Description
Generating a session key in the Ethereum ecosystem typically means creating a new Ethereum account (and therefore a new public/private key pair) that is authorized to act on behalf of the main account under specific conditions. This new account is the session key. Ethereum itself has no built-in "session key" type or interface; the concept is implemented in smart contract logic, which means the main account has to be a contract (a contract wallet or smart account) that decides which callers it accepts and under what limits, rather than a plain externally owned account whose only authority is its own private key.
Here's a simplified approach to generating and using a session key:
1. Generate a New Ethereum Account:
- This can be done using standard Ethereum wallet software or libraries like `ethers.js` or `web3.js`. This new account will be your session key.
2. Set Permissions in Your Main Account's Smart Contract:
- Modify the smart contract controlling your main account to recognize and accept transactions from this new session key under specific conditions. This is typically a function (or modifier) that checks that the caller is the authorized session key and then validates the requested action against predefined rules: transaction value limits, which functions or target contracts may be called, time bounds, and so on. Anything the rules do not explicitly allow should be rejected, since the session key is expected to live somewhere less protected than the main key.
Example Smart Contract:
Here’s a basic example using Solidity:
```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract SessionKeyManager {
    address public mainAccount;
    address public sessionKey;
    uint256 public sessionKeyExpiration;

    constructor() {
        // The deployer is the main account that controls this contract.
        mainAccount = msg.sender;
    }

    // Set a new session key with an expiration time (duration is in seconds from now).
    function setSessionKey(address _sessionKey, uint256 duration) external {
        require(msg.sender == mainAccount, "Only main account can set session key");
        require(_sessionKey != address(0), "Session key cannot be the zero address");
        sessionKey = _sessionKey;
        // Checked arithmetic in 0.8.x reverts on overflow. block.timestamp can be
        // nudged by a block producer by a few seconds, so do not rely on sub-minute precision.
        sessionKeyExpiration = block.timestamp + duration;
    }

    // Modifier that checks that the caller is the valid, unexpired session key.
    modifier onlySessionKey() {
        require(msg.sender == sessionKey, "Caller is not the session key");
        require(block.timestamp <= sessionKeyExpiration, "Session key expired");
        _;
    }

    // Example of a restricted function: only the session key may call it.
    function doSomethingRestricted() external onlySessionKey {
        // Restricted logic here
    }

    // Clear the session key. Either party may do this: the main account to revoke,
    // the session key itself to "log out". Clearing only ever reduces authority.
    function clearSessionKey() external {
        require(msg.sender == mainAccount || msg.sender == sessionKey, "Unauthorized");
        sessionKey = address(0);
        sessionKeyExpiration = 0;
    }
}
```

In this contract:
- The `mainAccount` can set a `sessionKey` with a specific expiration time.
- The `doSomethingRestricted` function can only be called by the `sessionKey`, and only if it has not expired.
- The `sessionKey` can be cleared by either the `mainAccount` or the `sessionKey` itself.
Generating the Session Key with Web3.js:
Using Web3.js, you can generate a new account like this:
```javascript
// web3 v4.x exports a named class; for web3 v1.x use: const Web3 = require('web3');
const { Web3 } = require('web3');
const web3 = new Web3(Web3.givenProvider || 'ws://localhost:8545');

// accounts.create() generates a fresh secp256k1 key pair locally; it does not
// touch the node, so the provider above is only needed later to send transactions.
const sessionKeyAccount = web3.eth.accounts.create();
console.log("Session Key Address:", sessionKeyAccount.address);
// Only print the private key in a local test. Anyone holding it can do everything
// the session key is authorized to do until it expires or is revoked.
console.log("Session Key Private Key:", sessionKeyAccount.privateKey);
```

Important Considerations:
- Security: The session key's private key normally lives somewhere less protected than the main key (a browser tab, a game client, a server process); that is the point of having one. Make sure it is stored and transmitted securely anyway, because if it is compromised the attacker can perform every action the key is authorized for until it expires or is revoked. Keep its scope (callable functions, value limits) as narrow as possible and its lifetime short, and never reuse the main account's key as a session key.
- Audit and Testing: Smart contracts should be thoroughly tested and audited, especially those handling permissions and financial transactions.
- Gas Fees: In this design the session key is an ordinary externally owned account, so it must hold ETH to pay gas for every transaction it sends. With an ERC-4337 smart account a paymaster can sponsor that gas instead, but that is outside this basic contract.
- Revocation: Ensure that your contract logic lets the main account revoke or rotate the session key at any time, not only wait for expiry. In the contract above the session key can also clear itself, which is a harmless convenience since clearing can only reduce authority.
This implementation is quite basic. Depending on your specific requirements, you might need a more sophisticated system with additional checks, balances, and features.
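A scoped version of the manager, as an added example that is not part of the original post: each session key gets an expiry, a single allowed target contract, a single allowed function selector and a cumulative value cap, and all calls are forwarded through an `execute` function so the account contract itself is the `msg.sender` that the target sees. The contract and function names (`ScopedSessionKeys`, `grant`, `revoke`, `execute`) and the particular policy fields are assumptions chosen for illustration, not an established standard.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.5;

/// Added example, not from the original post. A contract account that lets its
/// owner grant narrowly scoped, time-limited session keys. Names and policy
/// fields are illustrative assumptions.
contract ScopedSessionKeys {
    struct Session {
        uint48 expiresAt;   // unix time after which the key is dead
        address target;     // the only contract this key may call
        bytes4 selector;    // the only function it may call on that target
        uint128 valueCap;   // total wei this key may ever send
        uint128 valueSpent; // running total, compared against valueCap
    }

    address public immutable owner;
    mapping(address => Session) public sessions;

    event SessionGranted(address indexed key, address target, bytes4 selector, uint48 expiresAt, uint128 valueCap);
    event SessionRevoked(address indexed key);
    event Executed(address indexed key, address target, uint256 value, bytes4 selector);

    error NotOwner();
    error NoSession();
    error SessionExpired();
    error TargetNotAllowed();
    error SelectorNotAllowed();
    error ValueCapExceeded();
    error CallFailed(bytes returnData);

    constructor() {
        owner = msg.sender;
    }

    modifier onlyOwner() {
        if (msg.sender != owner) revert NotOwner();
        _;
    }

    /// Owner authorises `key` for `duration` seconds with a fixed scope.
    /// Granting again overwrites the scope and resets the spent counter.
    function grant(address key, address target, bytes4 selector, uint48 duration, uint128 valueCap)
        external
        onlyOwner
    {
        require(key != address(0) && key != owner, "bad key");
        uint48 expiresAt = uint48(block.timestamp) + duration; // checked arithmetic reverts on overflow
        sessions[key] = Session(expiresAt, target, selector, valueCap, 0);
        emit SessionGranted(key, target, selector, expiresAt, valueCap);
    }

    /// Only the owner revokes. A session key must never be able to change its
    /// own scope; revocation is the owner's emergency brake and is cheap.
    function revoke(address key) external onlyOwner {
        delete sessions[key];
        emit SessionRevoked(key);
    }

    /// Forward a call through this account. The owner passes unchecked; any
    /// other caller must hold a session whose scope covers exactly this call.
    function execute(address target, uint256 value, bytes calldata data) external returns (bytes memory) {
        if (msg.sender != owner) {
            _checkSession(msg.sender, target, value, data);
        }
        // State (valueSpent) is already updated above, so a re-entrant call
        // from `target` cannot spend the same allowance twice.
        (bool ok, bytes memory ret) = target.call{value: value}(data);
        if (!ok) revert CallFailed(ret);
        emit Executed(msg.sender, target, value, data.length >= 4 ? bytes4(data[:4]) : bytes4(0));
        return ret;
    }

    function _checkSession(address key, address target, uint256 value, bytes calldata data) internal {
        Session storage s = sessions[key];
        if (s.expiresAt == 0) revert NoSession();
        if (block.timestamp > s.expiresAt) revert SessionExpired();
        if (target != s.target) revert TargetNotAllowed();
        // Require a full 4-byte selector. Calldata shorter than that would land in
        // the target's fallback/receive and silently bypass the function restriction.
        if (data.length < 4 || bytes4(data[:4]) != s.selector) revert SelectorNotAllowed();
        uint256 newSpent = uint256(s.valueSpent) + value;
        if (newSpent > s.valueCap) revert ValueCapExceeded();
        s.valueSpent = uint128(newSpent); // safe: newSpent <= valueCap <= type(uint128).max
    }

    /// Let the owner fund the account so session keys can spend within their cap.
    receive() external payable {}
}
```

Three choices here are deliberate. Revocation is owner-only and a key can never widen its own scope, so a stolen session key is bounded by expiry, one target, one function and the remaining value cap. The selector check insists on at least four bytes of calldata, because an empty or one-byte payload would otherwise reach the target's fallback and escape the function restriction. The spent counter is updated before the external call, so a malicious target cannot re-enter `execute` and drain more than the cap. As with the basic contract, `block.timestamp` can be shifted by a block producer by a few seconds, so expiries should be chosen in minutes or hours, not seconds.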