feat: bech32 Address Hooks

[michaelfig]

closes: #10614
refs: #10249 #10250

Description

Pack a bech32 "base address" (like "agoric1...") plus HTTP query string "hook parameter" bytes into a bech32 "address hook". These address hooks are bech32-encoded (i.e., all of their data is encoded and part of the bech32 checksum), but they may be up to 1024 characters in length (instead of the default 90-character length limit).

Example

import {
  encodeAddressHook,
  decodeAddressHook,
} from '@agoric/cosmic-proto/address-hooks.js';

const baseAddress = 'agoric1qqp0e5ys';
const query = { key: 'value', foo: ['bar', 'baz'] };

const addressHook = encodeAddressHook(baseAddress, query);
// 'agoric10rchqqplvehk70tzv9ezven0du7kyct6ye4k27faweskcat9qqqstnf2eq'

addressHook.startsWith('agoric10rch');
// true

const decoded = decodeAddressHook(addressHook);
// {
//   baseAddress: 'agoric1qqp0e5ys',
//   query: [Object: null prototype] { foo: [ 'bar', 'baz' ], key: 'value' }
// }

Encoding

Specifically, an address hook looks like "agoric10rch...", and its binary payload consists of:

offset	0	3	3+len(baseAddress)	len(payload)-2
data	magic	baseAddress	hookData	len(baseAddress)

magic is a 3-byte prefix that identifies a hooked address and its version nibble,
whose value is 4 bits (between 0 and 0xf (15)). Currently, the only supported version is 0.

0x78, 0xf1, (0x70 | ADDRESS_HOOK_VERSION),

This magic prefix encodes as 0rch, regardless of the version or HRP (e.g.
'agoric10rch<rest of payload as bech32><bech32 checksum>').

Security Considerations

Improves robustness of address hook extraction with magic bytes and version nibble, as well as length validation.

Scaling Considerations

n/a

Documentation Considerations

Needs to be documented as part of Orch Core Address Hooks.

Testing Considerations

Should be tested as part of a regular contract. Already verified that encoding/decoding unit tests can pass in a JS compartment without any special powers.

Upgrade Considerations

Layered to facilitate the construction of arbitrary hookData, not just URL query strings. Should be extensible if needed.

[cloudflare-workers-and-pages]

Deploying agoric-sdk with    Cloudflare Pages

Latest commit:	c8ad417
Status:	✅  Deploy successful!
Preview URL:	https://03d783f9.agoric-sdk.pages.dev
Branch Preview URL:	https://mfig-bech32-address-hooks.agoric-sdk.pages.dev

View logs

[dckc]

I finished reviewing the JS part, which is handy, cuz now I grok the design...

[dckc]

nice docs. 👏

Bummer they don't show up in https://mfig-bech32-address-hooks.agoric-sdk.pages.dev/ 😢

Looks like cosmic-proto is entirely missing from our generated docs.

[michaelfig]

I wired up some docs now, which are better than nothing IMO. If they need much more work, I'd advocate for doing that in a new PR.

[dckc]

nice!

[dckc]

supports array values. interesting.

cc @0xpatrickdev

[dckc]

NTS: What does null represent here, I wonder? Is this a convention from the query-string package?

[michaelfig]

I've documented the format in this JSDoc block... it is inherited from query-string, but I don't want to use query-string's types directly.

[dckc]

This is API documentation, not an implementation detail comment, right?

Suggested change

	// The default maximum number of characters in a bech32-encoded hooked address.
	export const DEFAULT_HOOKED_ADDRESS_CHAR_LIMIT = 1024;
	/** The default maximum number of characters in a bech32-encoded hooked address. */
	export const DEFAULT_HOOKED_ADDRESS_CHAR_LIMIT = 1024;

[dckc]

re Security Considerations, I see:

Advanced
BIP173 enforces a limitation of 90 characters, if extend the LIMIT parameter beyond this, be aware that the effectiveness of checksum decreases as the length increases.

I don't suppose we're relying on a bech32 checksum for security beyond helping detect typos, though.

[michaelfig]

That's right. The checksum is just to avoid typo footguns, not providing any kind of authentication.

[dckc]

Here we use hookData.length without any dynamic check on the type of hookData. So joinHookedAddress is exported but not as defensive as, say, ERTP stuff.

I wonder about documentation conventions for levels of defensiveness.

I've been living in a world of exo interface guards, so reviewing this sort of thing is slightly different.

[michaelfig]

I added some code to check that hookData.length is a non-negative safe integer. As for verifying the rest of its structure, I'll leave that up to hookBuf.set(hookData, ...).

[dckc]

after mulling over what this test establishes, I thought about property testing / fuzzing to be sure the encoding is unambiguous - that no 2 distinct inputs lead to the same encoded address.

But that would say that the design is flawed. And as noted above, I assume the design is agreed by the relevant parties.

[michaelfig]

I'm not entirely enamoured with the tests as they exist now. They're that way by attrition, less so by intention.

And they don't cover any of the error cases, just manual happy paths.

[dckc]

To check default length limits against expected fast-usdc usage, let's please add a test to replace what's currently in the fast usdc test fixture: agoric16kv2g7snfc4q24vg3pjdlnnqgngtjpwtetd2h689nz09lcklvh5s8u37ek?EUD=osmo183dejcnmkka5dzcu9xw6mywq0p2m5peks28men

• base address is agoric16kv2g7snfc4q24vg3pjdlnnqgngtjpwtetd2h689nz09lcklvh5s8u37ek
• query is { EUD: 'osmo183dejcnmkka5dzcu9xw6mywq0p2m5peks28men' }

[michaelfig]

Encoded as agoric10rchp4vc53apxn32q42c3zryml8xq3xshyzuhjk6405wtxy7tl3d7e0f8az423padaek6me38qekget2vdhx66mtvy6kg7nrw5uhsaekd4uhwufswqex6dtsv44hxv3cd4jkuqpqvduyhf

Length: 149

We're mostly paying the 8/5 bech32 encoding tax on every byte of the query string. If we really need a smaller string, we'd have to resort to adding some compression.

[dckc]

supply chain audit notes: I don't see any yarn.lock changes re bech32, so I'll pass on that without further remark.

query-string@^9.1.1 seems to be new. npm shows 13M weekly downloads. Clearly pretty mature stuff.

[dckc]

Sometimes I wonder whether I should be using ses-ava. For my edification: what motivated you to use it here?

[michaelfig]

It was available from @endo, so it didn't cause dependency cycles like @agoric/swingset-vat/tools/prepare-test-env-ava.js would.

[dckc]

I don't know how to read this change. What does it do?

[michaelfig]

I moved .../x/vtransfer/types/baseaddr.go to .../types/address_hooks.go. This change gets the types.Whatever functions (whose callers were unmodified in this PR, so they don't show up in its commits) from the new Golang package (stuff in a single directory) where I moved address_hooks.go.

[dckc]

dealing with byte slices and such is quite a bit nicer in go than JS, isn't it :)

Before I approve, I think I should understand the change in golang/cosmos/x/vtransfer/keeper/keeper.go.

[dckc]

subpath... I don't remember that in the JS stuff.

[michaelfig]

It's a stale comment. In the new encoding, there is never a "subpath" since the baseAddr isn't actually in the same string as the query.

[dckc]

bz is mnemonic for something like "bytez", a play on "bytes"?

[michaelfig]

Yes, it's a Golang convention I picked up from Golang json and protobuf codecs.

[dckc]

now we have by and bz, as if it were an x, y, z thing. But z is a slice and y is a byte. ouch. hurts my brain.

[michaelfig]

I can't call it byte because that's a builtin data type. I'll try byteVal.

[dckc]

elsewhere we act like the number of bytes in a base address length is a parameter, and we do loops and stuff. Why not hard-code 2 bytes everywhere?

[michaelfig]

Thanks for pointing this out. I think this was half-finished as I rewrote the JS encoder (in my first upgrade from 1 length byte to 2 length bytes).

I want to leave it as a parameter, so I did that.

[dckc]

another place where BaseAddressLengthBytes has to be 2.

[michaelfig]

Noted.

[dckc]

go has nice table literals!

[dckc]

This seems to test only that the call does not err. Is that right?

I'm curious what happens to #fragment.

[michaelfig]

I tested SplitHookedAddress and verified the results. That turned up a bug (wasn't stripping the baseAddr length bytes from the end of an Address Hook). Thanks!

[mergify]

This pull request has been removed from the queue for the following reason: checks failed.

The merge conditions cannot be satisfied due to failing checks:

• ❌ integration-test-result
• ☑️ no-fixup-commits

You should look at the reason for the failure and decide if the pull request needs to be fixed or if you want to requeue it.

If you want to requeue this pull request, you need to post a comment with the text: @mergifyio requeue

[gibson042]

Looks like I didn't finish reviewing before this was merged, but I think it's a bad idea for these implementation to pass through hooked addresses with nonzero version nibble as if they were not hooked. Instead, such addresses should be rejected for using an unsupported version, allowing us to actually introduce such functionality in the future.

[gibson042]

For forward compatibility, this should probably error upon encountering a hooked address with an unknown version.

Suggested change

	bz := bytes.TrimPrefix(payload, AddressHookMagic)
	if len(bz) == len(payload) {
	// Return an unhooked address.
	return addr, []byte{}, nil
	}
	bz := bytes.TrimPrefix(payload, AddressHookMagic[:2])
	if len(bz) == len(payload) || len(bz) == 0 || bz[0] & 0x70 != 0x70 {
	// Return an unhooked address.
	return addr, []byte{}, nil
	}
	version := bz[0] & 0x0F
	bz = bz[1:]
	if version != AddressHookVersion {
	return "", []byte{}, fmt.Errorf("unsupported version %d", version)
	}

(and likewise in the JS version)

[dckc]

@turadg , @LuqiPan ,

I suppose this shows that my assumption that the design was agreed by all the relevant parties is not correct.