Thoughts on a time-based authentication scheme

With EOSIO’s flexible permissions, would it be possible for an application to allow a user authorize a signature provider sign any permitted transactions on their behalf for a specified time duration? For example, if a social media contract had a “like”, “post”, and “comment” actions, the user could agree to any number of “like” actions for a defined period of time. but all other actions like “post” or “comment” would not be permitted and would require their approval to sign.

Yeah, this would be possible, and is something we’re planning on exploring within the user layer once we get the onboarding and resource management processes ironed out.

The hurdle in doing it now is resource management, in that most users have no concept of RAM, and most likely if we were to use the permission system within EOSIO users would stumble in the creation of these permissions if they didn’t have enough. Once we have the complexities of RAM eliminated from the user experience (which we’re working on within both the transport layer and in Fuel), experiments like this will be a lot easier to accomplish.

The way I imagine it working is that the application would generate a keypair and request the user to set a permission on their account for the specific contract/actions (a “like” action for example). The application would save this key pair in the users web browser (localstorage?) and whenever the user liked a post, it’d just use the local key in the browser to sign and broadcast the transaction. Sort of like an OAuth flow where you’re granting something else permission to use an account on another platform.

Another tricky part in this is making sure that the user isn’t setting a permission that could do something dangerous…