My question is about how to have a mobile app interact with a Multichain blockchain.
I know that I can interact with a node using JSON-RPC calls, and I'm able to do this without any problems from localhost (I also understand how and why those RPC calls are restricted to localhost only)
I also know that I can create multiple addresses within a single node/wallet by calling getnewaddress, and by using dumpprivkey in my test environment I can see that each of those addresses has it's own private key stored within the node the address was created from - This is can essentially be used as the concept of multiple wallets within a single node.
One approach I can see, which I'm not convinced is the correct way to go (but could work) is to create an address for each user within one of the nodes, this would mean that node that was setup specifically to control input from the mobile apps would have access to all of the addresses (which in this case i'm treating as individual wallets)
I could put a custom service in-between (running on localhost where the node itself is) that will take requests from the app, and then call the relevant command, for the relevant address ("wallet" in this case). The custom service would then be responsible for controlling who can issue a command that affects which wallet, through some sort of user credential. This should allow me to have multiple distinct users interacting with a node via the additional service layer.
Some issues I see with this are that:
1. The service and node itself are both points of failure that if compromised, ALL users of the mobile app are compromised, as it contains the private keys for every single address.
2. The user doesn't have direct control of their private key because the node itself has this and the user is just authenticating with a username/password or some other mechanism with the service.
Using this in a purely private blockchain between multiple companies this approach could still allow each company to control it's users private keys - Each company would host it's own node and run it's own service in the middle (running locally on the node server), and the user would point the mobile app to the server defined by their company
I can't see off the top of my head a simpler way of achieving this, and if I wanted to ensure each user had control of their private key I would need to have each user run a server with their node and the service layer the app would talk to (The reason I think the service layer would still be needed here is that otherwise RPC would have to be allowed from outside of localhost, by having the service layer the app talks to on the same machine, the actual service layer talks to MultiChain via RPC from localhost, thus not needing to allow calls from anywhere else)
Hopefully I haven't totally missed something here, but if anybody could chime in and offer thoughts on this approach or potential pitfalls that would be appreciated.
I am not looking at exactly how the service layer will authenticate the users, but a username/password controlled by the custom service layer is just an easy example - I'm more interested in thoughts on the general approach of enabling mobile apps to interact.