So I’m trying to develop an app, which I won’t go into too many details about, but I have a case where I want to have query calls that return data depending on the user subscription. The data itself is not something that is sensitive, but you can imagine it like this: users without authentication will be able to retrieve only today’s data, users with a one-month subscription will be able to retrieve the same data for one month.
And since there will be thousands of users retrieving exactly the same data, just for a different period of time, without changing the data itself, it makes sense to have query calls for that, since that’s what they are made for. But it seems there is no way of doing proper authentication for that… I’m using Internet Identity authentication for now, which works fine for update calls. But how can I check user authentication for query calls?
I understand that today authentication has to go through consensus or whatever… but in general authentication is just checking the signature of the message with a public key. I don’t need consensus of the network for that, so why is there no normal authentication that just does that?
Yes, maybe I can’t trust a single node to verify a message without consensus, but there has to be something that I can run myself in an easy way.
For example, why not a library that does this:
final user = Principal.getFromRequest(request);
where request is some kind of body of the message, and it would verify the signature of the message, and that would be good enough.
But at the moment I can’t even get the body of the request:
This is from the AI on internetcomputer.org.
It did provide me with a custom solution where I can do it:
    public query func authenticateQuery(request: Request, signature: Signature) : async Bool {
        let publicKey = getPublicKey(request.userPrincipal);
        let isValid = verifySignature(request, signature, publicKey);
        if (isValid) {
            // process the request
        } else {
            // reject the request
        }
    };
But when I asked what that verifySignature would look like if I use Internet Identity as authentication, it gave me this:
I apologize for any confusion, but the knowledge sources provided do not contain specific code for a verifySignature function using Internet Identity. The Internet Identity service uses the WebAuthn protocol for user authentication, which involves the creation of a public-private key pair on the user's device and the use of digital signatures. However, the specific implementation details of how to verify a signature with Internet Identity are not provided in the knowledge sources.
So basically your AI has no idea how to do it, and there is no documentation about it either. How come there is no simple way to have an authenticated query function?
I mean, really? If I want to have any authentication, I have to have only update calls? That just makes no sense for scaling an app at all… instead of running a light query call that can be run on one node, now I have to run every call on all 13 nodes and clog the network for no reason just to retrieve data, and on top of that it will work like 10 times slower…
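The tiered-read case described in the post, as an added Motoko example that is not part of the original post or of the AI reply quoted in it: a `shared query` function receives the principal that signed the request as `caller` (the anonymous principal when the request is unsigned), so the readable period can be chosen per caller inside the query. The `Entry` type, the two stores, `publish`, `subscribe` and the 30-day window are assumptions made for illustration.

```motoko
import Array "mo:base/Array";
import HashMap "mo:base/HashMap";
import Principal "mo:base/Principal";
import Time "mo:base/Time";

actor {
  // Hypothetical record type: one data point per day (day = days since epoch).
  type Entry = { day : Int; value : Text };

  let DAY_NS : Int = 86_400_000_000_000; // nanoseconds per day

  // Hypothetical in-memory stores (not stable; assumption for brevity).
  var entries : [Entry] = [];
  let paidUntil = HashMap.HashMap<Principal, Int>(16, Principal.equal, Principal.hash);

  // Update call: appends today's value (publisher access control omitted, assumption).
  public func publish(value : Text) : async () {
    entries := Array.append<Entry>(entries, [{ day = Time.now() / DAY_NS; value = value }]);
  };

  // Update call: records a 30-day subscription (payment check omitted, assumption).
  public shared ({ caller }) func subscribe() : async () {
    assert (not Principal.isAnonymous(caller));
    paidUntil.put(caller, Time.now() + 30 * DAY_NS);
  };

  // Number of days of history the caller may read: 30 with a live subscription, else 1.
  func allowedDays(caller : Principal) : Int {
    if (Principal.isAnonymous(caller)) return 1;
    switch (paidUntil.get(caller)) {
      case (?expiry) { if (expiry > Time.now()) 30 else 1 };
      case null { 1 };
    }
  };

  // Query call: filters the shared data set by the caller's entitlement.
  public shared query ({ caller }) func getData() : async [Entry] {
    let today = Time.now() / DAY_NS;
    let oldest = today - allowedDays(caller) + 1;
    Array.filter<Entry>(entries, func(e : Entry) : Bool { e.day >= oldest })
  };
};
```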