Skip to content

near/mpc

Repository files navigation

MPC Account Recovery (WIP)

The aim of this project is to offer NEAR users the opportunity to create and restore their accounts by utilizing OIDC protocol. By linking their NEAR account to Pagoda, Gmail, Github, or other authentication provider, they can then add a new Full Access key, which will be managed by the trusted network of servers. Should they lose all the keys they possess, they can reauthorize themselves, create a new key, and add it into their NEAR account using a transaction that will be signed by MPC servers through their recovery key. All the transaction cost will be covered by a relayer server and metatransactions.

How the MPC system will work

  • The system consists of N (4+) trusted nodes
  • Each node holds a unique secret key
  • Each action must be signed by N-1 node

Currently everything is signed by a single node with a single private key.

External API

The recovery service is currently hosted at https://mpc-recovery-7tk2cmmtcq-ue.a.run.app.

Create New Account

URL: /new_account
Request parameters: {
    near_account_id: String,
    oidc_token: String,
    public_key: String
}
Response:
Ok {
    user_public_key: String,
    user_recovery_public_key: String,
    near_account_id: String,
} /
Err {
    msg: String
}

This creates an account with the name in near_account_id. If this name is already taken then this operation will fail with no action having been taken.

This service will send a create_account message to the relayer from tmp_acount_creator.serhii.testnet creating from the request field near_account_id. If this operation is successful the near.org relayer will make an allowance for the created account.

Newly created NEAR account will have two full access keys. One that was provided by the user, and the recovery one that is controlled by the MPC system.

Recover Account

URL: /add_key
Request parameters: {
    // in case NEAR AccointId is not provided,
    // it will be determined using recovery PK and NEAR Wallet APIs
    near_account_id: Option(String),
    public_key: String,
    oidc_token: String
}
Response:
Ok {
    user_public_key: String,
    near_account_id: String,
} /
Err{
    msg: String
}

OIDC (OAuth 2.0) authentication

We are using OpenID Connect (OIDC) standard to authenticate users (built on top of OAuth 2.0). Check OIDC standard docs here and Google OIDC docs here

Client integration

There are several ways to get and use the ID token. The flow that we are using is called the "server" flow, you can find more info here. The system will be able to process any token that is following the core OpenID Connect standard. In order to receive the ID token from OpenID provider you will need to include the openid scope value to the Authorization Request.

Server integration

Internally, we are identifying users by their issuer id (iss) and their unique ID (sub) retrieved form the ID token and separated by a colon: <issuer_iss>:<user_sub>. It means that each recovery method (like GitHub and Google) is separated from one another even if they have the same email.

Contribute

In order to build the project, you will need to have protoc and gmp installed. Refer to your system's package manager on how to do this.

If you have nix and direnv installed, you can set up a development environment by running:

direnv allow

Run unit tests with:

cargo test -p mpc-recovery

Integration tests

Running integration tests requires you to have relayer docker image present on your machine:

# TODO: upstream these changes
git clone -b mpc/entrypoint git@github.com:near/pagoda-relayer-rs-fastauth.git
docker build pagoda-relayer-rs-fastauth -t pagoda-relayer-rs-fastauth

Now, build mpc-recovery from this repository:

docker build . -t near/mpc-recovery

Note. You will need to re-build the Docker image each time you make a code change and want to run the integration tests.

Finally, run the integration tests:

cargo test -p mpc-recovery-integration-tests