Got a few questions - considering using blockstack


#1

Hello everyone.

I’m considering using blockstack to build a (p2p) dApp. More specifically, I’m building a dicussion dApp where users might comment on several topics, in real-time. I have a few questions though:

How can I fetch users DID document?

It seems that blockstack is DID compliant, but there’s not many information on that. How can I retrieve the DID document of a user?

How can I sign arbitrary payload?

Users will need to sign comments so that they can be seen as authentic. Ideally, Bob should be able to verify Alice’s comment like so:

  1. Bob sees Alice’s comment, which contains her DID, the public key, the comment signature and the comment text
  2. Bob verifies the signature of the comment
  3. Bob fetches Alice’s DID document and checks if the public key is listed in the DDO publicKey field.
  4. Bob may further analyze Alice’s social claims & proofs, like her twitter and facebook account.
  5. If everything looks good, Bob is 100% sure that the comment was made by the real Alice.

Looking into the JS library documentation, it’s unclear how a dApp can request to sign arbitrary payload, like a comment. There’s a appPrivateKey that can be used to sign, but how does one know that it’s associated with the real user?

Does blockstack-js works for a dApp being developed as a browser extension?

Besides a regular website, the dApp I’m developing will be available as an installable Chrome extension. I’ve not tested it yet, but it seems that the redirect on the authentication flow will be a problem, unless I’m able to register a protocol handler within an extension. Any ideas?

Update: I’ve made some tests and indeed blockstack doesn’t work well inside an extension for 2 reasons:

  • Tries to do window.location = 'blockstack:xxx' which fails in extensions
  • Even if the previous point was somehow fixed, chrome extensions do not have a regular “origin/domain”

Here’s a video: https://user-images.githubusercontent.com/1017236/41974893-1f71883a-7a11-11e8-9fb6-863778041d53.gif

Update 2: Even using a inject code approach, there’s another issue related with CORS and manifest.json, see: https://github.com/ipfs-shipyard/discussify/issues/3#issuecomment-400679073. Shouldn’t fetching errors of manifest.json files be handled gracefully?

Thanks!


#2

I am a new user of the Blockstack and bought a username. Actually, I am not able to see my username on the dashboard. I have also asked Apple iPhone Support and wanted to know about this. so is there any solution to fix it?


#3

Hi @andrecruz ! I’m sorry to leave this unanswered so long - working through email and forum backlogs!

I haven’t ever actually done this, but I think you can use the decentralized identity foundation’s universal resolver: https://github.com/decentralized-identity/universal-resolver/tree/master/implementations/java/driver-did-stack/src/main/java/uniresolver/driver/did/stack

I can see how this would be a problem. I opened an issue for this: https://github.com/blockstack/blockstack.js/issues/518

One possible work around is to use makeAuthRequest to generate the authentication token and then redirect to a website with an endpoint you create that then calls redirectToSignInWithAuthRequest

That’s a good question. We don’t have a mechanism for that.

We would need to add support for that to the authentication flow. An app could request signing ability and we could publish the public key of the app private key along with a signed statement indicating ownership of it to the profile file.

@aaron and @yukan will probably have additional thoughts on this.


#4

We sort of have a mechanism for this. For multi-player applications, we associate the app key with the user using the “apps” property in the user’s profile, which contains the Base58-check encoding of the hash of the app public key (i.e., the bitcoin address corresponding to the app public key). This is used by the sign and verify modes in blockstack.js's storage in the case of multi-player reads.


#5

I can confirm, the universal resolver works. I’ve used it a few times now.

Also, it looks like with blockstack.js v18.0.3 the did-compliant address is returned with loadUserData ().