Closed singulart closed 2 years ago
Alternative flow:
Discord ID
tokens to bot address
.AccountId
.X
tokens to bot address
(X = random number).Attacker would need to (A) forge and intercept direct discord message + (B) issue transaction with someone's key which both together are unlikely unless credentials are compromised anyway. In case attacker responds to public transaction in (1) and claims (2), (3) is impossible without obtaining key or convincing rightful owner to send requested amount of tokens to bot address.
AccountId
and compare amount to msg.author.tag
.AccountId
, blacklist after n wrong transactions or push commit.Estimated effort: 5..10h
Alternative:
Discord ID
-- identity is proven through this threadverified
tag or something like it to the userThis removes all transfers, bot commands and other things and the claim is stored and is public because its on the forum already.
This also removes many components of Discord from the concept, since the bot is effectively just using the forum thread.
Downsides:
@mochet what prevents me from claiming tomato#9464 Discord user on Forum?
@traumschule Couple of questions re: the alternative suggested. Firstly, was it proposed because it's more secure than the original proposal? Secondly, I don't think 5..10h estimate is realistic.. Could you may be break it down like I did? I feel like "pubilc ledger" of the mappings is a good idea, by the way. But efforts-wise, implementing a Git integration is no smaller than a Postgres integration. Thanks for your feedback anyway!
Nothing, but it seems like it would be easier to do the verificatoin aspect on Discord. This way we're removing transactions from something a user has to fully understand before they can participate.
My proposal doesn't imply any additional on-chain transactions. The key aspect of it from the users' perspective is to sign the data (a string) using the Pioneer's Sign tab, which is relatively straightforward thing to do.
My proposal doesn't imply any additional on-chain transactions. The key aspect of it from the users' perspective is to sign the data (a string) using the Pioneer's Sign tab, which is relatively straightforward thing to do.
So the new versoin of Pioneer doesn't include the signing thing AFAIK. In any case, signing stuff (in my opinion) is a more complex thing for very new users to learn.
I believe there will still be a copy of the old Pioneer where they could sign stuff, but I think it would be better to design this in a way that removes as many terms and complexity as possible.
For example, some users may primarily be video makers using Atlas and only the forums and using the Polkadot wallet. I think asking them to learn the signing part may be throwing too much at them (baring in mind the already highly complex nature of Joystream and the governance system).
I am working on an early stage initiative to identify the language that is used for each level of user and trying to minimize what the most basic/new users will encounter, which is why I think using signing is less desirable in the long term. Basically to make the initial education and participation elements really as simple as possible.
Another way to look at it: posting a forum message is basically signing it.
So the Discord bot could just generate a random string/numbers that the user could also post on the forum to verify.
This removes the entire "signing" aspect.
So rather than explain the whole concept of what signing is and having to tell users how to use the signing tool which is quite technically complex, we could maybe reduce it to just "post on the forum" which is practically general knowledge for people.
Another way to look at it: posting a forum message is basically signing it.
So the Discord bot could just generate a random string/numbers that the user could also post on the forum to verify.
This removes the entire "signing" aspect.
So rather than explain the whole concept of what signing is and having to tell users how to use the signing tool which is quite technically complex, we could maybe reduce it to just "post on the forum" which is practically general knowledge for people.
Love the idea with posting on forum, but again, this brings the question of how scalable this approach is. (Imagine thousands of users doing this.)
Another way to look at it: posting a forum message is basically signing it. So the Discord bot could just generate a random string/numbers that the user could also post on the forum to verify. This removes the entire "signing" aspect. So rather than explain the whole concept of what signing is and having to tell users how to use the signing tool which is quite technically complex, we could maybe reduce it to just "post on the forum" which is practically general knowledge for people.
Love the idea with posting on forum, but again, this brings the question of how scalable this approach is. (Imagine thousands of users doing this.)
The forum can scale quite significantly actually. It works very differently to the old one. But in any case if/when we hit scaling issues, then we may just need to custom design an approach for something like this.
I personally don't think Discord itself can scale to that many users beyond just being a notification/information tool. So whether or not 10k users really need to verify Discord accounts, I don't know what the value of that is in the long term (Discord may change)
@mochet Can you sketch out the flow involving posting on forum? It's not clear to me how you envision the Discord side of it.
One approach to identifying a Discord identity using a wallet is described here: https://portto.com/blocto-crypto-blog/discord-blocto-guild/
@mochet Can you sketch out the flow involving posting on forum? It's not clear to me how you envision the Discord side of it.
unverified
verified
Still waiting for feedback from @mochet on the proposed flow. Unclear way forward in terms of Story Points estimate. FYI @bwhm @dmtrjsg
Still waiting for feedback from @mochet on the proposed flow. Unclear way forward in terms of Story Points estimate. FYI @bwhm @dmtrjsg
I was going to ask about this to bedeho but it was already bought up here: https://github.com/Joystream/pioneer/issues/1977 (and on Discord more recently: https://discord.com/channels/811216481340751934/813361923172335648/968133015370879036)
In short, there will be profile fields added to Pioneer at some point. I had already searched through the runtime/QN code to see how custom fields could be added but couldn't find an answer.
I guess then its a question of whether to wait for this feature?
Current state of affairs
It is evident that the current state of things is not ideal on many levels and needs improvements. Therefore, we propose the following novel functionality to be built for the Joystream Discord:
Proposed added value
What this means technically
A breakdown of the flow steps
/claim <joystream membership handle> <joystream wallet address>
/solve <signed challenge>
In cases of any error situation, a user is supposed to receive an easy to understand plain text explanation.
Additionally, the system would run scheduled periodic checks to find out which Joystream DAO roles does a particular verified user have: Council Member, Workgroup worker, Workgroup Lead, and so on. This feature gives an opportunity to assign additional custom server roles based on Joystream on-chain roles. These Discord roles may or may not bear specialised server permissions. But, at the very minimum, they would serve as visual indicators of Joystream DAO roles inside Discord, so that newcomers get a perfect impression of the variety of opportunities within Joystream.
Budget breakdown
/claim
command - 4h/solve
command - 4hTotal: 25h