status-im/EIPs
2
0
Fork 0
mirror of https://github.com/status-im/EIPs.git synced 2025-02-22 11:48:19 +00:00
Code Issues Projects Releases Wiki Activity

Automatically merged updates to draft EIP(s) 2255 (#3568)

Browse Source 
Hi, I'm a bot! This change was automatically merged because:

 - It only modifies existing Draft, Review, or Last Call EIP(s)
 - The PR was approved or written by at least one author of each modified EIP
 - The build is passing
This commit is contained in:
Erik Marks 2021-05-11 13:02:58 -07:00 committed by GitHub
parent 1359882e69
commit 13e96ca288
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 7 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
EIPS/eip-2255.md
View File

@ -64,7 +64,7 @@ These two methods are used to restrict a few hypothetical "restricted methods".
In this framework, the permission for a user to reveal their accounts would look like this:
```javascript
const response = await provider.send({
const response = await provider.request({
method: 'wallet_requestPermissions',
params: [{
'eth_accounts': {},
@ -72,14 +72,14 @@ const response = await provider.send({
})
```
If this request was rejected, it would throw an error with a `code` value equal to `4001`, per [EIP 1193 errors](./eip-1193.md), which the MetaMask team has canonized in a module [eth-json-rpc-errors](https://github.com/metamask/eth-json-rpc-errors).
If this request was rejected, it would throw an error with a `code` value equal to `4001`, per [EIP-1193 errors](./eip-1193.md), which the MetaMask team has canonized in a module [eth-rpc-errors](https://github.com/metamask/eth-rpc-errors).
If the request is accepted by the user, then subsequent requests to `eth_accounts` will succeed, and return an accounts array as usual.
A call to `wallet_getPermissions` will then return a permissions schema object that describes the current permission.
```javascript
const response = await provider.send({
const response = await provider.request({
method: 'wallet_getPermissions'
})
```
@ -122,7 +122,7 @@ On-chain actions could be represented as a permission under this model, for exam
The `requestPermissions` method could be expanded to include other options related to the requested permissions, for example, sites could request accounts with specific abilities. For example, a website like an exchange that requires `signTypedData_v3` (which is not supported by some hardware wallets), might want to specify that requirement, maybe like this:
```javascript
provider.send({
provider.request({
method: 'requestPermissions',
params: [
{
@ -134,29 +134,15 @@ provider.send({
})
```
That type of API will also be up for discussion on [The MetaMask repository](https://github.com/MetaMask/metamask-extension/issues/6994).
This would allow the wallet to limit the user's options to valid ones, and allows dapps to ensure selected accounts are compatible with their service, while preserving the user's privacy regarding how they are storing their keys.
## Implementation
We have [a branch of MetaMask available now](https://github.com/MetaMask/metamask-extension/tree/LoginPerSite) which adds these methods via an [rpc-engine](https://github.com/MetaMask/json-rpc-engine) middleware called [json-rpc-capabilities-middleware](https://github.com/MetaMask/json-rpc-capabilities-middleware) (or often `RpcCap` internally, for short).
MetaMask uses EIP-2255 to restrict the `eth_accounts` RPC method such that it will return an empty array to any caller that has not been granted the corresponding permission.
The latest build of this branch of MetaMask can be downloaded from [the draft pull request](https://github.com/MetaMask/metamask-extension/pull/7004) (look for the latest post by `@MetaMaskBot`). A guide to adding a custom build of MetaMask to Chrome can be found [here](https://github.com/MetaMask/metamask-extension/blob/develop/docs/add-to-chrome.md).
You can get more detailed API and type information [on the RpcCap repository's readme](https://github.com/MetaMask/rpc-cap#rpc-methods).
This branch of MetaMask can be used with [this sample site](https://metamask.github.io/permissions-adventure/) ([source](https://github.com/metamask/permissions-adventure)), which uses a couple sample permissions for demonstration purposes:
- `readYourProfile`: We have bundled this build with an imaginary concept of a local "profile", a simple [POJO](https://en.wikipedia.org/wiki/Plain_old_Java_object). Eventually this could be extended to instead expose the user's [3box profile](https://3box.io/).
- `writeToYourProfile`: This permission allows the requesting app to freely update/edit the user's profile.
- `sendEther`: A permission allowing the sending of transactions.
![sample dapp](../assets/eip-2255/permissions_adventure.gif)
It is notable that this branch is the first version of MetaMask that allows you to be connected to each site with a different account, which persists on that site, along with any other permissions granted to the site.
You can get more detailed API and type information [on the RpcCap repository's readme](https://github.com/MetaMask/json-rpc-capabilities-middleware#rpc-methods).
New hypothetical and proposed permissions can be easily added to [the `restrictedMethods` hash in the MetaMask permissions controller](https://github.com/MetaMask/metamask-extension/blob/774d931cb9f16a8f2df8c6deee1dd553b40d5ad5/app/scripts/controllers/permissions.js#L187) or proposed for discussion on the [MetaMask/wallet-permissions-spec](https://github.com/MetaMask/wallet-permissions-spec) repository.
New hypothetical and proposed permissions can be easily added to [the `restrictedMethods` in the MetaMask permissions controller](https://github.com/MetaMask/metamask-extension/blob/76a2a9b/app/scripts/controllers/permissions/restrictedMethods.js).
## Copyright