Add window.ipfs.enable(opts) (Bulk Permission Prompt) #619
Conversation
ghost
assigned This simply changes the flow and API for getting IPFS proxy instance, does not implement UX nor decrease the size of injected content script.
lidel
force-pushed
the
feat/window.ipfs-2.0
branch
from
f755c5e
to
4e6f65d
Compare
This change adds async `enable` function that takes optional list of commands
to grant access to via user prompt.
The goal is to move away from synchronous way of accessing API instance
and provide UX incentive to use `window.ipfs.enable` instead.
When called without any arguments, command will just return API instance
equal to the old `window.ipfs` or throw an error if IPFS Proxy is
disabled in Preferences.
When called with options object `{ commands: ['id','peers'] }`
access rights for specified commands will be validated:
- if any of the commands is denied or blocked, function will throw
- if any of the commands require user approval, user will be presented
with a single prompt dialog that lists all requested permissions and URL
that requests them
- if user approves, ACLs are saved and future calls will not trigger
prompt
- if user denies, ACLs are saved and an error is thrown for current
and all future executions (unless user removed scope from blacklist)
TODO (to be addressed in future commits)
- add deprecation warning to API calls executed on `window.ipfs`
- improve UX of permission dialog
- add ability to return `ipfsx` version fo the API
- disable `window.ipfs` injection via manifest in Chromium
- stop exposing methods on `window.ipfs`
- minimize the size of content script responsible for `window.ipfs`
- lazy-init IPFS Proxy client on first call to `window.ipfs.enable()`
lidel
force-pushed
the
feat/window.ipfs-2.0
branch
2 times, most recently
from
8c700c0
to
8b08439
Compare
- also switch to terser-webpack-plugin
lidel
force-pushed
the
feat/window.ipfs-2.0
branch
from
8b08439
to
fb27d28
Compare
lidel
changed the title
lidel
changed the title
acl and api looked too similar and made code hard to follow, ipfs api core uses 'command' term to identify each endpoint so we follow that practice here
To avoid breaking changes we should deprecate old error codes first. This commit: - restores `permission` attribute and adds a deprecation warning when it is accessed. - adds error `code` to simplify error handling and alight convention with js-ipfs - updates docs
This adds an opt-in ipfsx experiment.
In short, if `experiments:{ipfsx:true}` is passed `window.ipfs.enable`
will return IPFS API instance wrapped in ipfsx prototype from
https://github.com/ipfs-shipyard/ipfsx
```
let ipfs = await window.ipfs.enable({
commands: ['add','files.addPullStream'],
experiments: { ipfsx: true }
})
```
lidel
force-pushed
the
feat/window.ipfs-2.0
branch
from
b464b9f
to
b633eb4
Compare
| await require('postmsg-rpc').call('proxy.enable', opts) | ||
| // Additional client-side features | ||
| if (opts && opts.experiments) { | ||
| if (opts.experiments.ipfsx) { |
There was a problem hiding this comment.
The idea is to enable opt-in experiments such as ipfsx which is used as an example:
let ipfsx = await window.ipfs.enable({
commands: ['add','files.addPullStream'],
experiments: { ipfsx: true }
})
I go for "deprecate old use for 3 months and then remove support for old ways" and use something like https://www.npmjs.com/package/deprecate to help communicate it to developers. Perhaps we could search github for projects using it and open an issue for them?
What would be the reason for this change? |
|
Good points for keeping
My thinking was around enabling "privacy by default", where dapps have no access to IPFS node unless user granted access. Rationale:
|
Presumably you'd need permission to add something first to become a provider for that content? ...I appreciate that isn't the point and that there will be other ways to exploit things like this that we haven't considered. I also think this will encourage people to swtich to using |
This change means no command can be run without explicit approval from the user. Rationale can be found in #619 (comment)
This change means no command can be run without explicit approval from the user. Rationale can be found in #619 (comment)
lidel
force-pushed
the
feat/window.ipfs-2.0
branch
from
18c98b7
to
756b177
Compare
|
Thanks, I've added deprecation warning to Does the text look ok?
Yeah, someone else could pre-generate unique CIDs and just request them and see who is the second provider. Anyway, I removed ACL whitelist and updated docs in 756b177. I'd like to ship it to Beta this week to start the clock ticking and continue in separate PR – any final feedback before we merge this? |
|
Continued in #589 |
This PR adds
await window.ipfs.enable(opts)as the new way of obtaining IPFS API Proxy object. When provided with a list of commands it will request access rights in bulk and return a promise with IPFS API instance or throw an error (details below).The goal is to move away from synchronous way of accessing API instance and provide UX incentive for developers to use
window.ipfs.enableinstead of old API.This change is backward compatible, old API remains to be exposed on
window.ipfsfor the time being.ACL Management
When called without any arguments, command will just return API instance equal to the old
window.ipfsor throw an error if IPFS Proxy is disabled in Preferences.When called with options object (eg.
{ commands: ['id','peers'] }) ACLs for specified commands will be validated:with a single prompt dialog that lists all requested permissions and URL
that requests them
prompt
and all future executions (unless user removed scope from blacklist)
To keep change set small I'd like to merge this as-is and work on "Future TODOs" (below) in separate PRs.
Tasks
window.ipfs.enable.enable()(no parms) and keep no-dialog for things likeipfs.cator display no initial dialog but prompt every api insteadwindow.ipfs.enable({commands: ['id','version'] })experimentsawait window.ipfs.enable({ experiments: { ipfsx: true } })will returnipfsxversion of the APIwindow.ipfsOpen Questions
window.ipfsProxy.enable? (to avoid breaking websites that manually detectwindow.ipfsand executewindow.ipfs.<command>) or is it enough to deprecate old use for 3 months and then remove support for old ways?window.ipfs.enableshould we require permission from user for all commands? (remove acl-whitelist for things likedag.get?)Future TODOs (separate PRs)
window.ipfsinjection via manifest in Chromiumwindow.ipfs.enablewe should revisitwindow.ipfsinjection via manifest in Chromiumwindow.ipfs.enablewe should revisitwindow.ipfswindow.ipfswindow.ipfs.enable()