In addition to messages to be signed by the API, the API also accepts signed (raw) blockchain transactions containing a Whiteflag message.
Rationale
This makes it possible to send messages without the API having the private key (e.g. the application has the private key and signs the transaction). The API can still do the encoding and encryption on the /messages/encode endpoint before the encoded message is included in the transaction by the application.
Solution
Specification
Raw transactions should be sent by a POST on the /blockchains/{blockchain}/transactions/send endpoint. The request body should contain a JSON formatted raw transaction i.a.w. the specification for the specific blockchain.
Affected components
Probably the operations/blockchains.js and each blockchain-specific module in blockchains/ are affected.
Alternatives
Alternatively, do not implement this feature, requiring all messages to be signed by the API.
This issue triggers the discussion whether we should push the API beyond being "just" an MVP implementation for protocol evaluation which was not intended for production environments.
Description
In addition to messages to be signed by the API, the API also accepts signed (raw) blockchain transactions containing a Whiteflag message.
Rationale
This makes it possible to send messages without the API having the private key (e.g. the application has the private key and signs the transaction). The API can still do the encoding and encryption on the
/messages/encode
endpoint before the encoded message is included in the transaction by the application.Solution
Specification
Raw transactions should be sent by a POST on the
/blockchains/{blockchain}/transactions/send
endpoint. The request body should contain a JSON formatted raw transaction i.a.w. the specification for the specific blockchain.Affected components
Probably the
operations/blockchains.js
and each blockchain-specific module inblockchains/
are affected.Alternatives
Alternatively, do not implement this feature, requiring all messages to be signed by the API.