ARC-8: Algorand Wallet Sign and Post API
A function used to simultaneously sign and post transactions to the network.
| Author | DanBurton |
|---|---|
| Discussions-To | https://github.com/algorandfoundation/ARCs/issues/52 |
| Status | Final |
| Type | Standards Track |
| Category | Interface |
| Created | 2021-08-09 |
Table of Contents
Algorand Wallet Sign and Post API
Abstract
A function signAndPostTxns, which accepts an array of WalletTransactions, and posts them to the network.
Accepts the inputs to ARC-0001’s / ARC-0005’s signTxns, and produces the output of ARC-0007’s postTxns.
Specification
Interface SignAndPostTxnsFunction
export type SignAndPostTxnsFunction = (
txns: WalletTransaction[],
opts?: any,
) => Promise<PostTxnsResult>;
Errors are handled exactly as specified by ARC-0001 and ARC-0007
Rationale
Allows the user to be sure that what they are signing is in fact all that is being sent. Doesn’t necessarily grant the DApp direct access to the signed txns, though they are posted to the network, so they should not be considered private.
Exposing only this API instead of exposing postTxns directly is potentially safer for the wallet user, since it only allows the posting of transactions which the user has explicitly approved.
Security Considerations
In case the wallet uses an API service that is secret or provided by the user, the wallet MUST ensure that the URL of the service and the potential tokens/headers are not leaked to the dApp.
Leakage may happen by accidentally including too much information in responses or errors returned by the various methods. For example, if the nodeJS superagent library is used without filtering errors and responses, errors and responses may include the request object, which includes the potentially secret API service URL / secret token headers.
For dApps using the signAndPostTxns function, it is RECOMMENDED to display a Waiting/Loading Screen to wait until the transaction is confirmed to prevent potential issues.
The reasoning is the following: the pop-up/window in which the wallet is showing the waiting/loading screen may disappear in some cases (e.g., if the user clicks away from it). If it disappears, the user may be tempted to perform again the action, causing significant damages.
Copyright
Copyright and related rights waived via CCO.
Citation
Please cite this document as:
DanBurton, "ARC-8: Algorand Wallet Sign and Post API," Algorand Requests for Comments, no. 8, August 2021. [Online serial]. Available: https://github.com/algorandfoundation/ARCs/blob/main/ARCs/arc-0008.md.