Get date of creation/last authentication of a key/address on web3auth network

Is there a way to get info (ideally a timestamp, not necessarily exact) about when a key got initialized on the web3auth nodes? I would like to know when users interacting with my verifier did so for the first time and have some logic in my app based on it

Moreover, is there a way to tell whether the user ever successfully retrieved the shares from the network? I know the network can watch for an idToken being reused (to prevent replay attacks), so there’s perhaps a way to tell how many idTokens the user submitted (successfully) so far. Knowing this would help me determine whether the key ever actually got used by the user or not, which is crucial for my use case (migration of keys between verifiers, see Import private key to be used by SFA SDK - #7 by rafael.korbas)

@rafael.korbas Our team will review your request and get back on Monday.


Hey @rafael.korbas

As I see it, the ask here is to get metrics for each user on when they tried to log in, what their most recent login was and when the first login happened.
Unfortunately, we don’t store such information in our databases. Such information, ideally, is not of any use to us since we just authenticate the id token to relay the information back to the frontend. The metadata can give you information about the share, like on which device it was created and when; however, the information about the user interaction is not saved.

You can manually log that information in your database, since all the login triggers are directly going via your frontend.

> As I see it, the ask here is to get metrics for each user on when they tried to log in, what their most recent login was and when the first login happened.
> Unfortunately, we don’t store such information in our databases. Such information, ideally, is not of any use to us since we just authenticate the id token to relay the information back to the frontend. The metadata can give you information about the share, like on which device it was created and when; however, the information about the user interaction is not saved.

@yashovardhan I see. To clarify, in the question I asked for stronger information than we actually needed. We don’t really need any granular metrics about our users (timestamp of first/last login); what we essentially need is a reliable way to detect whether the key stored on the web3auth network for the given verifier has ever been used by the user or not.

There is a legacyKeyLookup call to retrieve the public key for a given user, if it was ever initialized, which at first sight seems to be exactly what we need, but the catch is that a key can in theory be initialized by anybody, as no authentication is required for the GetPubKeyOrKeyAssign web3auth node RPC call.

A way out from this issue for us could be, if there was a way to get the information whether the user ever successfully authenticated against the web3auth network, which would allow us to weed out such “spam” keys which could have been initialized by anybody and could in theory be abused to break our app’s logic.

I guess the web3auth network already has to somehow track used idTokens for the user (to prevent replay attacks) so I guess there could indeed be a way to at least tell if given user ever provided a valid idToken to the network, or is there some limitation making even this (exposing a did_authenticate true/false flag, or something similar) inherently impossible?

> You can manually log that information in your database, since all the login triggers are directly going via your frontend.

We know, and of course, our problem is that we weren’t logging such data on our side so far (web3auth user identifiers/emails) and even if we started, we sadly didn’t find any reliable way to backfill this data for our existing users.

Ok, I think I found a solution. Only the properly created/initialized tkeys seem to have metadata set on the metadata server, as you hinted @yashovardhan, so something like this:

    const res = await legacyKeyLookup([torusNodeEndpoints[0]], "<my verifier>", "rafael.korbas@gmail.com");
    const metadataStorage = new MetadataStorageLayer();
    // returns non-empty result for properly initialized keys
    const metadataRes = await metadataStorage.getMetadata(res.keyResult.keys[0], "tkey");

but seems to work only for CustomAuth, as the default verifier seems to store the key metadata differently. But already this should be enough for us

One more question though. I would like to be able to at least tell when a key for the default verifier has been created. I can technically do that with the GetPubKeyOrKeyAssign call but for users with non-existing keys this has the (nasty) side effect of creating the key (which can moreover take several seconds). Is there perhaps a “read-only” version of the call that would outright return an empty response for users without a key yet, and the timestamp of key creation time, if the key exists?

OK, I think I can answer myself. To look up the key existence I can just use legacyKeyLookup and if, based on this call, the key exists, I can then call GetPubKeyOrKeyAssign, which will get me the creation timestamp. A bit awkward because it’s two sequential network calls, but good enough for me. Still, it would be better to have one call to handle it all and not rely on an apparently “legacy” call

correction - it seems to actually be the other way around, i.e. the shared verifiers (on legacy network) use the legacy metadata host and customauth doesn’t
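
The decision logic discussed in this thread, as an added example that is not part of any post and is not web3auth code: it separates "key merely assigned" from "key initialized with metadata" and refuses to guess when a call fails or when the metadata check does not apply to the verifier type. All names (`KeyState`, `classifyKeyState`, `probeKey`, `deps.lookupKey`, `deps.getMetadata`) are hypothetical, and the meaning of an "empty" metadata result is an assumption.

```javascript
// Added example. Every name here is hypothetical; nothing is web3auth SDK API.
const KeyState = Object.freeze({
  NO_KEY: "no_key",               // lookup succeeded and found no key
  ASSIGNED_ONLY: "assigned_only", // key exists, metadata empty: anyone could have created it
  INITIALIZED: "initialized",     // key exists and metadata is non-empty
  UNKNOWN: "unknown",             // a call failed, or the metadata check does not apply
});

// Assumption: "empty" means null, undefined, "" or an object/array with no keys.
function isNonEmpty(value) {
  if (value === null || value === undefined || value === "") return false;
  return typeof value !== "object" || Object.keys(value).length > 0;
}

// lookup:   { ok: true, pubKey: object|null } or { ok: false }
// metadata: { ok: true, value: any }          or { ok: false }
// metadataApplies: false for verifiers whose key metadata is stored elsewhere.
function classifyKeyState(lookup, metadata, metadataApplies = true) {
  if (!lookup || lookup.ok !== true) return KeyState.UNKNOWN;
  if (!lookup.pubKey) return KeyState.NO_KEY;
  if (!metadataApplies) return KeyState.UNKNOWN;
  if (!metadata || metadata.ok !== true) return KeyState.UNKNOWN;
  return isNonEmpty(metadata.value) ? KeyState.INITIALIZED : KeyState.ASSIGNED_ONLY;
}

// Turn a thrown error into { ok: false } so a timeout never reads as "no key".
async function attempt(fn) {
  try { return { ok: true, result: await fn() }; } catch (err) { return { ok: false }; }
}

// deps.lookupKey(id) and deps.getMetadata(pubKey) are caller-supplied wrappers
// around the two calls shown in the thread; lookupKey must be the read-only one.
async function probeKey(id, deps, metadataApplies = true) {
  const l = await attempt(() => deps.lookupKey(id));
  const lookup = l.ok ? { ok: true, pubKey: l.result || null } : l;
  if (!lookup.ok || !lookup.pubKey || !metadataApplies) {
    return classifyKeyState(lookup, null, metadataApplies);
  }
  const m = await attempt(() => deps.getMetadata(lookup.pubKey));
  const metadata = m.ok ? { ok: true, value: m.result } : m;
  return classifyKeyState(lookup, metadata, metadataApplies);
}
```

Treating `UNKNOWN` as its own state keeps a node outage or an unsupported verifier type from being recorded as "never used".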