Persistent session: is it safe to store postboxKey from TorusServiceProvider in localStorage?

  • SDK Version: 10.1.0

Hello! I am trying to implement login with Auth0 in my dapp, using the tKey SDK. Currently I have a problem: every time I refresh the page, I have to log in again. I don’t want to make my users log in on every refresh and want to keep my session persistent. Here is how my login function looks now:

  const login = async () => {
    try {
      if (localStorage.getItem("postboxKey")) {
        // Restore path: a postboxKey saved by an earlier login is read back
        // from localStorage and used to fetch the metadata.
        const prefetchedMetadata = await tKey.storageLayer.getMetadata({
          privKey: new BN(localStorage.getItem("postboxKey")!, "hex"),
        });
        await tKey.initialize({ withShare: prefetchedMetadata as any });
      } else {
        // Fresh login through the Auth0 JWT verifier.
        const directAuthResponse = await (
          tKey.serviceProvider as TorusServiceProvider
        ).triggerLogin({
          typeOfLogin: "jwt",
          verifier: WEB3AUTH_AUTH0_VERIFIER,
          clientId: AUTH_ZERO_CLIENT_ID,
          jwtParams: {
            domain: AUTH_ZERO_DOMAIN,
          },
        });

        console.info(directAuthResponse);

        // Persist the postboxKey (hex) in localStorage so the next page load
        // takes the restore path above instead of triggering a login.
        const postboxKey = tKey.serviceProvider.postboxKey;
        localStorage.setItem("postboxKey", postboxKey.toString("hex"));

        const shareStore = await tKey.storageLayer.getMetadata<{
          message: string;
        }>({
          serviceProvider: tKey.serviceProvider,
          privKey: postboxKey,
        });

        await tKey.initialize({ withShare: shareStore as any }); // metadata is from the above step
      }
    } catch (error) {
      console.error(error);
    }
  };

I am trying to store the postboxKey in localStorage, but I don’t understand what this key does and whether it is actually safe to use it in this way.

@andriyantonenko3.16 Thanks for reaching out.

Your issue has been forwarded to our team and we will get back to you with further updates once more information becomes available.


Ok, I have found that you use @toruslabs/openlogin-session-manager for mpc-core-kit. Can I use it to store sessions for my application?

Here is the session data:

export interface SessionData {
  oAuthKey: string;
  userInfo: any;
}

Then, I am going to initialize tKey in the following way:

tKey.serviceProvider.postboxKey = new BN(sessionData.oAuthKey, "hex");
await tKey.initialize({ neverInitializeNewKey: true });
await (
  tKey.modules.webStorage as WebStorageModule
).inputShareFromWebStorage();
await reconstructPrivateKey();

const { requiredShares } = tKey.getKeyDetails();
if (requiredShares <= 0) {
  const reconstructedKey = await tKey.reconstructKey();
  setPrivateKey(reconstructedKey.privKey.toString("hex"));
  // This private key will be used to make blockchain calls.
} else {
  toast.error(
    "Critical Error: key reconstruction failed, not enough shares"
  );
  console.warn("Not enough shares to reconstruct key", requiredShares);
}

I am not sure that this is a good way to do it. Please help me with your suggestions :)