ARC-9: Algorand Wallet Algodv2 and Indexer API
An API for accessing Algod and Indexer through a user's preferred connection.
| Author | DanBurton |
|---|---|
| Discussions-To | https://github.com/algorandfoundation/ARCs/issues/52 |
| Status | Final |
| Type | Standards Track |
| Category | Interface |
| Created | 2021-08-09 |
Table of Contents
Algorand Wallet Algodv2 and Indexer API
Abstract
Functions getAlgodv2Client and getIndexerClient which return a BaseHTTPClient that can be used to construct an Algodv2Client and an IndexerClient respectively (from the JS SDK);
Specification
Interface GetAlgodv2ClientFunction
type GetAlgodv2ClientFunction = () => Promise<BaseHTTPClient>
Returns a promised BaseHTTPClient that can be used to then build an Algodv2Client, where BaseHTTPClient is an interface matching the interface algosdk.BaseHTTPClient from the JS SDK).
Interface GetIndexerClientFunction
type GetIndexerClientFunction = () => Promise<BaseHTTPClient>
Returns a promised BaseHTTPClient that can be used to then build an Indexer, where BaseHTTPClient is an interface matching the interface algosdk.BaseHTTPClient from the JS SDK).
Security considerations
The returned BaseHTTPClient SHOULD filter the queries made to prevent potential attacks and reject (i.e., throw an exception) if this is not satisfied.
A non-exhaustive list of checks is provided below:
- Check that the relative PATH does not contain
... - Check that the only provided headers are the ones used by the SDK (when this ARC was written:
acceptandcontent-type) and their values are the ones provided by the SDK.
BaseHTTPClient MAY impose rate limits.
For higher security, BaseHTTPClient MAY also check the queries with regards to the OpenAPI specification of the node and the indexer.
In case the wallet uses an API service that is secret or provided by the user, the wallet MUST ensure that the URL of the service and the potential tokens/headers are not leaked to the dApp.
Leakage may happen by accidentally including too much information in responses or errors returned by the various methods. For example, if the nodeJS superagent library is used without filtering errors and responses, errors and responses may include the request object, which includes the potentially secret API service URL / secret token headers.
Rationale
Nontrivial dApps often require the ability to query the network for activity. Algorand dApps written without regard to wallets are likely written using Algodv2 and Indexer from algosdk.
This document allows dApps to instantiate Algodv2 and Indexer for a wallet API service, making it easy for JavaScript dApp authors to port their code to work with wallets.
Security Considerations
None.
Copyright
Copyright and related rights waived via CCO.
Citation
Please cite this document as:
DanBurton, "ARC-9: Algorand Wallet Algodv2 and Indexer API," Algorand Requests for Comments, no. 9, August 2021. [Online serial]. Available: https://github.com/algorandfoundation/ARCs/blob/main/ARCs/arc-0009.md.