You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: content/stellar-contracts/accounts/authorization-flow.mdx
+38-68Lines changed: 38 additions & 68 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,7 +2,7 @@
2
2
title: Authorization Flow
3
3
---
4
4
5
-
Authorization in smart accounts is determined by matching the current context against the account's context rules. Rules are gathered, ordered by recency, and evaluated until one satisfies the requirements. If a matching rule is found, its policies (if any) are enforced. Otherwise, authorization fails.
5
+
Authorization in smart accounts is determined by matching each auth context against explicitly selected context rules. The off-chain client specifies which rule to use for each operation via `context_rule_ids` in the `AuthPayload`. The selected rule is validated, its signers authenticated, and its policies enforced. If any step fails, authorization is denied.
6
6
7
7
## Detailed Flow
8
8
```mermaid
@@ -14,11 +14,13 @@ sequenceDiagram
14
14
participant Verifier
15
15
participant Policy
16
16
17
-
User->>SmartAccount: Signatures
18
-
SmartAccount->>ContextRule: Match context<br/>(CallContract, Default, ...)
19
-
ContextRule->>ContextRule: Filter expired rules<br/>Sort newest first
Note over ContextRule,Policy: Policy enforcement (panics on failure)
33
+
ContextRule->>Policy: enforce()
34
+
Policy->>Policy: Validate + update state
35
+
36
+
ContextRule-->>SmartAccount: ✓ Authorized
41
37
end
42
38
43
39
SmartAccount-->>User: Success
44
40
```
45
41
46
-
### 1. Rule Collection
42
+
### 1. Rule Lookup
47
43
48
-
The smart account gathers all relevant context rules for evaluation:
44
+
The smart account reads the `context_rule_ids` from the `AuthPayload`. There must be exactly one rule ID per auth context — a mismatch is rejected with `ContextRuleIdsLengthMismatch`.
49
45
50
-
- Retrieve all non-expired rules for the specific context type
51
-
- Include default rules that apply to any context
52
-
- Sort specific and default rules by creation time (newest first)
46
+
For each auth context, the corresponding rule ID is used to look up the context rule directly. The rule must:
53
47
54
-
**Context Type Matching:**
55
-
- For a `CallContract(address)` context, both specific `CallContract(address)` rules and `Default` rules are collected
56
-
- For a `CreateContract(wasm_hash)` context, both specific `CreateContract(wasm_hash)` rules and `Default` rules are collected
57
-
- For any other context, only `Default` rules are collected
58
-
59
-
**Expiration Filtering:**
60
-
Rules with `valid_until` set to a ledger sequence that has passed are automatically filtered out during collection.
48
+
- Exist in the account's storage
49
+
- Not be expired (if `valid_until` is set, it must be ≥ current ledger sequence)
50
+
- Match the context type: a `CallContract(address)` rule matches a `CallContract(address)` context, and `Default` rules match any context
61
51
62
52
### 2. Rule Evaluation
63
53
@@ -72,51 +62,33 @@ Extract authenticated signers from the rule's signer list. A signer is considere
72
62
73
63
Only authenticated signers proceed to the next step.
74
64
75
-
#### Step 2.2: Policy Validation
65
+
#### Step 2.2: Policy Enforcement
76
66
77
-
If the rule has attached policies, verify that all can be enforced:
67
+
If the rule has attached policies, the smart account calls `enforce()` on each policy. The `enforce()` method both validates conditions and applies state changes — it panics if the policy conditions are not satisfied:
This triggers any necessary state changes such as updating spending counters, recording timestamps, emitting audit events, or modifying allowances.
116
-
117
-
Policy enforcement requires the smart account's authorization, ensuring that policies can only be enforced by the account itself.
118
-
119
-
### 4. Result
91
+
### 3. Result
120
92
121
93
**Success:** Authorization is granted and the transaction proceeds. All policy state changes are committed.
122
94
@@ -151,13 +123,13 @@ ContextRule {
151
123
**Authorization Entries:**`[passkey_signature]`
152
124
153
125
**Flow:**
154
-
1.Collect: Rules 2 (specific) and 1 (default)
126
+
1.Lookup: Client specifies rule ID 2 in `context_rule_ids`
155
127
2. Evaluate Rule 2:
128
+
- Rule matches `CallContract(dex_address)` context and is not expired
156
129
- Signer filtering: Passkey authenticated
157
-
- Policy validation: Spending limit check passes
158
-
- Authorization check: All policies enforceable → Success
159
-
3. Enforce: Update spending counters, emit events
160
-
4. Result: Authorized
130
+
- Policy enforcement: Spending limit validates and updates counters
131
+
- Authorization check: All policies enforced successfully → Success
132
+
3. Result: Authorized
161
133
162
134
If the spending limit had been exceeded, Rule 2 would fail and evaluation would continue to Rule 1 (which would also fail since the passkey doesn't match Alice or Bob).
Copy file name to clipboardExpand all lines: content/stellar-contracts/accounts/context-rules.mdx
+13-14Lines changed: 13 additions & 14 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -44,28 +44,27 @@ Each rule must contain at least one signer OR one policy. This enables pure poli
44
44
### Multiple Rules Per Context
45
45
Multiple rules can exist for the same context type with different signer sets and policies. This allows progressive authorization models where different combinations of credentials grant access to the same operations.
46
46
47
-
### Rule Precedence
48
-
Rules are evaluated in reverse chronological order (newest first). The first matching rule wins. This enables seamless permission updates: adding a new rule with different requirements immediately takes precedence over older rules for the same context.
47
+
### Explicit Rule Selection
48
+
Rules are not iterated or auto-discovered. Instead, off-chain clients specify exactly which context rule to use for each operation via the `context_rule_ids` field in `AuthPayload`. This explicit selection prevents downgrade attacks where an attacker could force the system to fall back to a weaker rule.
49
49
50
50
### Automatic Expiration
51
-
Expired rules are automatically filtered out during authorization evaluation.
51
+
Expired rules are rejected during authorization evaluation.
52
52
53
53
## Context Rule Limits
54
54
55
-
The framework enforces limits to keep costs predictable and encourage proactive context rule management (remove expired or non-valid rules):
56
-
57
-
- Maximum context rules per smart account: 15
58
55
- Maximum signers per context rule: 15
59
56
- Maximum policies per context rule: 5
57
+
- Maximum context rule name size: 20 bytes
58
+
- Maximum external signer key size: 256 bytes
60
59
61
60
## Authorization Matching
62
61
63
62
During authorization, the framework:
64
63
65
-
1.Gathers all non-expired rules matching the context type plus default rules
66
-
2.Sorts rules by creation time (newest first)
67
-
3.Evaluates rules in order until one matches
68
-
4.Returns the first matching rule or fails if none match
64
+
1.Reads the `context_rule_ids` from the `AuthPayload` (one rule ID per auth context)
65
+
2.Looks up each rule directly by ID
66
+
3.Validates the rule is not expired and matches the context type
67
+
4.Authenticates signers and enforces policies, or fails if conditions aren't met
69
68
70
69
For detailed documentation on the authorization flow, see [Authorization Flow](/stellar-contracts/accounts/authorization-flow).
0 commit comments