forked from dfinity/internet-identity
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinternet_identity.did
237 lines (205 loc) · 7.31 KB
/
internet_identity.did
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
type UserNumber = nat64;
type PublicKey = blob;
type CredentialId = blob;
type DeviceKey = PublicKey;
type UserKey = PublicKey;
type SessionKey = PublicKey;
type FrontendHostname = text;
type Timestamp = nat64;
type HeaderField = record {
text;
text;
};
type HttpRequest = record {
method: text;
url: text;
headers: vec HeaderField;
body: blob;
};
type HttpResponse = record {
status_code: nat16;
headers: vec HeaderField;
body: blob;
streaming_strategy: opt StreamingStrategy;
};
type StreamingCallbackHttpResponse = record {
body: blob;
token: opt Token;
};
type Token = record {};
type StreamingStrategy = variant {
Callback: record {
callback: func (Token) -> (StreamingCallbackHttpResponse) query;
token: Token;
};
};
type Purpose = variant {
recovery;
authentication;
};
type KeyType = variant {
unknown;
platform;
cross_platform;
seed_phrase;
};
// This describes whether a device is "protected" or not.
// When protected, a device can only be updated or removed if the
// user is authenticated with that very device.
type DeviceProtection = variant {
protected;
unprotected;
};
type Challenge = record {
png_base64: text;
challenge_key: ChallengeKey;
};
type DeviceData = record {
pubkey : DeviceKey;
alias : text;
credential_id : opt CredentialId;
purpose: Purpose;
key_type: KeyType;
protection: DeviceProtection;
};
type RegisterResponse = variant {
// A new user was successfully registered.
registered: record {
user_number: UserNumber;
};
// No more registrations are possible in this instance of the II service canister.
canister_full;
// The challenge was not successful.
bad_challenge;
};
type AddTentativeDeviceResponse = variant {
// The device was tentatively added.
added_tentatively: record {
verification_code: text;
device_registration_timeout: Timestamp;
};
// Device registration mode is off, either due to timeout or because it was never enabled.
device_registration_mode_off;
// There is another device already added tentatively
another_device_tentatively_added;
};
type VerifyTentativeDeviceResponse = variant {
// The device was successfully verified.
verified;
// Wrong verification code entered. Retry with correct code.
wrong_code: record {
retries_left: nat8
};
// Device registration mode is off, either due to timeout or because it was never enabled.
device_registration_mode_off;
// There is no tentative device to be verified.
no_device_to_verify;
};
type Delegation = record {
pubkey: PublicKey;
expiration: Timestamp;
targets: opt vec principal;
};
type SignedDelegation = record {
delegation: Delegation;
signature: blob;
};
type GetDelegationResponse = variant {
// The signed delegation was successfully retrieved.
signed_delegation: SignedDelegation;
// The signature is not ready. Maybe retry by calling `prepare_delegation`
no_such_delegation
};
type MigrationState = variant {
not_started;
started: record {
// number of anchors that still need migration. Once it reaches 0, the migration is finished.
anchors_left: nat64;
batch_size: nat64;
};
finished;
};
type InternetIdentityStats = record {
users_registered: nat64;
storage_layout_version: nat8;
assigned_user_number_range: record {
nat64;
nat64;
};
archive_info: ArchiveInfo;
canister_creation_cycles_cost: nat64;
// this is opt so that we can remove the migration state after the migration without breaking any clients
memory_migration_state: opt MigrationState;
};
// Information about the archive.
type ArchiveInfo = record {
// Canister id of the archive or empty if no archive has been deployed yet.
archive_canister : opt principal;
// Expected hash of the archive wasm module. II will accept wasm modules hashing to this hash in the canister call
// deploy_archive. The actual installed archive wasm hash might be different if the archive has not yet been upgraded.
// When empty, deployment of the archive is disabled and II will not accept any wasm module.
expected_wasm_hash: opt blob;
};
// Init arguments of II which can be supplied on install and upgrade.
// Setting a value to null keeps the previous value.
type InternetIdentityInit = record {
// Set lowest and highest anchor
assigned_user_number_range : opt record {
nat64;
nat64;
};
// Set the module hash of the archive canister
archive_module_hash : opt blob;
// Set the amounts of cycles sent with the create canister message.
// This is configurable because in the staging environment cycles are required.
// The canister creation cost on mainnet is currently 100'000'000'000 cycles. If this value is higher thant the
// canister creation cost, the newly created canister will keep extra cycles.
canister_creation_cycles_cost : opt nat64;
// Anchor migration batch size for the stable memory migration.
// If set to 0, migration is disabled (if the migration was already started, it will be paused in the current state).
memory_migration_batch_size: opt nat32;
};
type ChallengeKey = text;
type ChallengeResult = record {
key : ChallengeKey;
chars : text;
};
type DeviceRegistrationInfo = record {
tentative_device : opt DeviceData;
expiration: Timestamp;
};
type IdentityAnchorInfo = record {
devices : vec DeviceData;
device_registration: opt DeviceRegistrationInfo;
};
type DeployArchiveResult = variant {
// The archive was deployed successfully and the supplied wasm module has been installed. The principal of the archive
// canister is returned.
success: principal;
// Initial archive creation is already in progress.
creation_in_progress;
// Archive deployment failed. An error description is returned.
failed: text;
};
service : (opt InternetIdentityInit) -> {
init_salt: () -> ();
create_challenge : () -> (Challenge);
register : (DeviceData, ChallengeResult) -> (RegisterResponse);
add : (UserNumber, DeviceData) -> ();
update : (UserNumber, DeviceKey, DeviceData) -> ();
remove : (UserNumber, DeviceKey) -> ();
// Returns all devices of the user (authentication and recovery) but no information about device registrations.
// Note: Will be changed in the future to be more consistent with get_anchor_info.
lookup : (UserNumber) -> (vec DeviceData) query;
get_anchor_info : (UserNumber) -> (IdentityAnchorInfo);
get_principal : (UserNumber, FrontendHostname) -> (principal) query;
stats : () -> (InternetIdentityStats) query;
enter_device_registration_mode : (UserNumber) -> (Timestamp);
exit_device_registration_mode : (UserNumber) -> ();
add_tentative_device : (UserNumber, DeviceData) -> (AddTentativeDeviceResponse);
verify_tentative_device : (UserNumber, verification_code: text) -> (VerifyTentativeDeviceResponse);
prepare_delegation : (UserNumber, FrontendHostname, SessionKey, maxTimeToLive : opt nat64) -> (UserKey, Timestamp);
get_delegation: (UserNumber, FrontendHostname, SessionKey, Timestamp) -> (GetDelegationResponse) query;
http_request: (request: HttpRequest) -> (HttpResponse) query;
deploy_archive: (wasm: blob) -> (DeployArchiveResult);
}