docs(be,fe): design doc for persisting the multiple-accounts toggle#4003
Closed
MRmarioruci wants to merge 4 commits into
Closed
docs(be,fe): design doc for persisting the multiple-accounts toggle#4003MRmarioruci wants to merge 4 commits into
MRmarioruci wants to merge 4 commits into
Conversation
|
✅ No security or compliance issues detected. Reviewed everything up to cd2927e. Security Overview
Detected Code Changes
|
Contributor
There was a problem hiding this comment.
Pull request overview
Adds a design document proposing how to persist the “Enable multiple accounts” toggle server-side so it survives reloads, identity switches, and device changes by storing the preference per (anchor, application) alongside existing per-application account configuration.
Changes:
- Proposes extending the stable
AnchorApplicationConfig(CBOR map) with an additivemultiple_accounts_enabledfield for upgrade-safe persistence. - Proposes adding dedicated Candid endpoints to read/write per-application config (including the toggle).
- Describes frontend wiring in
ContinueView.svelte, rollout/rollback considerations, and suggested unit/E2E tests.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+96
to
+99
| get_anchor_application_config : | ||
| (IdentityNumber, FrontendHostname) -> | ||
| (variant { Ok : AnchorApplicationConfigInfo; | ||
| Err : GetAnchorApplicationConfigError }) query; |
Comment on lines
+101
to
+104
| set_anchor_application_config : | ||
| (IdentityNumber, FrontendHostname, AnchorApplicationConfigInfo) -> | ||
| (variant { Ok; | ||
| Err : SetAnchorApplicationConfigError }); |
Contributor
Author
|
Closing this in favor of the implementation in #4014 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
The "Enable multiple accounts" toggle on the authorize screen is in-memory only — it resets on every page load and on every identity switch. Account data is persisted backend-side, but the UI gate is not, so users who enable multi-account on a dapp lose their per-app account list on the next visit and have to re-toggle to see their own accounts.
Persisting the toggle backend-side also surfaces a second problem: every II canister call rides on a device-rooted delegation capped at ~30 minutes, so a returning user would pay a full WebAuthn ceremony just to render their persisted preference.
Changes
Adds
docs/persist-multiple-accounts-toggle.md— a design doc in two parts:(anchor, application)persistence of the toggle by extending the existingAnchorApplicationConfigstable structure. Covers context, alternatives considered (incl. why not localStorage), backend Candid surface, frontend wiring, and upgrade-safety considerations.get_accounts,get/set_anchor_application_config,get/set_default_account). II stamps a longer-lived delegation (default 7 days) on a principal derived from(salt, anchor, scope, epoch), recognized by re-derivation in a new opt-in authz branch — the existingcheck_authorizationis untouched, so everything else stays full-auth by construction. Revocation is an additive epoch field on the anchor, bumped on any auth-method removal or explicitly. Zero new stable-memory structures; includes a mermaid flow diagram, failure modes, security analysis, and the stored-rows alternative with its adoption trigger.No code changes.
Tests
Doc only.
🤖 Generated with Claude Code