Problem: How does Orion validates the `AppActionMetadata` information coming from external actors?

[zeeshanakram3]

Sometimes Orion is unaware of all the information that will be part of AppActionMetadata, and it needs that information from trusted external sources. The problem is how does Orion trust/validate that the AppActionMetadata info that it got from external sources/actors is actually correct?

Problem Context

As mentioned in Joystream/youtube-synch#139, We want the channels/videos youtube attribution information to be part of AppActionMetadata and not the raw action (i.e. CreateVideo). We also discussed that Orion will be doing the signing (there is also an endpoint for that).
However, Orion is not aware of the video attribution (ytVideoId) information.
So Yt-synch backend need to send to send both VideoMetadata & ytVideoId. But the problem is that Orion does not really verify what it is signing or what actor is asking for a signature from it, so someone can create a video with the same fake ytVideoId (which is part of AppActionMetadata), and it won't be possible to distinguish a fake from a real one

There are two possible solutions I can think of:

1. Orion should authenticate YT-synch backend so that it can trust that the YT backend is sending the correct attribution information that Orion needs to sign.
2. Along with Orion, YT-synch infra also hosts the same signing private key; this way YT-synch infra can do the signing itself.

[bedeho]

The problem is how does Orion trust/validate that the AppActionMetadata info that it got from external sources/actors is actually correct?

In general it does not, this is a problem outside of youtube-synch. For example, someone may be publishing a video which does not match guidelines of an app, through Orion, and Orion may not be able to do automated validation of this. This has the consequence that third parties looking at metadata published via an app may not, depending on context, be able to fully trust that the content and its metadata matches the intended semantics of the app.

In the specific context of youtube-synch, my understanding is that this causes the following problem: A malicious user can publish videos, with youtube attribution link in the appaction metadata,speaking directly to Orion API, and while Orion can read the youtube-attribution link, it cannot actually verify that it is correct, i.e. that it matches the content. The end result is that content enters the network, looking like Gleev has said "yes, I synced this from youtube video X", while this is not true. This then undermines the extent to which the council can trust the metadata apps use, even if they know the app operators themselves are in fact honest".

Please confirm if this is the full extent of the problem on your end also, w.r.t. youtube-synch.

If we are in agreement, I indeed agree that this is bad, not a disaster though, and while I think it should be fixed, I think we are fine to not fix it in v1.

2. Along with Orion, YT-synch infra also hosts the same signing private key, this way YT-synch infra can do the signing itself.

This would not only require having an additional copy of the key, but also replicating all the synching logic there also, and there will be a challenge of keeping both keys in synch when there are key changes. This seems to be inferior to the alternative.

1. Orion should authenticate YT-synch backend, so that it could trust that YT backend is sending the correct attribution information that Orion needs to sign.

1. This would also require some sort of filtering which then would block attempts to make app actions with youtube attribution link, if you are not yt-synch backend, otherwise this has no real effect.
2. Let us first of all recall that we have to try to keep Orion, as much as possible, deoupled from yt-synch infrastructure, so ideally it should not know it exist or depend on it. I think this probably is achievable with this type of remedy.
3. We could go even further, and say that validation logic on publishing in Orion should be configurable, as a plugin or something similar with hooks, and there should be minimal yt-synch specific business logic that should make its way into Orion, and likewise allow others to filter in other ways. For example, perhaps someone wants to run a machine learning pipeline to detect harmful content before signing off. I'm not sure whether this should be done now, but seems like a useful goal at some point.
4. There are alreayd plans to do authentication in Orion, and it would be nice if whatever way we eventually do authentication for the purpose of validating publishing attempts to piggy back off this, I am speaking of this work: User Accounts #60. Witht his approach, yt-synch infra would just be another user, and the publishing vlidation logic would only allow youtube attribution from this user ID.
5. However, I think this work is some way off, so a temporary fix (which breaks the principles above) is something like just having a hardcoded publihing check that requires that for youtube attribution link to be set, the member doing the action has to be the collaborator set in youtube-synch?
6. Alternatively, if this just ends up complicating things, we just wait for user accoutns, don't worry about this in the mean time.

My preference would be 6, as its easy to make an emergency fix if something really goes wrong.

[zeeshanakram3]

Please confirm if this is the full extent of the problem on your end also, w.r.t. youtube-synch.

Correct, this is the actual problem

This would not only require having an additional copy of the key, but also replicating all the synching logic there also, and there will be a challenge of keeping both keys in synch when there are key changes. This seems to be inferior to the alternative.

I agree this solution is inferior, and there are some apparent problems i.e. multiple copies & keeping both keys in synch when there are key changes. However, I think for any given App (say Gleev) both Orion & YT-synch infra will be managed by the same entity/company. So there is no harm in sharing the keys, moreover, these key also won't hold any funds. So my POV is that we should go with this temporary solution till we have better alternatives available in Orion (as you described above).

but also replicating all the synching logic there also,

I don't understand what syncing logic you are referring to that will be replicated? Youtube syncing logic in YT-synch backend? We will need to replicate YT-synch logic in Orion too? I don't think so, since based on my understanding of the apps feature, singing authority (Orion's) public endpoint for AppAction signing should only accept the raw_action metadata (e.g. VideoMetadata) & assets (if any), then it should internally populate the fields of AppActionMetadata and prepare the app commitment for signing. So even if some malicious actor tries to put some proprietary information in raw_action, the QN will not associate that information with given entity since information was not part of AppActionMetadata. Is my understanding correct?

My preference would be 6, as its easy to make an emergency fix if something really goes wrong.

Finally, just to confirm for YPP v1 scope, we are fine with Orion signing unverified AppActionMetadata

If yes, then I think we should just keep YouTube attribution link as part of raw_metadata(VideoMetadata) instead of AppActionMetatdata, since it doesn't make sense to put unverified values in AppActionMetatdata?

[bedeho]

but also replicating all the synching logic there also,

Forgive me, I meant to say signing logic. So now yt-synch also has to learn how to sign appaction messages, which currently only Orion understands.

So my POV is that we should go with this temporary solution

So to finalize, this means

• yt-synch also holds copy of app key
• yt-synch constructs its own app action messages, and signs itself, and now includes yt attribution in metadata.
• orion no longer accepts signing app-action messages with non-null app action metadata.

is this what you mean?

If so, I'm 💯 fine with that, you make a good case.

[zeeshanakram3]

If so, I'm 💯 fine with that, you make a good case.

Yes, I mean this. Ok, let's go with this. Thanks for your input.

[bedeho]

orion no longer accepts signing app-action messages with non-null app action metadata.

ok @Lezek123 , will you add this in Orionv2 at leasst?

[Lezek123]

Addressed for:

• Orion v1: Update app action commitment, disallow signing arbitrary appActionMetadata #81
• Orion v2: 39f2de8