I’m considering using blockstack to build a (p2p) dApp. More specifically, I’m building a dicussion dApp where users might comment on several topics, in real-time. I have a few questions though:
How can I fetch users DID document?
It seems that blockstack is DID compliant, but there’s not many information on that. How can I retrieve the DID document of a user?
How can I sign arbitrary payload?
Users will need to sign comments so that they can be seen as authentic. Ideally, Bob should be able to verify Alice’s comment like so:
Bob sees Alice’s comment, which contains her DID, the public key, the comment signature and the comment text
Bob verifies the signature of the comment
Bob fetches Alice’s DID document and checks if the public key is listed in the DDO publicKey field.
Bob may further analyze Alice’s social claims & proofs, like her twitter and facebook account.
If everything looks good, Bob is 100% sure that the comment was made by the real Alice.
Looking into the JS library documentation, it’s unclear how a dApp can request to sign arbitrary payload, like a comment. There’s a appPrivateKey that can be used to sign, but how does one know that it’s associated with the real user?
Does blockstack-js works for a dApp being developed as a browser extension?
Besides a regular website, the dApp I’m developing will be available as an installable Chrome extension. I’ve not tested it yet, but it seems that the redirect on the authentication flow will be a problem, unless I’m able to register a protocol handler within an extension. Any ideas?
Update: I’ve made some tests and indeed blockstack doesn’t work well inside an extension for 2 reasons:
Tries to do window.location = 'blockstack:xxx' which fails in extensions
Even if the previous point was somehow fixed, chrome extensions do not have a regular “origin/domain”
I am a new user of the Blockstack and bought a username. Actually, I am not able to see my username on the dashboard. I have also asked Apple iPhone Support and wanted to know about this. so is there any solution to fix it?
One possible work around is to use makeAuthRequest to generate the authentication token and then redirect to a website with an endpoint you create that then calls redirectToSignInWithAuthRequest
That’s a good question. We don’t have a mechanism for that.
We would need to add support for that to the authentication flow. An app could request signing ability and we could publish the public key of the app private key along with a signed statement indicating ownership of it to the profile file.
@aaron and @yukan will probably have additional thoughts on this.
We sort of have a mechanism for this. For multi-player applications, we associate the app key with the user using the “apps” property in the user’s profile, which contains the Base58-check encoding of the hash of the app public key (i.e., the bitcoin address corresponding to the app public key). This is used by the sign and verify modes in blockstack.js's storage in the case of multi-player reads.
