feat: verify legitimate claim↔︎redeem by assigning a random phrase during email validation #432
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🤖 I have created a release *beep* *boop* --- ## 1.0.0 (2022-12-01) ### Bug Fixes * add exports to packages/capabilities/readme.md, add workflow to check for conventional-commits names in PRs ([#233](#233)) ([c567d25](c567d25)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Motivation: * part of #237 * we need this version of ucanto libs because they include updated types to handle non-key-dids and dids with more than one key Parts * [x] build/test works in packages/access-client * [x] build/test works in packages/upload-client * [x] [blocked by needed ucanto release](storacha/ucanto#163) * [x] build/test works in packages/access-api * [x] [blocked by needed ucanto release](storacha/ucanto#163) Co-authored-by: Irakli Gozalishvili <[email protected]>
…0" (#245) Reverts #238 (requested by @hugomrdias )
- update tests and types to handle upload/list items with a shards array property. - update upload/add fn to return an UploadAddResponse as shards out may be more than shards in. - update README see also: storacha/w3infra#56 Signed-off-by: Oli Evans <[email protected]>
This will be the keyring
access-client cli should support #153 changes - [x] improve d1 errors .ie space already registered - [x] tests to validate that register space saves all the delegations and updates isRegistered - [x] setup cmd - [x] whoami cmd - [x] create space cmd - [x] space info - [x] delegate caps - [x] import space from delegation - [x] recover with client - [x] tests migrations actually handles it properly and keeps track of migration already applied - [x] d1 spaces table now stores metadata and the invocation that registered the space - [x] we need some names on the delegations recovered so the user can know what they are, maybe put it in the facts ? - [x] remove duplication on the on `waitForSpaceRecover` and `waitForVoucherRedeem`
Motivation: * latest commit on main branch was failing release workflow [here](https://github.com/web3-storage/w3protocol/actions/runs/3621669639/jobs/6105393187#step:2:35) * I think it's because the release-please config/manifest still referred to `package/wallet`, which this PR removes * seems like logical followup to #248 Co-authored-by: Hugo Dias <[email protected]>
superseedes #139 <img width="897" alt="Screenshot 2022-12-06 at 16 47 14" src="https://user-images.githubusercontent.com/314190/205972386-05fec7b8-e17b-4a3d-8f18-ede71e4b5ad1.png"> closes #139
Goals: 1. Decouple store from agent 2. Simplify agent creation 3. Agent governs data format not store 4. Initialization of agent data, not store 5. DRY initialization in agent, not repeated in each store impl ~~See: https://gist.github.com/alanshaw/ea4bd2b0ab215ade696eac1300be577d~~ outdated ```js // In regular use: const store = new StoreIndexedDB() const data = await store.load() const agent = data ? Agent.from(data, { store }) : await Agent.create({}, { store }) // Then StoreMemory can be deleted, since the AgentData already stores all data in // memory. It's equivalent to: const agent = await Agent.create() ```
🤖 I have created a release *beep* *boop* --- ## [8.0.0](access-v7.0.2...access-v8.0.0) (2022-12-06) ### ⚠ BREAKING CHANGES * access-client store decoupling ([#228](#228)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) * follow up on the capabilities extract ([#239](#239)) ### Features * **access-client:** cli and recover ([#207](#207)) ([720dafb](720dafb)) * follow up on the capabilities extract ([#239](#239)) ([717fcaa](717fcaa)) * Revert "feat!: upgrade to `@ucanto/{interface,principal}`@^4.0.0" ([#245](#245)) ([197439e](197439e)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) ([309aff0](309aff0)) ### Bug Fixes * connection method is not async ([#222](#222)) ([7c4e0b6](7c4e0b6)) ### Code Refactoring * access-client store decoupling ([#228](#228)) ([64c7496](64c7496)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
🤖 I have created a release *beep* *boop* --- ## [3.0.0](upload-client-v2.1.0...upload-client-v3.0.0) (2022-12-06) ### ⚠ BREAKING CHANGES * upload/list items have a shards array property ([#229](#229)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) * follow up on the capabilities extract ([#239](#239)) ### Features * **access-client:** cli and recover ([#207](#207)) ([720dafb](720dafb)) * follow up on the capabilities extract ([#239](#239)) ([717fcaa](717fcaa)) * Revert "feat!: upgrade to `@ucanto/{interface,principal}`@^4.0.0" ([#245](#245)) ([197439e](197439e)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) ([309aff0](309aff0)) * upload/list items have a shards array property ([#229](#229)) ([723b281](723b281)) ### Bug Fixes * list response results return type ([#206](#206)) ([e49c685](e49c685)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
🤖 I have created a release *beep* *boop* --- ## [8.0.1](access-v8.0.0...access-v8.0.1) (2022-12-07) ### Bug Fixes * conf driver can store top level undefined ([5abc522](5abc522)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
…#246) Motivation: * second attempt at this #238 * after first was reverted #245 Warning: * the versions of ucanto we're upgrading to were backward-incompatible. storacha/ucanto#149 * Old 'SignerArchive' exports will probably no longer import using the new `@ucanto/principal@^4.0.0` `SignerArchive` * in slack, @alanshaw said he thinks this is unlikely to cause problems: "There’s no code in production that uses toArchive" Blockers * [x] Wait for these two to land first (@hugomrdias says so) * [x] @hugomrdias #207 * [x] @alanshaw #228 * [x] then will need to resolve merge conflicts on this branch * [x] @gobengo resolve conflicts after #207 * [x] @gobengo resolve conflicts after #228 Co-authored-by: Irakli Gozalishvili <[email protected]>
🤖 I have created a release *beep* *boop* --- ## [9.0.0](access-v8.0.1...access-v9.0.0) (2022-12-07) ### ⚠ BREAKING CHANGES * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) ### Features * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) ([65d191c](65d191c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
🤖 I have created a release *beep* *boop* --- ## [4.0.0](upload-client-v3.0.0...upload-client-v4.0.0) (2022-12-07) ### ⚠ BREAKING CHANGES * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) ### Features * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) ([65d191c](65d191c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
🤖 I have created a release *beep* *boop* --- ## [5.0.0](upload-client-v4.0.0...upload-client-v5.0.0) (2022-12-07) ### ⚠ BREAKING CHANGES * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) * upload/list items have a shards array property ([#229](#229)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) * follow up on the capabilities extract ([#239](#239)) * rename callback ([#198](#198)) ### Features * [#153](#153) ([#177](#177)) ([7fbf2a1](7fbf2a1)) * a base for a new web3.storage upload-client ([#141](#141)) ([72c08d7](72c08d7)) * **access-client:** cli and recover ([#207](#207)) ([720dafb](720dafb)) * account recover with email ([#149](#149)) ([91ad47d](91ad47d)) * add static uploads API ([#148](#148)) ([8b735fa](8b735fa)) * allow custom shard size ([#185](#185)) ([2130405](2130405)) * explicit resource ([#181](#181)) ([c127431](c127431)) * follow up on the capabilities extract ([#239](#239)) ([717fcaa](717fcaa)) * Revert "feat!: upgrade to `@ucanto/{interface,principal}`@^4.0.0" ([#245](#245)) ([197439e](197439e)) * support pagination ([#204](#204)) ([363e3ac](363e3ac)), closes [#201](#201) * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) ([65d191c](65d191c)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) ([309aff0](309aff0)) * upload/list items have a shards array property ([#229](#229)) ([723b281](723b281)) ### Bug Fixes * export types ([c44a252](c44a252)) * list response results return type ([#206](#206)) ([e49c685](e49c685)) * store export ([#197](#197)) ([d2296c5](d2296c5)) * upload client list needs empty nb ([#194](#194)) ([7894fb9](7894fb9)) * uploadFile requires BlobLike not Blob ([56ec496](56ec496)) ### Code Refactoring * rename callback ([#198](#198)) ([2349763](2349763)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
🤖 I have created a release *beep* *boop* --- ## [2.0.0](capabilities-v1.0.0...capabilities-v2.0.0) (2022-12-07) ### ⚠ BREAKING CHANGES * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) * follow up on the capabilities extract ([#239](#239)) ### Features * **access-client:** cli and recover ([#207](#207)) ([720dafb](720dafb)) * follow up on the capabilities extract ([#239](#239)) ([717fcaa](717fcaa)) * Revert "feat!: upgrade to `@ucanto/{interface,principal}`@^4.0.0" ([#245](#245)) ([197439e](197439e)) * upgrade access-api @ucanto/* and @ipld/dag-ucan major versions ([#246](#246)) ([65d191c](65d191c)) * upgrade to `@ucanto/{interface,principal}`@^4.0.0 ([#238](#238)) ([309aff0](309aff0)) ### Bug Fixes * fix Access API cannot get space/info [#243](#243) ([#255](#255)) ([1a74031](1a74031)) * generated typdefs ([#258](#258)) ([dfd2bd5](dfd2bd5)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: Benjamin Goering <[email protected]>
Cannot put `undefined` in UCANs
🤖 I have created a release *beep* *boop* --- ## [9.0.1](access-v9.0.0...access-v9.0.1) (2022-12-08) ### Bug Fixes * validate agent name ([#271](#271)) ([5a1fdb2](5a1fdb2)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
I noticed earlier today that running `pnpm run docs` fails with a bunch of typescript errors unless you run `pnpm run build` first. This just updates the `docs` npm script to `pnpm run build && typedoc --out docs`, so we'll always have build output to make typedoc happy.
Buffer has a toJSON implementation which is called before our replacer
function when serialising. It's JSON form is an object like `{ type:
'Buffer, data: number[] }`.
This means it doesn't get identfied as $bytes, and does not get
deserialised in the reviver. I think we'd rather have `Uint8Array`
everywhere so this PR fixes it so that it gets revived as that.
License: MIT
Signed-off-by: Oli Evans <[email protected]>
…r id (#275) Motivation: * #237 Notes * This is intended to be safe to merge/deploy as is. The new functionality can be opted-into via env vars * The ucanto server will only be constructed with an opts.id that is a signer `withDID(...)` iff `process.env.DID` is set to a DID * If `process.env.DID` is unset, the ucanto server id signer will have a `did()` corresponding to `config.PRIVATE_KEY` (it will be a `did:key` of the corresponding public key) * Before this PR, many tests of the access-api worker were configured implicitly via dotenv with whatever the `/.env.local` file happened to contain. I added a worker test that asserts functionality that is dependent on the details of the env vars, so I made an affordance for [tests to be able to configure the access-api worker with environment variables defined in the test case itself](https://github.com/web3-storage/w3protocol/pull/275/files#diff-e20ffc550d006747790e7b67da280446c1cd1d2d4f72ccb5df04f62cbb6423daR149).
- add methods toBytes and fromBytes useful to store as bytes instead of strings - `encodeDelegations` is now `delegationsToString`` - `decodeDelegations` is now `stringToDelegations`` - all functions are sync now Writing delegations to a car uses `@ipld/car/buffer-writer` now to make it sync, reading from a CAR it's more complicated 🤫. `ipld/car` does not support sync reading so this PR includes a refactor of `CarReader` to be sync, this is a temporary solution until i can get a proper PR to `ipld/car` to add support for sync reading. It's not trivial to do so because of the way ipld/car code is structured and i dont want to just add a sync copy/paste of the decoder functions to it.
The release workflow wasnt running the docs job because of an `if` clause leftover from the manual workflow.
Remove sync car reader code in favour of CarBufferReader that landed upstream in [@ipld/car](ipld/js-car#121 (comment)) Fixes #401 ❤️ License: MIT Signed-off-by: Oli Evans <[email protected]> --------- Signed-off-by: Oli Evans <[email protected]> Co-authored-by: Benjamin Goering <[email protected]> Co-authored-by: Alan Shaw <[email protected]>
🤖 I have created a release *beep* *boop* --- ## [4.0.1](capabilities-v4.0.0...capabilities-v4.0.1) (2023-03-27) ### Features * allow multiple providers ([#595](#595)) ([aba57b3](aba57b3)) ### Miscellaneous Chores * **access-client:** release 11.0.0-rc.0 ([#573](#573)) ([29daa02](29daa02)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
now that we've released a new version in #589
…aim (#656) Motivation: * #633 Note: * this was an unintentional addition to our package exports and not an intentional addition to our public API, so this PR conventional commit message is not marked as a breaking api change * I notified the only person I expect to have relied on it #602 (comment)
This PR adds a callback that is called when a directory entry has been
encoded as a DAG. The callback recieves a parameter with the following
data:
```ts
interface DirectoryEntryLink {
/** Content Identifier */
cid: Link
/** Name (full path) */
name: string
/** Cumulative number of bytes in the target DAG, that is number of bytes in the block and all the blocks it links to. */
dagByteLength: number
}
```
You'd use it like:
```js
client.uploadDirectory(conf, files, { onDirectoryEntryLink: l => console.log(l) })
```
This allows users to easily discover the CID and (DAG) size of all the
files and directories within a directory as well as the root directory.
Specifically, thirdweb are uploading files separately and want to later
tie them all together in a directory. For that they need to know the DAG
size of each of the entries.
---------
Co-authored-by: Vasco Santos <[email protected]>
🤖 I have created a release *beep* *boop* --- ## [8.1.0](upload-client-v8.0.0...upload-client-v8.1.0) (2023-03-28) ### Features * docs for DirectoryEntryLinkCallback ([73c0775](73c0775)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
Motivation: * #648 * e.g. so we can iterate on w3up-client and its dependencies like `@web3-storage/access/agent` at the same time within the workspace (and modifying tests/types) without having to release anything. We can only do releases once we are sure that everything in the monorepo (now incl w3up-client) works together to accomplish a useful goal * round 2, this time not using `git subtree add` #649 (comment) How * [x] this git technique: https://stackoverflow.com/a/20974621 (via [this tip](https://github.com/web3-storage/w3protocol /pull/649#pullrequestreview-1358869478)) * [x] add `@web3-storage/w3up-client` to release-please-config * [x] add latest npm release for w3up-client to this monorepo's [release-please-config following release-please 'initial version' docs](https://github.com/googleapis/release-please/blob/main/docs/manifest-releaser.md#initial-version) * [x] w3protocol monorepo github workflows call appropriate w3up-client workflows * [x] on push/pr, do w3up-client build and test f9b8e65#diff-eefdf870850494ad962a679c802b7733805b6996d8f1c6a992ae8760a366f82eR16 * [x] on commit to main branch do release-please-action to prepare a release-please pr for w3up-client publishing to npm * @gobengo: I believe this will happen via unified [`/.github/workflow/release.yml`](https://github.com/web3-storage/w3protocol/blob/main/.github/workflows/release.yml#L15) workflow, since I added w3up-client to release-please-config and manifest * [x] when w3up-client release-please pr is merged, release `@web3-storage/w3up-client` to https://www.npmjs.com/package/@web3-storage/w3up-client * should happen [via release.yml](2f8ae22#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R39) * [x] [add w3up-client to monorepo root docs build](2f8ae22#diff-b55cdbef4907b7045f32cc5360d48d262cca5f94062e353089f189f4460039e0R42) * [x] ensure w3up-client has intra-monorepo dependencies set up [using `workspace:` protocol](https://pnpm.io/workspaces#workspace-protocol-workspace) and similar use of tsconfig.json [project references](8b87fcc#diff-78dc2f52fc9c2ed3593f53799153a338a7f20eb6f16309a1175fbfcbae270118R49) * [x] w3up-client tsconfig extends monorepo root Unblocks: * add "./test" to tsconfig.json in w3up-client to type check the tests like the rest of packages in this monorepo * based on https://github.com/web3-storage/w3up-client/issues/96 --------- Co-authored-by: ice.breaker <[email protected]> Co-authored-by: Yusef Napora <[email protected]> Co-authored-by: ice.breaker <[email protected]> Co-authored-by: Jesse Harlin <[email protected]> Co-authored-by: Daniel <[email protected]> Co-authored-by: Vasco Santos <[email protected]> Co-authored-by: Hugo Dias <[email protected]> Co-authored-by: Irakli Gozalishvili <[email protected]> Co-authored-by: David Choi <[email protected]> Co-authored-by: Alan Shaw <[email protected]> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Yusef Napora <[email protected]> Co-authored-by: Travis Vachon <[email protected]> Co-authored-by: omahs <[email protected]>
…s 5.2.0 (#662) Motivation: * instruct release-please what the w3up-client version number should be so it doesn't try 11.0.x
🤖 I have created a release *beep* *boop* --- ## [5.2.0](w3up-client-v5.1.0...w3up-client-v5.2.0) (2023-03-28) ### Features * add w3up-client at /packages/w3up-client ([#653](#653)) ([7129181](7129181)) ### Miscellaneous Chores * **access-client:** release 11.0.0-rc.0 ([#573](#573)) ([29daa02](29daa02)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
🤖 I have created a release *beep* *boop* --- ## [11.0.1](access-v11.0.0...access-v11.0.1) (2023-03-28) ### Bug Fixes * @web3-storage/access/agent no longer exports authorizeWithPollClaim ([#656](#656)) ([5d78a5a](5d78a5a)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
make it consistent with other packages in this monorepo so that the top level prettier format command doesn't make unexpected changes when trying to format other packages
This is web3-storage/w3up-client#74 ported here. --- This PR allows passing your own principal to the client `create` factory function instead of loading one from a pre-existing store. The caveat is that if you pass your own and the store is not empty then it needs to match the principal that was loaded from the store (otherwise any saved delegations will be unusable). This makes https://gist.github.com/alanshaw/e949abfcf6728f590ac9fa083dba5648#on-the-server a little easier, you won't need to install `@web3-storage/access` or deal with the `AgentData` class. Currently: ```js import * as Signer from '@ucanto/principal/ed25519' import { AgentData } from '@web3-storage/access/agent' import { Client } from '@web3-storage/w3up-client' const principal = Signer.parse(process.env.KEY) const data = await AgentData.create({ principal }) const client = new Client(data) ``` After this PR: ```js import * as Signer from '@ucanto/principal/ed25519' import * as Client from '@web3-storage/w3up-client' const principal = Signer.parse(process.env.KEY) const client = await Client.create({ principal }) ```
🤖 I have created a release *beep* *boop* --- ## [5.4.0](w3up-client-v5.3.0...w3up-client-v5.4.0) (2023-03-29) ### Features * bring your own principal ([#672](#672)) ([afade7c](afade7c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
…ve some type checking (#669)
Previously `this.proofs(caps)` was returning `[]` when you request capabilities the agent is not authorized to use, the call to `delegate` would succeed and you get a useless delegation because there are no proofs.
Build on @Bengo's `access/claim`-polling-based `waitForDelegationOnSocket` replacement. This will let us replace the websocket-based authorization wait function which makes the UX much more responsive - rather than waiting an indeterminate amount of time after clicking the email link, the process completes almost immediately with this change. The wait function is also pluggable so we that clients can implement different polling strategies, which should make it easier to test and use a receipt-based version of this in the future. Added tests for this that use `sinon` to mock out service handlers and ensure they are called the right number of times.
gobengo
force-pushed
the
feat/random-phrase-auth
branch
from
a44ea97 to
43f9fff
Compare
Draft
8 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Originally PR #399, moving here to merge main and make it easier to move forward.
Original message:
This branch fulfills the key piece of issue #347, adding a "validation phrase" that serves as a human-friendly nonce — enabling definitive verification of the validity of an email request.
(The other request metadata mentioned can help savvy users investigate any abuse further, but the phrase links one specific request to one specific email, completely out of the control of an attacker.)
Problem summary
The idea here is to avoid malicious account validation: currently, Eve can generate a new space keypair and request delegation against Alice's email address. Alice may not be able to tell if the request is legitimate (or may follow the activation link simply out of curiousity/confusion) and grant Eve access!
Solution provided
carat tender electronic tee guessed.[At the moment can preview phrases via http://localhost:8787/phrase-test?bits=50 but that should likely get dropped before this PR is merged….]The
Agent.registerSpaceandAgent.recovermethods in this repo's@web3-storage/access/agentpackage now take an (optional but strongly encouraged!) callback viaopts.handlePhrasewhich will be called when the API provides amatch_phrasein its response to each method's respective invocation. Thew3uicomponents and any protocol documentation for third-party clients will need updating to support this on the requestor side!So this is a somewhat breaking change, but:
Note also that the phrase generation is done at an MVP or proof-of-concept level. I've generated a small word back and left the
DEFAULT_ENTROPYforgenerateNoncePhrasecorrespondingly low as well. Next steps here would be:TODO
Here:
{{ match_phrase }}in HTML+plain emailsaccess-clienthere to parse out responseOver in UI:
w3uilow-level keyring stuff to handle phrasew3uihigh-level examples/components to display phraseThis is tracked in storacha/w3ui#307, and isn't a total blocker since you can either wait to update the templates in Postmark and/or just have the user click through even without being able to see the phrase.