How to limit a function call to the UI

rbolog · August 22, 2022, 9:38am

Hello,

I want to limit/control the call of a function only from the embedded interface in the application. Not from Candid UI or dfx with an anonymous call.

I thought about:

A shared token, but you need to store that token.
OTP but there is also a secret to share and store.
A very short-lived code.

Do you have another suggestion or ICP trick that I don’t know ?

dymayday · August 22, 2022, 9:55am

Hi,
I’m not sure if it answers your question but you can filter the caller based on its key with this api caller in ic_cdk::api - Rust

rbolog · August 22, 2022, 10:13am

Thanks for the answer @dymayday , but no I don’t think so, because the call is anonymous. My use case is: I have a contact form that before sending the message performs some checks to avoid spam. These checks are done on the client side, I would like to limit the function call to the interface to avoid bypassing the checks with a dfx or candid UI direct call.

AdamS · August 22, 2022, 4:34pm

There is nothing you can do that makes the client trustworthy to execute operations under your control rather than theirs. This is universal among client-server applications; not even web3 can change that.

peterparker · August 22, 2022, 7:34pm

Agree with @AdamS don’t think there is an option.

To kind of solve the feature you are looking for, I added a secret as a constructor parameter of one of the last actor canister I created and then set that parameter as an environment variable of my frontend dapp.

actor class MyCanister(secret: Text) {
    public shared({ caller }) func something(secret: Text, myObject: MyObject) : async () {
        if (not validSecret(secret)) {
            throw Error.reject("Caller does not have the permission.");
        };

        ...
    };

}

It does not prevent anyone to find it, since it gets bundled in the JS code it’s public, but I thought that at least it’s a bit less obvious for those who want to query my canister with dfx.

rbolog · August 23, 2022, 9:31am

Thank you all for your answers

GLdev · August 23, 2022, 9:56am

Perhaps you should get in contact with Rick from DSCVR - @rckprtr . I know they implemented some captcha at some point, and they had to have solved the captcha → canister communication. Maybe they can help?

kentosugama · August 25, 2022, 6:23pm

If all you care about is sanitizing ingress messages from someone using DFX, this might help Message inspection | Internet Computer Home

But this doesn’t apply to inter-canister calls

rbolog · August 25, 2022, 6:41pm

@kentosugama
Excellent thank you very much, I had read this material some time ago and had completely forgotten about it. Yes indeed associated with a secret I must be able to achieve my goals.

Thank you

Topic		Replies	Views
How to restrict/encrypt canister calls Developers	6	300	December 15, 2023
I want a function on a canister to be callable only by another canister on the IC, and not by an API call or any other canister Developers	7	414	February 22, 2022
Using the Candid UI when an identity is required Developers	7	968	February 4, 2024
Any External canister integration how to guides Developers	7	479	November 14, 2022
Is it possible to call a function in a motoko canister deployed on the IC network locally from terminal? Developers	4	261	May 22, 2023

How to limit a function call to the UI

Related Topics