Libraries for zebra-scan RPC Interface

[mpguerra]

Let's use this discussion to evaluate various different RPC libraries against our requirements.

---

Requirements

Security requirements

• Authenticates connections to make sure they are authorised to add or remove keys, or get results
• Encrypts connections to avoid leaking keys or results
• Requires proof of knowledge of keys before accessing results or deleting that key
• The client should authenticate the server before sending private viewing keys.

Other requirements

• Can be used via Tor

---

Let's add each potential library as a new comment and add the evaluation against the criteria as comments under each library

[arya2]

I think Tonic is the best choice here:

Security requirements

• Authenticates connections to make sure they are authorised to add or remove keys, or get results

Auth can be handled with an Interceptor.

• Encrypts connections to avoid leaking keys or results

It includes TLS via rustls.

• Requires proof of knowledge of keys before accessing results or deleting that key

This could be checked in an interceptor for those routes.

• The client should authenticate the server before sending private viewing keys.

The self-signed certificate needed for TLS should work here if I understand this correctly.

Other requirements

• Can be used via Tor

The provided transport can accept http1, and it should be possible to write our own server so it can be used via Tor.

https://docs.rs/tonic/latest/tonic/transport/server/struct.Server.html#method.accept_http1

Advantages

• Transport agnostic and could be extended to work with Tor
• Supports http1
• Encoding agnostic and could be extended to support JSON, rkyv, flatbuffers, or other encodings
• More popular and complete than grpc crate, good developer experience

Drawbacks

• Tonic only includes a Codec implementation for protobufs, supporting JSON may require us to implement a JSON codec.
• It seems it may need to be used with another version of Server so it can be used via Tor

[mpguerra]

I had a quick look and it does seem like tonic is the best bet.

The only thing that might not be straightforward is using it via Tor but we can investigate that later on.

[mpguerra]

@upbqdn @oxarbitrage Any other thoughts or shall we just go ahead and use tonic?

[oxarbitrage]

I think tonic is a good choice for our purposes. I think we can go ahead and use it.

[upbqdn]

I also think tonic is the only suitable option.

[arya2]

It seems Solana uses tarpc, that could be another option. I'm not sure if it supports protobufs/prost, but it does seem to support bincode which looks comparable/slightly-better among compact formats in these benchmarks.

[mpguerra]

@arya2 have you managed to do any additional research on whether we might want to use any other libraries for authentication?

[arya2]

I'm looking at argon2 for password key hashing and jsonwebtoken for signing cookies/tokens.

[upbqdn]

We could use one of these https://github.com/RustCrypto/password-hashes for passwords, argon2 is among them.