smartcontract: allow payer access pass for subscribe and delete #3340
Conversation
I understand that the goal of this change is to allow an oracle to subscribe a user to a specific multicast group. From what I see in the code, implementing it this way will require a second access pass keyed by My recommendation is to keep referencing the access pass that was used when the User was created ( With the new permissions model, you will be able to create a permission that allows a user (the oracle) to subscribe users without adding anything to global_state.

We'd have to also allow the feed authority (oracle) to update the user-owned access pass in that scenario. So it's either:

You could also allow the oracle authority to subscribe a user to a multicast group without that permission being granted in the Access Pass. You could register on the multicast group itself that the oracle is authorized to subscribe users to that group without any additional permissions. That way, you would not need to modify existing access passes or create new ones. You would be defining that each multicast group can have an authority allowed to subscribe users. Ultimately, what you want is to grant the oracle the authority to subscribe the user.

This is the main change: you are now assuming the user would no longer be created by the user themselves with their own signature, but instead by the oracle. If that is the case, then I think changing the model so the user is no longer created under the user's own identity is a substantial shift in how users are managed. I think this discussion is already outside the scope of this PR.
1897f17 to 8688d86
Match the connect command's behavior by getting the client IP from the daemon instead of discovering it locally. This avoids mismatches when the daemon has a different view of the public IP (e.g. behind NAT). Extract resolve_client_ip() into a testable method and add unit tests for valid IP, empty IP, invalid IP, and daemon-unreachable cases. Move now-unused look_for_ip helpers behind #[cfg(test)]. Remove deprecated --client-ip from connect/disconnect invocations in e2e tests.
Accept the access pass from either the user's owner or the payer, enabling a third party (e.g. an oracle) to subscribe an existing user to a new multicast group using its own access pass.
Accept the payer's access pass in DeleteUser (same pattern as SubscribeMulticastGroup). Also authorize delete when the payer matches the access pass user_payer field. SDK DeleteUserCommand tries the payer's access pass first, falling back to user.owner's.
8688d86 to ed42d95
Summary
- SubscribeMulticastGroup: accept access pass from either user.owner or payer, allowing a third party to subscribe a user using its own access pass
- DeleteUser: same pattern, accept payer's access pass and authorize delete when payer matches the access pass user_payer field
- DeleteUserCommand (SDK): try payer's access pass first, fall back to user.owner's
- RemoveMulticastGroupSubAllowlist: add feed_authority to auth check
- disconnect: get client IP from daemon instead of local discovery, matching connect behavior (PR'd separately in client: get client IP from daemon in disconnect command #3341, will be merged first)

Testing Verification

- user_payer can delete user, stranger cannot
- feed_authority can remove from subscriber allowlist
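The authorization rules the summary lists, written out as an added, hypothetical model in Rust. This is not the project's smart contract code: the account layouts, the `holder` field, the `Pubkey` alias, the function names and the meaning assigned to `user_payer` (who paid to create the user the pass was used for) are assumptions made for this example; only `user_payer` and `feed_authority` are field names taken from the page. It encodes the two verification cases listed above (user_payer can delete, stranger cannot; feed_authority can remove from the allowlist) plus the SDK lookup order for DeleteUserCommand.

```rust
// Added, hypothetical model of the authorization rules listed in the PR
// summary. Not the project's code: the account layouts, field names other
// than `user_payer` and `feed_authority`, and function names are assumptions.

use std::collections::HashMap;

/// Public key, modelled as a fixed-width byte array.
pub type Pubkey = [u8; 32];

/// Minimal user account: only the owner matters for these checks.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct User {
    pub owner: Pubkey,
}

/// Minimal access pass. `holder` is the key the pass is issued to (the key it
/// is looked up by); `user_payer` is assumed to record who paid to create the
/// user this pass was used for.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AccessPass {
    pub holder: Pubkey,
    pub user_payer: Pubkey,
}

/// Minimal multicast group: its authority and the feed authority (oracle).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct MulticastGroup {
    pub authority: Pubkey,
    pub feed_authority: Pubkey,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    /// The presented pass is keyed by neither `user.owner` nor the payer.
    AccessPassMismatch,
    /// No pass found for either key.
    NoAccessPass,
    /// The signer is not allowed this action.
    Unauthorized,
}

/// Rule shared by SubscribeMulticastGroup and DeleteUser after this PR:
/// the presented pass must belong to the user's owner or to the payer.
fn check_access_pass(pass: &AccessPass, user: &User, payer: &Pubkey) -> Result<(), AuthError> {
    if pass.holder == user.owner || pass.holder == *payer {
        Ok(())
    } else {
        Err(AuthError::AccessPassMismatch)
    }
}

/// SubscribeMulticastGroup: a third party (e.g. an oracle) may subscribe the
/// user with its own pass; the owner may still use theirs.
pub fn authorize_subscribe(pass: &AccessPass, user: &User, payer: &Pubkey) -> Result<(), AuthError> {
    check_access_pass(pass, user, payer)
}

/// DeleteUser: same pass rule, plus the payer must be the owner or match the
/// pass's `user_payer`. A stranger holding some other pass is rejected.
pub fn authorize_delete(pass: &AccessPass, user: &User, payer: &Pubkey) -> Result<(), AuthError> {
    check_access_pass(pass, user, payer)?;
    if *payer == user.owner || *payer == pass.user_payer {
        Ok(())
    } else {
        Err(AuthError::Unauthorized)
    }
}

/// RemoveMulticastGroupSubAllowlist: group authority or feed authority.
pub fn authorize_allowlist_removal(group: &MulticastGroup, signer: &Pubkey) -> Result<(), AuthError> {
    if *signer == group.authority || *signer == group.feed_authority {
        Ok(())
    } else {
        Err(AuthError::Unauthorized)
    }
}

/// SDK-side lookup order from the summary (DeleteUserCommand): try the payer's
/// pass first, fall back to the owner's.
pub fn resolve_access_pass<'a>(
    passes: &'a HashMap<Pubkey, AccessPass>,
    user: &User,
    payer: &Pubkey,
) -> Result<&'a AccessPass, AuthError> {
    passes
        .get(payer)
        .or_else(|| passes.get(&user.owner))
        .ok_or(AuthError::NoAccessPass)
}

/// Constructed test key (not a real address): a byte array filled with `tag`.
pub fn key(tag: u8) -> Pubkey {
    [tag; 32]
}

fn main() {
    let (owner, oracle, stranger) = (key(1), key(2), key(3));
    let user = User { owner };
    // Constructed scenario: the oracle paid to create the user, so the owner's
    // pass records it as user_payer; the stranger's pass was paid for by key(4).
    let owner_pass = AccessPass { holder: owner, user_payer: oracle };
    let stranger_pass = AccessPass { holder: stranger, user_payer: key(4) };
    println!("user_payer deletes: {:?}", authorize_delete(&owner_pass, &user, &oracle));
    println!("stranger deletes:   {:?}", authorize_delete(&stranger_pass, &user, &stranger));
}
```

The model separates the pass-ownership rule (`check_access_pass`) from the per-instruction rule so that the widened acceptance introduced by this PR is visible in one place; the reviewer's alternative of putting the oracle's authority on the multicast group instead would replace `authorize_subscribe` with a check shaped like `authorize_allowlist_removal`.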