24/7 access to profile data


#1

Hey there,

I am trying to create a service which should have access to a certain section of the user’s profile, even when the user is not logged in. This section is created by my app and user granted me access. Now I need the following scenario:

  1. The user has full control over his data
  2. My service should read this data once per day (without the user logged in)
  3. My service should be fully transparent and guarantee I do not store the user data anyhow. I just have permission to read it from profile and user can deny access at any moment.

Is this possible? what to read? As I understood, the access to profile is granted through the private key which is then stored in app domain and should not be sent to any service as this could violate the security.


#2

The user’s public profile is always available. Use lookupProfile in blockstack.js https://blockstack.github.io/blockstack.js/#lookupprofile

If you need to store private profile data, do so in app storage. It’s saved wherever the user has chosen to store their data.


#3

Thanks! But this is not actually what I am looking for…I have found the solution, but not sure how to implement it as it looks like there is no API to do that: I need an API to create shared ownership on user’s Profile Section,e.g. user grants another Blockstack user (me) and access to read/write the section in his profile. This is implemented in Graphit app, but the approach is not quite elegant, as I need to create an intermediate file where I need to list the all users with access and if I change something in profile, it goes to that intermediate one, check who else has the access and do the changes in their Profiles.

This is the discussion for correct API: https://forum.blockstack.org/t/multiplayer-access-sharing-with-the-public-vs-just-trusted-users/4225/8

And looks like it is still not implemented


#4

We do not plan to let apps have arbitrary write privilege to a user’s profile.json file. This is not meant to be used by apps - it’s only meant to be a ‘top-level’ file of your profile and gaia-related data.

If I’m understanding you correctly, you want to be able to share certain data with only a certain set of users. This is entirely possible without having write access to the profile file. You could look into radiks, which does this for you in an easier way. Or, you could do this on your own using just blockstack.js. We don’t have good tutorials or docs for doing this with just blockstack.js, but this is a need that we recognize and were just discussing in our open engineering meeting this morning.


#5

Thank you for your answer. As a high level scenario, I would like to have following concept: I, as a business, want to write certain data to user’s profile which could be accessed by user and by my business only. As a security model, user can read what i wrote and i can write and read. My app is going to create a very sensitive information which i thought decentralized blockstack profile could store,e.g. the DB that is owned by user with privilege access to my app. I will investigate radiks and in general, i have a solution but I am continue looking/asking for a better one:)


#6

It seems like what you’re looking for could be done just as well with a user’s “app data”, as opposed to their actual profile.json file. You can definitely do what you want to do with the standard approach for storing data in Gaia, you would just need to use shared encryption keys so that only the user and your backend can see the data.