Support linking multiple auth principals to an OC account (#5852)

open-chat-labs · Jul 12, 2024 · 0ccabef · 0ccabef
1 parent c39d6e8
commit 0ccabef
Show file tree

Hide file tree

Showing 28 changed files with 662 additions and 21 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -181,9 +181,11 @@ hex = "0.4.3"
 hmac-sha256 = { version = "1.1.7", features = ["traits010"] }
 ic-agent = "0.35.0"
 ic-captcha = "1.0.0"
+ic-cbor = "2.5.0"
 ic-cdk = "0.14.0"
 ic-cdk-macros = "0.14.0"
 ic-cdk-timers = "0.8.0"
+ic-certificate-verification = "2.4.0"
 ic-certification = "2.5.0"
 ic-ledger-types = "0.11.0"
 ic-stable-structures = "0.6.4"

diff --git a/backend/canisters/identity/CHANGELOG.md b/backend/canisters/identity/CHANGELOG.md
@@ -9,6 +9,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Added
 
 - Sync userIds to Identity canister ([#6027](https://github.com/open-chat-labs/open-chat/pull/6027))
+- Support linking multiple auth principals to an OC account ([#5852](https://github.com/open-chat-labs/open-chat/pull/5852))
 
 ## [[2.0.1209](https://github.com/open-chat-labs/open-chat/releases/tag/v2.0.1209-identity)] - 2024-06-20
 

diff --git a/backend/canisters/identity/api/can.did b/backend/canisters/identity/api/can.did
@@ -34,6 +34,21 @@ type GenerateChallengeResponse = variant {
     Throttled;
 };
 
+type ApproveIdentityLinkArgs = record {
+    delegation : SignedDelegation;
+    public_key : blob;
+    link_initiated_by : principal;
+};
+
+type ApproveIdentityLinkResponse = variant {
+    Success;
+    CallerNotRecognised;
+    LinkRequestNotFound;
+    MalformedSignature : text;
+    InvalidSignature;
+    DelegationTooOld;
+};
+
 type CreateIdentityArgs = record {
     public_key : PublicKey;
     session_key : PublicKey;
@@ -52,6 +67,18 @@ type CreateIdentityResponse = variant {
     ChallengeFailed;
 };
 
+type InitiateIdentityLinkArgs = record {
+    public_key : blob;
+    link_to_principal : principal;
+};
+
+type InitiateIdentityLinkResponse = variant {
+    Success;
+    AlreadyRegistered;
+    TargetUserNotFound;
+    PublicKeyInvalid : text;
+};
+
 type PrepareDelegationArgs = record {
     session_key : PublicKey;
     max_time_to_live : opt Nanoseconds;
@@ -70,7 +97,9 @@ type PrepareDelegationSuccess = record {
 service : {
     check_auth_principal : (record {}) -> (CheckAuthPrincipalResponse) query;
     get_delegation : (GetDelegationArgs) -> (GetDelegationResponse) query;
-    generate_challenge : (record {}) -> (GenerateChallengeResponse);
+    approve_identity_link : (ApproveIdentityLinkArgs) -> (ApproveIdentityLinkResponse);
     create_identity : (CreateIdentityArgs) -> (CreateIdentityResponse);
+    generate_challenge : (record {}) -> (GenerateChallengeResponse);
+    initiate_identity_link : (InitiateIdentityLinkArgs) -> (InitiateIdentityLinkResponse);
     prepare_delegation : (PrepareDelegationArgs) -> (PrepareDelegationResponse);
 }
diff --git a/backend/canisters/identity/api/src/lifecycle/init.rs b/backend/canisters/identity/api/src/lifecycle/init.rs
@@ -8,6 +8,7 @@ pub struct Args {
     pub user_index_canister_id: CanisterId,
     pub cycles_dispenser_canister_id: CanisterId,
     pub skip_captcha_whitelist: Vec<CanisterId>,
+    pub ic_root_key: Vec<u8>,
     pub wasm_version: BuildVersion,
     pub test_mode: bool,
 }
diff --git a/backend/canisters/identity/api/src/main.rs b/backend/canisters/identity/api/src/main.rs
@@ -4,8 +4,10 @@ fn main() {
     generate_candid_method!(identity, check_auth_principal, query);
     generate_candid_method!(identity, get_delegation, query);
 
+    generate_candid_method!(identity, approve_identity_link, update);
     generate_candid_method!(identity, create_identity, update);
     generate_candid_method!(identity, generate_challenge, update);
+    generate_candid_method!(identity, initiate_identity_link, update);
     generate_candid_method!(identity, prepare_delegation, update);
 
     candid::export_service!();

diff --git a/backend/canisters/identity/api/src/updates/approve_identity_link.rs b/backend/canisters/identity/api/src/updates/approve_identity_link.rs
@@ -0,0 +1,21 @@
+use crate::SignedDelegation;
+use candid::{CandidType, Deserialize, Principal};
+use serde::Serialize;
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub struct Args {
+    pub delegation: SignedDelegation,
+    #[serde(with = "serde_bytes")]
+    pub public_key: Vec<u8>,
+    pub link_initiated_by: Principal,
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub enum Response {
+    Success,
+    CallerNotRecognised,
+    LinkRequestNotFound,
+    MalformedSignature(String),
+    InvalidSignature,
+    DelegationTooOld,
+}
diff --git a/backend/canisters/identity/api/src/updates/initiate_identity_link.rs b/backend/canisters/identity/api/src/updates/initiate_identity_link.rs
@@ -0,0 +1,17 @@
+use candid::{CandidType, Deserialize, Principal};
+use serde::Serialize;
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub struct Args {
+    #[serde(with = "serde_bytes")]
+    pub public_key: Vec<u8>,
+    pub link_to_principal: Principal,
+}
+
+#[derive(CandidType, Serialize, Deserialize, Debug)]
+pub enum Response {
+    Success,
+    AlreadyRegistered,
+    TargetUserNotFound,
+    PublicKeyInvalid(String),
+}
diff --git a/backend/canisters/identity/api/src/updates/mod.rs b/backend/canisters/identity/api/src/updates/mod.rs
@@ -1,4 +1,6 @@
+pub mod approve_identity_link;
 pub mod c2c_set_user_ids;
 pub mod create_identity;
 pub mod generate_challenge;
+pub mod initiate_identity_link;
 pub mod prepare_delegation;
diff --git a/backend/canisters/identity/impl/Cargo.toml b/backend/canisters/identity/impl/Cargo.toml
@@ -18,8 +18,10 @@ canister_state_macros = { path = "../../../libraries/canister_state_macros" }
 canister_tracing_macros = { path = "../../../libraries/canister_tracing_macros" }
 http_request = { path = "../../../libraries/http_request" }
 ic-captcha = { workspace = true }
+ic-cbor = { workspace = true }
 ic-cdk = { workspace = true }
 ic-cdk-timers = { workspace = true }
+ic-certificate-verification = { workspace = true }
 ic-certification = { workspace = true }
 ic-stable-structures = { workspace = true }
 identity_canister = { path = "../api" }