
Tony D’Addeo

@deodad

646 Following
9363 Followers


Tony D’Addeo
@deodad
the bad situation is something like:
- user logs into Warpcast on a public computer
- user opens a Mini App and logs into it
- user logs out of Warpcast but leaves browser tab open
- malicious user inspects browser state directly to extract a credential and makes requests directly to server
unlikely, and something like a 15 minute expiration on the JWT would be another layer of mitigation
0 reply
0 recast
0 reaction

Tony D’Addeo
@deodad
something we might do is use this credentialless flag in the future on the iframe so that sessionStorage / each session is forced to be incognito https://developer.mozilla.org/en-US/docs/Web/Security/IFrame_credentialless
0 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
yup that'd work, not completely totally perfect since the unconscious assumption of a user would be "if I log out of Warpcast I'd also be logged out of the Mini Apps", and technically there'd be some authed state lying around, but in practice having your client code ignore this / start a new session is sufficient for the time being / the majority of use cases
1 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
see this for a similar explanation https://miniapps.farcaster.xyz/docs/guides/auth
0 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
just looked over the template—this is really nice! callout on storing the jwt in sessionStorage: if a user signs out of Warpcast and signs back in as another user they could still be logged into the Mini App as the previous user. it looks like you automatically sign in on each mini app load, which is great / the recommended approach, so this will overwrite the previous session. a security improvement would be to store the jwt in memory instead of session storage so it gets flushed when the app is closed. the UX on web will suck for now but in < 1 month we should have silent and seamless SIWF everywhere, and so getting a fresh session on each mini app load will still give excellent UX
2 replies
0 recast
1 reaction

Tony D’Addeo
@deodad
thanks for the great bug report with repro steps and video, looking into this
0 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
maybe end of week
0 reply
0 recast
1 reaction

Gabriel Ayuso
@gabrielayuso.eth
New proposal to extend Mini App metadata so clients can provide richer experiences. Please leave comments https://github.com/farcasterxyz/miniapps/discussions/191
8 replies
8 recasts
48 reactions

Tony D’Addeo
@deodad
calling the ideal extraction conditions for coffee beans the perfect cup of coffee is unforgivable
0 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
ok I think it happens when a user doesn't have money to pay for gas. obv this should show an error message in the preview rather than letting the user continue, but can let them know as a workaround while we fix cc @pirosb3
1 reply
0 recast
2 reactions

Tony D’Addeo
@deodad
what data is returned to your app in this case?
1 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
can you take a screenshot of where you are stuck
0 reply
0 recast
2 reactions

Tony D’Addeo
@deodad
do you have eth to pay for gas?
2 replies
0 recast
1 reaction

Tony D’Addeo
@deodad
we will add an export feature, which is also useful if you missed events at your webhook url. will recommend all hosts do this in the spec. but doing it cross-client will be a bit of a pain since you’ll need to do it from each one, so likely would be a good offering for providers as well
1 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
good call we should update to use the correct unique constraint
0 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
what are you grafting onto what?
1 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
https://github.com/farcasterxyz/protocol/discussions/225
0 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
no, this would require getting two signed messages from each of the wallets. there is this FIP that will be implemented soon but it still won't work for every connected address. it'd be too complex of a security model if every connected wallet also could impersonate your Farcaster identity
1 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
dayum, if when I go to London with my family I want to do a scone cooking class, would you recommend this specific one? if so, what’s it called
1 reply
0 recast
1 reaction

Tony D’Addeo
@deodad
good framing
0 reply
0 recast
1 reaction