Closed tomholford closed 2 years ago
Per out of band conversations with @Fang-, @nerveharp, and @jyng, we've come up with an approach with significantly better UX. Instead of providing the option to the user upon Login, instead at the time of keyfile generation, we will derive tokens using both sha256 and keccak256 and see if either matches the on-chain keys.
Context
See the recent comments in #549 for details, but in short:
This commit introduced a discrepancy between how auth tokens are generated between custodial and non-custodial wallets. Specifically, per the docs for
personal_sign
,keccak256
is used by Ethereum Providers to sign a message.When I first joined the Bridge project and had little insight into how things worked, I instead used the subtly different
sha256
for the default auth token case (i.e, for master tickets and mnemonics). As such, for roughly the past 6 months, any actions performed in Bridge (generating invites, setting keys, etc) using these login methods were with a logically incorrect auth token.Changes
This resolves #549 by:
keccak256
for default auth token derivationsha256
instead ofkeccak256
to allow users to re-derive deterministic keysPreview
Legacy Toggle
When Keyfile is Unavailable
Info Modal
Testing
Confirmed using the dev mnemonic on Ropsten.