Experiment: use JWT action token to implement the feature of 'send token by email adress'

[dadiorchen]

As proposed in this picture below, we want to use wallet API to issue Action Token and send token to an account that will be registered in the future. So in this issue, we will implement a integration test that covers:

1. An endpoint to issue a JWT token with the content shown on the picture: the example action token.
2. An endpoint to receive this action token and verify the token then do wallet transfer.
3. The edge case that action token is expired, the request is denied.

In details, the integration tests are:

1. A test: a wallet account that owns tokens, the account issue a Action Token, simulates a new user coming in and create new wallet account, then apply the token that specified in the action token, wallet API verify the action token, if okay, then do the transfer, if not, deny it.
2. Based on the test story above, simulate the token expiration, at this case, the token application is denied.

Reference reading:

• https://jwt.io/
• https://www.janua.fr/action-token-in-keycloak/

[sebastiangaertner]

Thank Dadio, it looks good. jwt is an open standard so that ticks the main box.

A question regarding the 7 day expire case. Is the wallet at that point created already and the tokens transfered? If so how can the user retrieve that data?

[dadiorchen]

The wallet is not created till the new user receive and click the link to register, so nothing happen before that, that’s a intention of transfer stored in the action token, it will be executed when new user coming in and login into wallet app, so this solution has possibility that the promised token can not be transfer because the change by the owner side, so solve this problem would bring huge complex and workload to system, it don’t worth the price at this stage, we can add it in the future.

[sebastiangaertner]

ok. So we would need to block those tokens to be in transfer, right? So thats "pending" state or?

[dadiorchen]

In this first version we don’t do that, because it bring much more work into the project, we simply give the responsibility to the owner to take care it, when it release and we get feedback on this feature, we can start to consider an complete mechanism on this.