As I said on a previous topic, I’m currenlty developing a dApp that should manage a simple Car Sharing application.
As now, for each trip i will deploy a new app with an encrypted transaction note, and i will recover the trip list with the Algorand Indexer.
For security reasons it suffices to check the application code hash with an expected one?
I would prefer to do something more like this: use a stateless contract to sign my applications and then accept only signed applications from the indexer, but I don’t know if it makes sense compared to checking the application code.
Hi, actually i’m still searching for the best solution, if i couldn’t afford a better one probably i’ll move on with simply checking the approval program and the clear state program code.
Hope that someone with more experience than me will give an answer.
create a single big smart contract where each trip is actually a fresh new account that is rekeyed to the application account and that stores trip details. So now you have two types of accounts with local storage: the trip ones that are rekeyed to the application account (and used instead of global storage), and the current local storage account you’re using. See [NFT marketplace] general smart contract architecture question - #2 by fabrice
create a stateless contract (in contract account mode: Modes of use - Algorand Developer Portal) that would actually be the creator of the application and issue the application creation transaction. The stateless contract would verify the hash in the application transaction. You would then just need to check the creator of the application. Since the application creation transaction increases minimum balance and cost a transaction fee, the stateless smart contract can require to be called with a transaction paying for the above.
create a factory stateful smart contract: smart contracts can now issue any inner transaction and hence can create smart contracts from their application account (not to be confused with contract account that exists only for stateless contract). It works very similarly to the option above but you may hit size limits of code.
Thaks a lot, i think that the second solution is what i need!
One last thing: i’ve already a stateless contract that is funded and created after the application creation in order to be used as an escrow, maybe i should use that contract also to make this checks? Or is better to keep these logics separated?