodial wallets to authenticate without the custodial wallet's public key being included in the `SEP10_OMNIBUS_ACCOUNT_LIST`. +`CLIENTS` is the list of outside wallet servers or clients for the Anchor server to safely communicate with. ## Modify a Stellar Info File diff --git a/docs/anchoring-assets/anchor-platform/sep24/faq.mdx b/docs/anchoring-assets/anchor-platform/sep24/faq.mdx index 69b332641..825baccce 100644 --- a/docs/anchoring-assets/anchor-platform/sep24/faq.mdx +++ b/docs/anchoring-assets/anchor-platform/sep24/faq.mdx @@ -12,7 +12,7 @@ This JWT token will contain: 1. `exp` is the expiration time of the token. You should check that the provided token has not expired. 2. `sub` is the account associated with this transaction. It can be used to identify the user account. Note that this value may be different from the account that will be used to receive/send funds. 3. `jti` is the hash of the transaction. -4. `data` is the extra payload that has been set by the user. It will always contain the Stellar `asset` wants to deposit or withdraw. If provided by the client, it will also contain the `amount` the user wants to transact, the `client_domain` of the wallet verified during SEP-10 authentication, and the `lang` (language) preference of the user. +4. `data` is the extra payload that has been set by the user. It will always contain the Stellar `asset` wants to deposit or withdraw. If provided by the client, it will also contain the `amount` the user wants to transact, the `client_domain` of the wallet verified during SEP-10 authentication, and the `lang` (language) preference of the user, and `client_name` (defined as 'name' in [clients] configuration if provided). ### How To Provide Fees? @@ -32,7 +32,8 @@ You should use the `sub` field of the JWT token. For custodial wallets, this val ### How to identify the wallet? -You should use a combination of `sub` and `data.client_domain` fields of the JWT token. For custodial wallets, the `sub` value will be in the format `account:memo`. Use the account to identify the wallet. For noncustodial wallets, use the `data.client_domain` field. Note that the wallet must provide the `client_domain` beforehand as a part of SEP-10 authentication. +Utilize the `data.client_domain` attributes within the JWT token. In the presence of [clients] configuration, the JWT token will additionally incorporate the `data.client_name` field, enabling wallet identification. [sep-9]: https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0009.md [sep-24]: https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0024.md +[clients]: docs/anchoring-assets/anchor-platform/sep10/configuration.mdx