CIP-0030 | Dapp-Connector #88
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,250 @@ | ||
| --- | ||
| CIP: 30 | ||
| Title: Cardano dApp-Wallet Web Bridge | ||
| Authors: rooooooooob | ||
| Comments-URI: https://github.com/cardano-foundation/CIPs/pull/88 | ||
| Status: Draft | ||
| Type: Standards | ||
rooooooooob marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| Created: 2021-04-29 | ||
| License: CC-BY-4.0 | ||
| --- | ||
|
|
||
| # Abstract | ||
|
|
||
| This documents describes a webpage-based communication bridge allowing webpages (i.e. dApps) to interface with Cardano wallets. This is done via injected javascript code into webpages. This specification defines the manner that such code is to be accessed by the webpage/dApp, as well as defining the API for dApps to communicate with the user's wallet. This document currently concerns the Shelley-Mary era but will have a second version once Plutus is supported. This specification is intended to cover similar use cases as web3 for Ethereum or [EIP-0012](https://github.com/ergoplatform/eips/pull/23) for Ergo. The design of this spec was based on the latter. | ||
rooooooooob marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
|
||
|
|
||
| # Motivation | ||
|
|
||
| In order to facilitate future dApp development, we will need a way for dApps to communicate with the user's wallet. While Cardano does not yet support smart contracts, there are still various use cases for this, such as NFT management. This will also lay the groundwork for an updated version of the spec once the Alonzo hardfork is released which can extend it to allow for Plutus support. | ||
|
|
||
|
|
||
|
|
||
| # Specification | ||
|
|
||
| ## Version | ||
|
|
||
| The API specified in this document will count as version 0.1.0 for version-checking purposes below. | ||
|
|
||
| ## Data Types | ||
|
|
||
| ### Bytes | ||
|
|
||
| A hex-encoded string of the corresponding bytes. | ||
|
|
||
| ### cbor\<T> | ||
|
|
||
| A hex-encoded string representing [CBOR](https://tools.ietf.org/html/rfc7049) corresponding to `T` defined via [CDDL](https://tools.ietf.org/html/rfc8610) either inside of the [Shelley Mult-asset binary spec](https://github.com/input-output-hk/cardano-ledger-specs/blob/0738804155245062f05e2f355fadd1d16f04cd56/shelley-ma/shelley-ma-test/cddl-files/shelley-ma.cddl) or, if not present there, from the [CIP-0008 signing spec](https://github.com/cardano-foundation/CIPs/blob/master/CIP-0008/CIP-0008.md). | ||
|
There was a problem hiding this comment. Why is the CBOR represented as a hex string instead of a There was a problem hiding this comment. Yes it incurs serialization overhead, but that should be quite minimal compared to everything else going on. I do also like that we are maintaining that the API as pure and direct JSON compatible in case we ever want to extend it to other approaches (e.g. Wallet Connect like functionality). |
||
| This representation was chosen when possible as it is consistent across the Cardano ecosystem and widely used by other tools, such as [cardano-serialization-lib](https://github.com/Emurgo/cardano-serialization-lib), which has support to encode every type in the binary spec as CBOR bytes. | ||
|
|
||
| ### TransactionUnspentOutput | ||
|
|
||
| If we have CBOR specified by the following CDDL referencing the Shelley-MA CDDL: | ||
| ```cddl | ||
| transaction_unspent_output = [ | ||
| input: transaction_input, | ||
| output: transaction_output, | ||
| ] | ||
| ``` | ||
| then we define | ||
| ``` | ||
| type TransactionUnspentOutput = cbor<transaction_unspent_output> | ||
| ``` | ||
|
|
||
| This allows us to use the output for constructing new transactions using it as an output as the `transaction_output` in the Shelley Multi-asset CDDL does not contain enough information on its own to spend it. | ||
|
|
||
| ### Paginate | ||
|
|
||
| ``` | ||
| type Paginate = {| | ||
| page: number, | ||
|
There was a problem hiding this comment. This isn't sufficient information because wallet state could change in-between pages (either new entries added or a rollback causing entries to be removed) Due to this fact, I don't think it necessarily makes sense to have a unified paging system since the anchor to use depends on the data type you're looking for (txs, addresses, etc.) If you feel this problem isn't really solvable, probably we should at least mention the pagination system has this possibility for error |
||
| limit: number, | ||
| |}; | ||
| ``` | ||
| Used to specify optional pagination for some API calls. Limits results to {limit} each page, and uses a 0-indexing {page} to refer to which of those pages of {limit} items each. dApps should be aware that if a wallet is modified between paginated calls that this will change the pagination, e.g. some results skipped or showing up multiple times but otherwise the wallet must respect the pagination order. | ||
|
|
||
|
|
||
| ## Error Types | ||
|
|
||
| ### APIError | ||
|
|
||
| ``` | ||
| APIErrorCode { | ||
| InvalidRequest: -1, | ||
| InternalError: -2, | ||
| Refused: -3, | ||
| AccountChange: 4, | ||
| } | ||
| APIError { | ||
| code: APIErrorCode, | ||
| info: string | ||
| } | ||
| ``` | ||
|
|
||
| * InvalidRequest - Inputs do not conform to this spec or are otherwise invalid. | ||
| * InternalError - An error occurred during execution of this API call. | ||
| * Refused - The request was refused due to lack of access - e.g. wallet disconnects. | ||
| * AccountChange - The account has changed. The dApp should call `wallet.enable()` to reestablish connection to the new account. The wallet should not ask for confirmation as the user was the one who initiated the account change in the first place. | ||
|
There was a problem hiding this comment. We had no other way of knowing with the events API removed so I added this in. It's not ideal control flow but it should suffice until we have that implemented. |
||
|
|
||
| ### DataSignError | ||
|
|
||
| ``` | ||
| DataSignErrorCode { | ||
| ProofGeneration: 1, | ||
| AddressNotPK: 2, | ||
| UserDeclined: 3, | ||
| InvalidFormat: 4, | ||
| } | ||
| type DataSignError = { | ||
| code: DataSignErrorCode, | ||
| info: String | ||
| } | ||
| ``` | ||
|
|
||
| * ProofGeneration - Wallet could not sign the data (e.g. does not have the secret key associated with the address) | ||
| * AddressNotPK - Address was not a P2PK address and thus had no SK associated with it. | ||
| * UserDeclined - User declined to sign the data | ||
| * InvalidFormat - If a wallet enforces data format requirements, this error signifies that the data did not conform to valid formats. | ||
|
|
||
| ### PaginateError | ||
|
|
||
| ``` | ||
| type PaginateError = {| | ||
| maxSize: number, | ||
| |}; | ||
| ``` | ||
| {maxSize} is the maximum size for pagination and if the dApp tries to request pages outside of this boundary this error is thrown. | ||
|
|
||
| ### TxSendError | ||
|
|
||
| ``` | ||
| TxSendErrorCode = { | ||
| Refused: 1, | ||
| Failure: 2, | ||
| } | ||
| type TxSendError = { | ||
| code: TxSendErrorCode, | ||
| info: String | ||
| } | ||
| ``` | ||
|
|
||
| * Refused - Wallet refuses to send the tx (could be rate limiting) | ||
| * Failure - Wallet could not send the tx | ||
|
|
||
| ### TxSignError | ||
|
|
||
| ``` | ||
| TxSignErrorCode = { | ||
| ProofGeneration: 1, | ||
| UserDeclined: 2, | ||
| } | ||
| type TxSignError = { | ||
| code: TxSignErrorCode, | ||
| info: String | ||
| } | ||
| ``` | ||
|
|
||
| * ProofGeneration - User has accepted the transaction sign, but the wallet was unable to sign the transaction (e.g. not having some of the private keys) | ||
| * UserDeclined - User declined to sign the transaction | ||
|
|
||
|
|
||
|
|
||
| ## Initial API | ||
|
|
||
| In order to initiate communication from webpages to a user's Cardano wallet, the wallet must provide the following javascript API to the webpage. A shared, namespaced `cardano` object must be injected into the page if it did not exist already. Each wallet implementing this standard must then create a field in this object with a name unique to each wallet containing a `wallet` object with the following methods. The API is split into two stages to maintain the user's privacy, as the user will have to consent to `cardano.walletName.enable()` in order for the dApp to read any information pertaining to the user's wallet. | ||
|
|
||
|
There was a problem hiding this comment. What about using a dedicated namespace on the global object instead of prefixed functions. That is, have There was a problem hiding this comment. Hmmm. A There was a problem hiding this comment. Exactly. The There was a problem hiding this comment. We did this two-phase so that the cardano object was separate and if it exists then it meant that the rest of the API was injected. It was originally all in there e.g. At page load those 2 functions are injected, and if There was a problem hiding this comment. Another idea I had thought of previously was if There was a problem hiding this comment.
Well at first I had wanted to simplify things so that dApps wouldn't have access to those APIs until they had been granted access without having to check for API access denied errors in every endpoint, but it's not really a valid point once you realize that you'll need to handle those anyway if a wallet cancels access later on after injection. It does let us potentially go with that returning the There was a problem hiding this comment. Yeah I think just hiding the endpoints, doesn't fully prevent someone from accessing the wallet actually, since you communicate with window.postMessage. so the prevention needs to be in the extension itself. I would also prefer to move it under the same name space. and maybe make it shorter like: There was a problem hiding this comment. @alessandrokonrad It absolutely doesn't on its own. That is up to the wallet's implementation. When we implemented the ergo dApp connector spec in Yoroi we handle the connections from inside the Yoroi extension so Yoroi will only only respond to requests from pages that it considers connected, which can only happen if the connect request was accepted by the user (either by whitelisting the site or by the popup). You can't assume much at all in the way of security guarantees whatsoever in the injected code. That's why we treat the There was a problem hiding this comment. Concerning this, we could potentially expand on this and other implementation-related security issues in the spec, but it might be outside of the scope. There was a problem hiding this comment. I changed how these things work while I was reworking the wallet connection UX for when you have multiple wallets (e.g. Yoroi + AdaLite) that need to inject their API. |
||
| ### wallet.enable(): Promise\<API> | ||
|
|
||
| Errors: APIError | ||
|
|
||
| This is the entrypoint to start communication with the user's wallet. The wallet should request the user's permission to connect the web page to the user's wallet, and if permission has been granted, the full API will be returned to the dApp to use. The wallet can choose to maintain a whitelist to not necessarily ask the user's permission every time access is requested, but this behavior is up to the wallet and should be transparent to web pages using this API. If a wallet is already connected this function should not request access a second time, and instead just return the `API` object. | ||
|
|
||
| ### wallet.isEnabled(): Promise\<bool> | ||
|
|
||
| Errors: APIError | ||
|
|
||
| Returns true if the dApp is already connected to the user's wallet, or if requesting access would return true without user confirmation (e.g. the dApp is whitelisted), and false otherwise. If this function returns true, then any subsequent calls to `wallet.enable()` during the current session should succeed and return the `API` object. | ||
|
|
||
| ### wallet.apiVersion: String | ||
|
|
||
| The version number of the API that the wallet supports. | ||
|
|
||
|
|
||
| ### wallet.name: String | ||
|
|
||
| A name for the wallet which can be used inside of the dApp for the purpose of asking the user which wallet they would like to connect with. | ||
|
|
||
| ### wallet.icon: String | ||
|
|
||
| A URI image (e.g. data URI base64 or other) for img src for the wallet which can be used inside of the dApp for the purpose of asking the user which wallet they would like to connect with. | ||
|
|
||
|
|
||
| ## Full API | ||
|
|
||
| Upon successful connection via `wallet.enable()`, a javascript object we will refer to as `API` (type) / `api` (instance) is returned to the dApp with the following methods. All read-only methods (all but the signing functionality) should not require any user interaction as the user has already consented to the dApp reading information about the wallet's state when they agreed to `wallet.enable()`. The remaining methods `api.signTx()` and `api.signData()` must request the user's consent in an informative way for each and every API call in order to maintain security. | ||
|
|
||
| The API chosen here is for the minimum API necessary for dApp <-> Wallet interactions without convenience functions that don't strictly need the wallet's state to work. The API here is for now also only designed for Shelley's Mary hardfork and thus has NFT support. When Alonzo is released with Plutus support this API will have to be extended. | ||
|
|
||
| ### api.getNetworkId(): Promise\<number> | ||
|
There was a problem hiding this comment. I would open the option to return more integers values for future testnets or private networks. There was a problem hiding this comment. Would simply mentioning that it could be a non 0/1 value be fine and just mention that values that aren't 0/1 are not regulated by this documented? (unless some other CIP or registry or whatever comes out for registering other testnets like all the ones that exist for Ethereum for example) |
||
|
|
||
| Errors: `APIError` | ||
|
|
||
| Returns the network id of the currently connected account. 0 is testnet and 1 is mainnet but other networks can possibly be returned by wallets. Those other network ID values are not governed by this document. This result will stay the same unless the connected account has changed. | ||
|
|
||
| ### api.getUtxos(amount: cbor\<value> = undefined, paginate: Paginate = undefined): Promise\<TransactionUnspentOutput[] | undefined> | ||
|
|
||
| Errors: `APIError`, `PaginateError` | ||
|
|
||
| If `amount` is `undefined`, this shall return a list of all UTXOs (unspent transaction outputs) controlled by the wallet. If `amount` is not `undefined`, this request shall be limited to just the UTXOs that are required to reach the combined ADA/multiasset value target specified in `amount`, and if this cannot be attained, `undefined` shall be returned. The results can be further paginated by `paginate` if it is not `undefined`. | ||
|
|
||
| ### api.getBalance(): Promise\<cbor\<value>> | ||
|
|
||
| Errors: `APIError` | ||
|
|
||
| Returns the total balance available of the wallet. This is the same as summing the results of `api.getUtxos()`, but it is both useful to dApps and likely already maintained by the implementing wallet in a more efficient manner so it has been included in the API as well. | ||
|
|
||
| ### api.getUsedAddresses(paginate: Paginate = undefined): Promise\<cbor\<address>[]> | ||
|
|
||
| Errors: `APIError` | ||
|
|
||
| Returns a list of all used (included in some on-chain transaction) addresses controlled by the wallet. The results can be further paginated by `paginate` if it is not `undefined`. | ||
|
|
||
| ### api.getUnusedAddresses(): Promise\<cbor\<address>[]> | ||
|
|
||
| Errors: `APIError` | ||
|
|
||
| Returns a list of unused addresses controlled by the wallet. | ||
|
|
||
| ### api.getChangeAddress(): Promise\<cbor\<address>> | ||
|
|
||
| Errors: `APIError` | ||
|
|
||
| Returns an address owned by the wallet that should be used as a change address to return leftover assets during transaction creation back to the connected wallet. This can be used as a generic receive address as well. | ||
|
|
||
|
There was a problem hiding this comment. What call would the dApp need to invoke to fetch the staking key of the wallet, e.g. to perform a stake delegation? It could infer it from the addresses returned via any of the already existing There was a problem hiding this comment. I added in a |
||
| ### api.getRewardAddresses(): Promise\<cbor\<address>[]> | ||
|
|
||
| Errors: `APIError` | ||
|
|
||
| Returns the reward addresses owned by the wallet. This can return multiple addresses e.g. CIP-0018. | ||
|
|
||
| ### api.signTx(tx: cbor\<transaction>, partialSign: bool = false): Promise\<cbor\<transaction_witness_set>> | ||
|
|
||
| Errors: `APIError`, `TxSignError` | ||
|
|
||
| Requests that a user sign the unsigned portions of the supplied transaction. The wallet should ask the user for permission, and if given, try to sign the supplied body and return a signed transaction. If `partialSign` is true, the wallet only tries to sign what it can. If `partialSign` is false and the wallet could not sign the entire transaction, `TxSignError` shall be returned with the `ProofGeneration` code. Likewise if the user declined in either case it shall return the `UserDeclined` code. Only the portions of the witness set that were signed as a result of this call are returned to encourage dApps to verify the contents returned by this endpoint while building the final transaction. | ||
|
|
||
| ### api.signData(addr: cbor\<address>, sigStructure: cbor\<Sig_structure>): Promise\<Bytes> | ||
|
|
||
| Errors: `APIError`, `DataSignError` | ||
|
|
||
| This endpoint utilizes the [CIP-0008 signing spec](https://github.com/cardano-foundation/CIPs/blob/master/CIP-0008/CIP-0008.md) for standardization/safety reasons. It allows the dApp to request the user to sign data conforming to said spec. The user's consent should be requested and the details of `sig_structure` shown to them in an informative way. The Please refer to the CIP-0008 spec for details on how to construct the sig structure. | ||
|
|
||
| ### api.submitTx(tx: cbor\<transaction>): Promise\<hash32> | ||
|
|
||
| Errors: `APIError`, `TxSendError` | ||
|
|
||
| As wallets should already have this ability, we allow dApps to request that a transaction be sent through it. If the wallet accepts the transaction and tries to send it, it shall return the transaction id for the dApp to track. The wallet is free to return the `TxSendError` with code `Refused` if they do not wish to send it, or `Failure` if there was an error in sending it (e.g. preliminary checks failed on signatures). | ||
|
|
||
rooooooooob marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| # Implementations | ||
|
|
||
| [nami-wallet](https://github.com/Berry-Pool/nami-wallet/blob/master/src/pages/Content/injected.js) | ||
|
There was a problem hiding this comment. CIP1 does mention there should be tests for implementations but I'm not sure how you'd test that for code injection so maybe it's fine. nami-wallet does also implement part of the events API which is removed from this CIP now as well. There was a problem hiding this comment. @rooooooooob The tests refer to changes on core aspects of the protocol one would propose to change - this being a connector, no tests required. From here once merged, a "Path to Active" proposal / addition to your PR, so it can be moved to 'Proposed' or 'Active' (ex: "I propose this be moved to 'Active' when x dapps have demonstrated integrations aligned with this CIP") |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly, add more authors here to include people who have actively contributed to the writing of this specification?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What would we use for the threshold? Like @alessandrokonrad who has contributed significantly to discussion?