Address Giveaway Enhancement

[pawmmm]

Abstract

This enhancement adds the following functionality:

• Adds CAPTCHA when price of FIO Address is 0
• Add limits on how many FIO Addresses can be registered on each domain
• Supports custom authorizations

Motivation

The Foundation has been allocated 125M FIO tokens at Mainnet to be spent on FIO Address registrations. In fact these tokens are locked and can only be spent on fees.

The Foundation has already funded the development of the Registration Site to enable integrating wallets to easily accommodate FIO Address registration.

The proposal recommends additional functionality be added to the Registration Site to enable Address Giveaways:

• CAPTCHA and limits will limit abuse.
• Custom authorizations are required to use existing Foundation Address Giveaway accounts as those accounts are controlled via msig and transfer is prohibited, and will also allow the Registration site to register FIO Addresses on private domains, if proper permissions are granted.

Specification

Add CAPTCHA

Add Google Invisible reCAPTCHA v2 to registration site when price of FIO Address is set to 0.

Add FIO Address registration limits

Each domain being added to wallet profile in Admin interface should have a limit of addresses which can be registered on that domain. Once that limit is reached, an error message should be shown to the user when checking availability of FIO Address: "FIO Address registrations no longer available for that domain."

It should be possible to specify unlimited, e.g. by leaving the field blank.

This limit only tracks registrations on that domain via the registration site and on the specific wallet profile. The same domain may exist on another wallet profile and may have different limits.

A counter of registrations completed for each domain via the specific wallet profile should be shown next to each domain.

Registrations via Admin, e.g. via Retry should not enforce these limits, but should be included in count.

Support custom authorizations

The wallet profile in Admin should be extended to optionally include:

• actor
• permission

If specified, it will be used in the authorization node (actor, permission) as well as data node (actor). Example:

{
    "account": "fio.address",
    "name": "regaddress",
    "authorization": [{
            "actor": "actor_from_wallet_profile",
            "permission": "permission_from_wallet_profile"
        }
    ],
    "data": {
        "fio_address": "bob@domain",
        "owner_fio_public_key": "FIO69UqrQQg5BBneqj723i7esZT4fbp6sH2rabo6bRyHTpoyuDiSu",
        "max_fee": 40000000000,
        "tpid": "",
        "actor": "actor_from_wallet_profile"
    }
}

The request will still be signed by the master private key.

If custom authorizations are not specified, the actor/permission should be used as it is today.

[lukestokes]

GeeTest_CAPTCHA_Product_Brochure.pdf

I think a Slide Catpcha like this is the way to go. Most exchanges seem to use it, it comes with multiple languages, and won't be blocked in China which is important. I don't know how much they charge, but I am looking into it.

https://www.geetest.com/en/Solution

Serving 290,000+ enterprises worldwide,

More about the right up here: https://cryptobriefing.com/captcha-binance-jigsaw-defeat-scammers/

I've registered with them to get a test account going. I haven't seen pricing on the website yet, but I see this from Googling around:

GeeTest CAPTCHA Pricing Overview GeeTest CAPTCHA pricing starts at $100.00 per month.There is a free version.GeeTest CAPTCHA offers a free trial.

[jcalfee]

Off to a good start. It appears that the captcha code is self-hosted and has server components to install, so adds to security and privacy:

<script src="gt.js"></script>

Installation

I like this, they proxy through the server to get / check the challenge. Very private, non-invasive..

https://github.com/GeeTeam/gt3-node-sdk/blob/master/gt-sdk.js

Just check things like this, and see how it works if we don't submit an IP address. It looks like they are expecting that, they put 'unknown' in ip_address: data.ip_address || 'unknown' https://github.com/GeeTeam/gt3-node-sdk/blob/master/gt-sdk.js#L69

It might be worth it to seed randint with a little secure random data too.. Math.random is deterministic unless it is seeded properly.

[jcalfee]

Looks like gt.js has their API server and is connecting from the client. I'm not sure if this will work securely and privately or not..

https://github.com/GeeTeam/gt3-node-sdk/blob/master/demo/static/libs/gt.js#L37

I'll just ask about this: https://github.com/GeeTeam/gt3-node-sdk/issues/9

[jcalfee]

For database changes see: https://github.com/fioprotocol/fio-registrations/issues/15

[lukestokes]

Going to close this out as I think the main issues have been resolved now.