cosmos-sdk/docs/sdk/core/app3.md

13 KiB

Modules

In the previous app, we introduced a new Msg type and used Amino to encode transactions. We also introduced additional data to the Tx, and used a simple AnteHandler to validate it.

Here, in App3, we introduce two built-in SDK modules to replace the Msg, Tx, Handler, and AnteHandler implementations we've seen so far: x/auth and x/bank.

The x/auth module implements Tx and AnteHandler - it has everything we need to authenticate transactions. It also includes a new Account type that simplifies working with accounts in the store.

The x/bank module implements Msg and Handler - it has everything we need to transfer coins between accounts.

Here, we'll introduce the important types from x/auth and x/bank, and use them to build App3, our shortest app yet. The complete code can be found in app3.go, and at the end of this section.

For more details, see the x/auth and x/bank API documentation.

Accounts

The x/auth module defines a model of accounts much like Ethereum. In this model, an account contains:

  • Address for identification
  • PubKey for authentication
  • AccountNumber to prune empty accounts
  • Sequence to prevent transaction replays
  • Coins to carry a balance

Note that the AccountNumber is a unique number that is assigned when the account is created, and the Sequence is incremented by one every time a transaction is sent from the account.

Account

The Account interface captures this account model with getters and setters:

// Account is a standard account using a sequence number for replay protection
// and a pubkey for authentication.
type Account interface {
	GetAddress() sdk.AccAddress
	SetAddress(sdk.AccAddress) error // errors if already set.

	GetPubKey() crypto.PubKey // can return nil.
	SetPubKey(crypto.PubKey) error

	GetAccountNumber() int64
	SetAccountNumber(int64) error

	GetSequence() int64
	SetSequence(int64) error

	GetCoins() sdk.Coins
	SetCoins(sdk.Coins) error
}

Note this is a low-level interface - it allows any of the fields to be over written. As we'll soon see, access can be restricted using the Keeper paradigm.

BaseAccount

The default implementation of Account is the BaseAccount:

// BaseAccount - base account structure.
// Extend this by embedding this in your AppAccount.
// See the examples/basecoin/types/account.go for an example.
type BaseAccount struct {
	Address       sdk.AccAddress `json:"address"`
	Coins         sdk.Coins      `json:"coins"`
	PubKey        crypto.PubKey  `json:"public_key"`
	AccountNumber int64          `json:"account_number"`
	Sequence      int64          `json:"sequence"`
}

It simply contains a field for each of the methods.

AccountMapper

In previous apps using our appAccount, we handled marshaling/unmarshaling the account from the store ourselves, by performing operations directly on the KVStore. But unrestricted access to a KVStore isn't really the interface we want to work with in our applications. In the SDK, we use the term Mapper to refer to an abstaction over a KVStore that handles marshalling and unmarshalling a particular data type to and from the underlying store.

The x/auth module provides an AccountMapper that allows us to get and set Account types to the store. Note the benefit of using the Account interface here - developers can implement their own account type that extends the BaseAccount to store additional data without requiring another lookup from the store.

Creating an AccountMapper is easy - we just need to specify a codec, a capability key, and a prototype of the object being encoded

accountMapper := auth.NewAccountMapper(cdc, keyAccount, auth.ProtoBaseAccount)

Then we can get, modify, and set accounts. For instance, we could double the amount of coins in an account:

acc := accountMapper.GetAccount(ctx, addr)
acc.SetCoins(acc.Coins.Plus(acc.Coins))
accountMapper.SetAccount(ctx, addr)

Note that the AccountMapper takes a Context as the first argument, and will load the KVStore from there using the capability key it was granted on creation.

Also note that you must explicitly call SetAccount after mutating an account for the change to persist!

See the AccountMapper API docs for more information.

StdTx

Now that we have a native model for accounts, it's time to introduce the native Tx type, the auth.StdTx:

// StdTx is a standard way to wrap a Msg with Fee and Signatures.
// NOTE: the first signature is the FeePayer (Signatures must not be nil).
type StdTx struct {
	Msgs       []sdk.Msg      `json:"msg"`
	Fee        StdFee         `json:"fee"`
	Signatures []StdSignature `json:"signatures"`
	Memo       string         `json:"memo"`
}

This is the standard form for a transaction in the SDK. Besides the Msgs, it includes:

  • a fee to be paid by the first signer
  • replay protecting nonces in the signature
  • a memo of prunable additional data

Details on how these components are validated is provided under auth.AnteHandler below.

The standard form for signatures is StdSignature:

// StdSignature wraps the Signature and includes counters for replay protection.
// It also includes an optional public key, which must be provided at least in
// the first transaction made by the account.
type StdSignature struct {
	crypto.PubKey    `json:"pub_key"` // optional
	[]byte `json:"signature"`
	AccountNumber    int64 `json:"account_number"`
	Sequence         int64 `json:"sequence"`
}

The signature includes both an AccountNumber and a Sequence. The Sequence must match the one in the corresponding account when the transaction is processed, and will increment by one with every transaction. This prevents the same transaction from being replayed multiple times, resolving the insecurity that remains in App2.

The AccountNumber is also for replay protection - it allows accounts to be deleted from the store when they run out of accounts. If an account receives coins after it is deleted, the account will be re-created, with the Sequence reset to 0, but a new AccountNumber. If it weren't for the AccountNumber, the last sequence of transactions made by the account before it was deleted could be replayed!

Finally, the standard form for a transaction fee is StdFee:

// StdFee includes the amount of coins paid in fees and the maximum
// gas to be used by the transaction. The ratio yields an effective "gasprice",
// which must be above some miminum to be accepted into the mempool.
type StdFee struct {
	Amount sdk.Coins `json:"amount"`
	Gas    int64     `json:"gas"`
}

The fee must be paid by the first signer. This allows us to quickly check if the transaction fee can be paid, and reject the transaction if not.

Signing

The StdTx supports multiple messages and multiple signers. To sign the transaction, each signer must collect the following information:

  • the ChainID
  • the AccountNumber and Sequence for the given signer's account (from the blockchain)
  • the transaction fee
  • the list of transaction messages
  • an optional memo

Then they can compute the transaction bytes to sign using the auth.StdSignBytes function:

bytesToSign := StdSignBytes(chainID, accNum, accSequence, fee, msgs, memo)

Note these bytes are unique for each signer, as they depend on the particular signers AccountNumber, Sequence, and optional memo. To facilitate easy inspection before signing, the bytes are actually just a JSON encoded form of all the relevant information.

AnteHandler

As we saw in App2, we can use an AnteHandler to authenticate transactions before we handle any of their internal messages. While previously we implemented our own simple AnteHandler, the x/auth module provides a much more advanced one that uses AccountMapper and works with StdTx:

app.SetAnteHandler(auth.NewAnteHandler(accountMapper, feeKeeper))

The AnteHandler provided by x/auth enforces the following rules:

  • the memo must not be too big
  • the right number of signatures must be provided (one for each unique signer returned by msg.GetSigner for each msg)
  • any account signing for the first-time must include a public key in the StdSignature
  • the signatures must be valid when authenticated in the same order as specified by the messages

Note that validating signatures requires checking that the correct account number and sequence was used by each signer, as this information is required in the StdSignBytes.

If any of the above are not satisfied, the AnteHandelr returns an error.

If all of the above verifications pass, the AnteHandler makes the following changes to the state:

  • increment account sequence by one for all signers
  • set the pubkey in the account for any first-time signers
  • deduct the fee from the first signer's account

Recall that incrementing the Sequence prevents "replay attacks" where the same message could be executed over and over again.

The PubKey is required for signature verification, but it is only required in the StdSignature once. From that point on, it will be stored in the account.

The fee is paid by the first address returned by msg.GetSigners() for the first Msg, as provided by the FeePayer(tx Tx) sdk.AccAddress function.

CoinKeeper

Now that we've seen the auth.AccountMapper and how its used to build a complete AnteHandler, it's time to look at how to build higher-level abstractions for taking action on accounts.

Earlier, we noted that Mappers are abstactions over KVStores that handle marshalling and unmarshalling data types to and from underlying stores. We can build another abstraction on top of Mappers that we call Keepers, which expose only limitted functionality on the underlying types stored by the Mapper.

For instance, the x/bank module defines the canonical versions of MsgSend and MsgIssue for the SDK, as well as a Handler for processing them. However, rather than passing a KVStore or even an AccountMapper directly to the handler, we introduce a bank.Keeper, which can only be used to transfer coins in and out of accounts. This allows us to determine up front that the only effect the bank module's Handler can have on the store is to change the amount of coins in an account - it can't increment sequence numbers, change PubKeys, or otherwise.

A bank.Keeper is easily instantiated from an AccountMapper:

bankKeeper = bank.NewBaseKeeper(accountMapper)

We can then use it within a handler, instead of working directly with the AccountMapper. For instance, to add coins to an account:

// Finds account with addr in AccountMapper.
// Adds coins to account's coin array.
// Sets updated account in AccountMapper
app.bankKeeper.AddCoins(ctx, addr, coins)

See the bank.Keeper API docs for the full set of methods.

Note we can refine the bank.Keeper by restricting it's method set. For instance, the bank.ViewKeeper is a read-only version, while the bank.SendKeeper only executes transfers of coins from input accounts to output accounts.

We use this Keeper paradigm extensively in the SDK as the way to define what kind of functionality each module gets access to. In particular, we try to follow the principle of least authority. Rather than providing full blown access to the KVStore or the AccountMapper, we restrict access to a small number of functions that do very specific things.

App3

With the auth.AccountMapper and bank.Keeper in hand, we're now ready to build App3. The x/auth and x/bank modules do all the heavy lifting:

func NewApp3(logger log.Logger, db dbm.DB) *bapp.BaseApp {

	// Create the codec with registered Msg types
	cdc := NewCodec()

	// Create the base application object.
	app := bapp.NewBaseApp(app3Name, logger, db, auth.DefaultTxDecoder(cdc))

	// Create a key for accessing the account store.
	keyAccount := sdk.NewKVStoreKey("acc")
	keyFees := sdk.NewKVStoreKey("fee")  // TODO

	// Set various mappers/keepers to interact easily with underlying stores
	accountMapper := auth.NewAccountMapper(cdc, keyAccount, auth.ProtoBaseAccount)
	bankKeeper := bank.NewBaseKeeper(accountMapper)
	feeKeeper := auth.NewFeeCollectionKeeper(cdc, keyFees)

	app.SetAnteHandler(auth.NewAnteHandler(accountMapper, feeKeeper))

	// Register message routes.
	// Note the handler gets access to
	app.Router().
		AddRoute("send", bank.NewHandler(bankKeeper))

	// Mount stores and load the latest state.
	app.MountStoresIAVL(keyAccount, keyFees)
	err := app.LoadLatestVersion(keyAccount)
	if err != nil {
		cmn.Exit(err.Error())
	}
	return app
}

Note we use bank.NewHandler, which handles only bank.MsgSend, and receives only the bank.Keeper. See the x/bank API docs for more details.

We also use the default txDecoder in x/auth, which decodes amino-encoded auth.StdTx transactions.

Conclusion

Armed with native modules for authentication and coin transfer, emboldened by the paradigm of mappers and keepers, and ever invigorated by the desire to build secure state-machines, we find ourselves here with a full-blown, all-checks-in-place, multi-asset cryptocurrency - the beating heart of the Cosmos-SDK.