I’m considering using blockstack to build a (p2p) dApp. More specifically, I’m building a discussion dApp where users might comment on several topics, in real-time. I have a few questions though:
How can I fetch a user’s DID document?
It seems that blockstack is DID compliant, but there’s not much information on that. How can I retrieve the DID document of a user?
How can I sign an arbitrary payload?
Users will need to sign comments so that they can be seen as authentic. Ideally, Bob should be able to verify Alice’s comment like so:
- Bob sees Alice’s comment, which contains her DID, the public key, the comment signature and the comment text
- Bob verifies the signature of the comment
- Bob fetches Alice’s DID document and checks if the public key is listed in the DDO
- Bob may further analyze Alice’s social claims & proofs, like her Twitter and Facebook accounts.
- If everything looks good, Bob is 100% sure that the comment was made by the real Alice.
Looking into the JS library documentation, it’s unclear how a dApp can request to sign an arbitrary payload, like a comment. There’s an `appPrivateKey` that can be used to sign, but how does one know that it’s associated with the real user?
Does blockstack-js work for a dApp being developed as a browser extension?
Besides a regular website, the dApp I’m developing will be available as an installable Chrome extension. I’ve not tested it yet, but it seems that the redirect on the authentication flow will be a problem, unless I’m able to register a protocol handler within an extension. Any ideas?
Update: I’ve made some tests and indeed blockstack doesn’t work well inside an extension for 2 reasons:
- Tries to do `window.location = 'blockstack:xxx'`, which fails in extensions
- Even if the previous point was somehow fixed, chrome extensions do not have a regular “origin/domain”
Update 2: Even using an inject code approach, there’s another issue related to CORS and manifest.json, see: https://github.com/ipfs-shipyard/discussify/issues/3#issuecomment-400679073. Shouldn’t fetching errors of manifest.json files be handled gracefully?
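
The verification steps listed in the question (check the signature, then check that the key is listed in the DID document), as an added example that is not part of the original post and does not use Blockstack's API. It relies on Node's built-in crypto; the DID, the in-memory `didDocuments` resolver and the `publicKeyHex` layout are constructed assumptions.

```javascript
const nodeCrypto = require("node:crypto");

// Constructed sample data: Alice's key pair and a minimal DID document.
const alice = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "secp256k1" });
const pubHex = (key) => key.export({ type: "spki", format: "der" }).toString("hex");

const ALICE_DID = "did:example:alice"; // placeholder DID, not a real identifier
// Stand-in for DID resolution (assumption): a real client fetches the document.
const didDocuments = new Map([
  [ALICE_DID, {
    id: ALICE_DID,
    publicKey: [{ id: ALICE_DID + "#key-1", publicKeyHex: pubHex(alice.publicKey) }],
  }],
]);

// Sign DID and text together so neither can be swapped after signing.
const signingInput = (did, text) => Buffer.from(JSON.stringify([did, text]), "utf8");

function signComment(did, text, privateKey) {
  const signature = nodeCrypto.sign("sha256", signingInput(did, text), privateKey);
  const publicKey = pubHex(nodeCrypto.createPublicKey(privateKey));
  return { did, text, publicKey, signature: signature.toString("hex") };
}

function verifyComment(comment) {
  // Step 1: the signature must verify under the key carried in the comment.
  let key;
  try {
    const der = Buffer.from(comment.publicKey, "hex");
    key = nodeCrypto.createPublicKey({ key: der, format: "der", type: "spki" });
  } catch {
    return "bad-key";
  }
  const sig = Buffer.from(comment.signature, "hex");
  const input = signingInput(comment.did, comment.text);
  if (!nodeCrypto.verify("sha256", input, key, sig)) return "bad-signature";
  // Step 2: that key is only self-asserted until the DID document lists it.
  const doc = didDocuments.get(comment.did);
  if (!doc) return "unknown-did";
  const listed = doc.publicKey.some((k) => k.publicKeyHex === comment.publicKey);
  return listed ? "valid" : "key-not-in-did-document";
}

// A comment signed by someone else under Alice's DID passes step 1 but not step 2.
const other = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "secp256k1" });
console.log(verifyComment(signComment(ALICE_DID, "hi", alice.privateKey)));
console.log(verifyComment(signComment(ALICE_DID, "hi", other.privateKey)));
```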