[Archive] Persistent session: is it safe to store postboxKey from TorusServiceProvider in localStorage?

Embedded Wallets (Web3Auth)
1

:classical_building: Archived Content from Web3Auth Community

This topic was originally posted by andriyantonenko3.16 on 8/1/2023.
This content has been migrated from our previous community forum to preserve valuable discussions.

  • SDK Version: 10.1.0

Hello! I am trying to make login with Auth0 to my dapp, using tKey SDK. So, currently I have a problem, every time I am refreshing the page, I have to log in again. I don’t want to push my users to log in on every refresh and want to keep my session persistent. Here is how my login function looks now:

  const login = async () => {
    try {
      if (localStorage.getItem("postboxKey")) {
        const prefetchedMetadata = await tKey.storageLayer.getMetadata({
          privKey: new BN(localStorage.getItem("postboxKey")!, "hex"),
        });
        await tKey.initialize({ withShare: prefetchedMetadata as any });
      } else {
        const directAuthResponse = await (
          tKey.serviceProvider as TorusServiceProvider
        ).triggerLogin({
          typeOfLogin: "jwt",
          verifier: WEB3AUTH_AUTH0_VERIFIER,
          clientId: AUTH_ZERO_CLIENT_ID,
          jwtParams: {
            domain: AUTH_ZERO_DOMAIN,
          },
        });

    console.info(directAuthResponse);

    const postboxKey = tKey.serviceProvider.postboxKey;
    localStorage.setItem("postboxKey", postboxKey.toString("hex"));

    const shareStore = await tKey.storageLayer.getMetadata<{
      message: string;
    }>({
      serviceProvider: tKey.serviceProvider,
      privKey: postboxKey,
    });

    await tKey.initialize({ withShare: shareStore as any }); // metadata is from the above step
  }

I am trying to store postboxKey to the localStorage, but I don’t understand what is this key doing and if is it actually safe to use it in this way

2

@andriyantonenko3.16 Thanks for reaching out.

Your issue has been forwarded to our team and we will get back to you with further updates once more information becomes available.

3

Ok, I have found that you use @toruslabs/openlogin-session-manager for mpc-core-kit. Can I use it to store sessions for my application?

Here session data:

export interface SessionData {
  oAuthKey: string;
  userInfo: any;
}

Then, I am going to initialize tKey in the next way:

tKey.serviceProvider.postboxKey = new BN(sessionData.oAuthKey, "hex");
await tKey.initialize({ neverInitializeNewKey: true });
await (
   tKey.modules.webStorage as WebStorageModule
).inputShareFromWebStorage();
await reconstructPrivateKey();

const { requiredShares } = tKey.getKeyDetails();

if (requiredShares <= 0) {

const reconstructedKey = await tKey.reconstructKey();

setPrivateKey(reconstructedKey.privKey.toString(“hex”));

// This private key will be used to make blockchain calls.

} else {

toast.error(

“Critical Error: key reconstruction failed, not enough shares”

);

console.warn(“Not enough shares to reconstruct key”, requiredShares);

}

I am not sure that this is a good way to do it. Please, help me with your suggestions)