Migrating Auth to SDK 0.6.0
This is a guide about migrating authorization code in contracts written before SDK 0.6.0 to the new version of auth (Soroban authorization framework).
For general information on authorization in Soroban see the authorization overview and the example.
Migrating env.invoker()
The simplest authorization approach previously was to use env.invoker(). This
concept is no longer present in Soroban SDK or host (it is available at the
transaction building time though, details).
In order to migrate a contract that uses env.invoker() do the following:
- Add an
Addressargument to the function signature, for example,addr: Address. This is the authorized entity that we will use instead of invoker. - Call
addr.require_auth()at the top of the function code to ensure that the address has authorized the function call. - Replace all the instances of
env.invoker()withaddr.
A small example of migration:
Before:
struct MyContract;
impl MyContract {
fn set_val(env: Env, val: i128) {
env.storage().set(&env.invoker(), &val);
}
}
After:
struct MyContract;
impl MyContract {
fn set_val(env: Env, addr: Address, val: i128) {
addr.require_auth();
env.storage().set(&addr, &val);
}
}
A more detailed example can be found in the Soroban timelock example migration PR.
Migrating soroban-auth
For more advanced auth use cases the soroban-auth library could be used.
In order to migrate from this library to Soroban authorization framework do the
following steps:
- Change the type of all the
Identifiervariables toAddress. - Change the type of all the
Signaturetypes toAddress. - Replace signature verification code with a call of
require_auth/require_auth_for_argsfor the respectiveAddressthat has been represented by aSignaturebefore. - Remove nonces and nonce-related code as the replay protection is already ensured by the Soroban host.
An example of soroban-auth migration can be found in the Soroban token
example migration PR.