-
Notifications
You must be signed in to change notification settings - Fork 3.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support cosmos.msg.v1.signer as alternative to Msg.GetSigners #11275
Comments
this can be closed right? |
It's still relevant. The issue should just reference AnteHandler's and not Middleware. |
Planning to pick this one up this week. |
@aaronc tl;dr Is it a fair assumption that the SDK verifies the message is signed by For example, I was looking in message MsgClaimBudget {
option (cosmos.msg.v1.signer) = "recipient_address";
string recipient_address = 1 [(cosmos_proto.scalar) = "cosmos.AddressString"];
} Whose implementation looks like this: func (k MsgServer) ClaimBudget(ctx context.Context, msg *types.MsgClaimBudget) (*types.MsgClaimBudgetResponse, error) {
recipient, err := k.Keeper.authKeeper.AddressCodec().StringToBytes(msg.RecipientAddress)
if err != nil {
return nil, sdkerrors.ErrInvalidAddress.Wrapf("invalid recipient address: %s", err)
}
// ...
} The validity of the address is verified but not the underlying signature. However, when it comes to the governance check (which is a bit different), looking in func (k msgServer) SetSendEnabled(ctx context.Context, msg *types.MsgSetSendEnabled) (*types.MsgSetSendEnabledResponse, error) {
if k.GetAuthority() != msg.Authority {
return nil, errorsmod.Wrapf(types.ErrInvalidSigner, "invalid authority; expected %s, got %s", k.GetAuthority(), msg.Authority)
} We find the extra Here is the proto for reference: message MsgSetSendEnabled {
option (cosmos.msg.v1.signer) = "authority";
option (amino.name) = "cosmos-sdk/MsgSetSendEnabled";
// authority is the address that controls the module.
string authority = 1 [(cosmos_proto.scalar) = "cosmos.AddressString"]; cc @tac0turtle for visibility as well. |
signature verification happens at a higher level. It is safe to assume that if modules receive a message either verification has happened or the message is coming from internally. |
Thanks @tac0turtle! |
Summary
sdk.Msg
implementation should be able to omit theGetSigners()
(which depends on global bech32 prefixes) and instead use thecosmos.msg.v1.signer
protobuf annotation.Problem Definition
Currently all
sdk.Msg
types must implement a methodGetSigners() []sdk.AccAddress
which both depends on a type definition (sdk.AccAddress
) which depends on a globalsdk.Config
variable. This is problematic both because of many issues with the global variable (see #13140 and other linked issues) and because we want to make it so that a module can be written with a dependency just oncosmossdk.io/core
and not the full SDK.Proposal
All messages must define the
cosmos.msg.v1.signer
protobuf annotation which declaratively defines which fields are required to sign messages. We can utilize this in theAnteHandler
andTx
implementation instead ofGetSigners
.Previously we refactored
GetSigners()
to return[]string
in #9239 but that was unfortunately reverted in #9885 because it was considered too big of a breaking change.An alternative would be to allow
Msg
s to either implement the current interface or to just implement the methodValidateBasic() error
. We would primarily need to make changes toTx.GetSigners
andBaseApp.createEvents
to accomodate this change. IfGetSigners()
is not defined then the protoreflect API would be used to read thecosmos.msg.v1.signer
annotation and extract the signers from the message. To support gogo proto messages which don't support protoreflect, we can use the file descriptors extracted from gogo proto with dynamicpb to use protoreflect for this.In this way, modules can be written which just depend on
cosmossdk.io/core
and don't use eithersdk.AccAddress
or the bech32 global.The text was updated successfully, but these errors were encountered: