Using connected wallet to authenticate endpoint for dApp? - ethereum

I have a pure TypeScript dApp that has no server behind it. The user connects their MetaMask wallet and mints an NFT from the site. I want to provide an affiliate program so partners can give out their affiliate link, and for anyone who purchases an NFT through it they will get a percentage fee.
If the affiliate identifier is in the query string parameters, I will write it to the user's cookie. Then I can call an endpoint with the user's public wallet address and transaction identifier when they complete the mint. Or if they leave and come back, the affiliate id is in the cookie to pick up from there.
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
Could there be a way to use the user's connected wallet to sign a message and authenticate with the endpoint that way? It would almost be like OAuth but for crypto. I want to keep this simple though.
Any suggestions or ideas on how to achieve this?

My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
Usually you don't. You can pass the information in the mint transaction.
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
You can make users sign in to your service using Ethereum Sign In. This needs a backend, though. You are not going to get more information than in the mint transaction (the user address).

Related

Cybersource Hosted Order Page Integration

I want to integrate Cybersource as a HOP, i.e. the user will be redirected to the service provider to complete the payment. I am not able to find proper APIs for generating the hosted order page for redirecting the user. I have gone through the documentation of Cybersource:
https://developer.cybersource.com/library/documentation/dev_guides/Secure_Acceptance_Checkout_API/Secure_Acceptance_Checkout_API.pdf
But it doesn't seem to be helpful. Can anyone help me with this?
A better way to do this is through a JavaScript redirect. You don't have to use the gateway to host anything.
This method is completely PCI compliant in that it will keep you out of scope.
You generate the payment page from your web site and use JavaScript to redirect PAN data to the payment server.
I don't know if Cyber Source supports this. This is the same pattern that is used by wallet payments. Your direct debit payments can use the same method even though PCI requirements do not apply there (yet).
If you want a sample JavaScript to do this, let me know.

Is it possible to connect someone else's MetaMask account?

I've been told that signing a message on a Dapp is the only way to prove that you actually own the account you are connecting with (i.e., simply connecting your wallet isn't enough because someone could just send a backend call that uses someone else's wallet).
However, I'm having a tough time understanding how that would work. If I look at libraries like web3modal, web3react, and web3-onboard, they all just use a function like connect() to open up someone's injected wallet in their browser. Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
You can pass whatever data from the client to the backend or blockchain. If you do not sign the data, there is no verification that you own the data.
For the purpose of authenticating addresses and logins, see Sign in with Ethereum.

Can NFT be used for authentication on web apps

Can NFTs be used as a means of authentication? The scenario is: a user buys an NFT (ERC721); now he visits the site that uses this token for authentication, so I am guessing the web3.js on the site checks the user's wallet, and if he has the token in the wallet then he can access the site... but what about server-side calls? The server can check the ledger to see who owns the token, but how can it know if the person making the call is the owner? The address can be spoofed, so sending it with the call is out of the question. Also the case where the user sells his token and now a new user owns it.
I am thinking of something like a digital signature, but how to get the owner's public key, and is requiring users to sign messages a hassle? I am a noob to Solidity, what do I know, but SO requires me to try to answer my question before asking for an answer, and also some code is a requirement for every post:
pragma solidity ^0.4.22;

contract helloWorld {
    function renderHelloWorld() public pure returns (string) {
        return 'helloWorld';
    }
}
Checking that the viewer has an address that owns the token is not enough. You would need to confirm that the viewer controls the address by asking them to sign a message.
One system like this is called MetaKey.
If you want to coordinate sessions with a backend, you need to do additional work because the NFT could be transferred. You would need to revoke the session key when the NFT is transferred, which requires that you monitor the blockchain for transfer events.
I don't recommend building sign-in infrastructure around NFTs though. It will be extremely difficult or impossible to avoid security flaws. Better to authenticate people using a wallet signature. There are many tutorials online for building this flow, for example here.

Clarification on API RESTful request

I'm trying to create an applet in IFTTT; however, I need to obtain an auth token to allow the lights to call the service each time.
I'm trying to obtain an auth token via the below:
Account information
GET Request auth token
https://environexus-us-oem-autha1.mios.com/autha/auth/username/{{user}}?SHA1Password={{sha1-password}}&PK_Oem=6&TokenVersion=2
The Nero API is RESTful and stateless and therefore requires authentication tokens to accompany every request. Once these tokens are requested they can be stored in a database for quick reuse.
This is the initial request to the API servers that collects the tokens and various IDs required for all subsequent calls. Tokens are valid 24 hours but should always be checked against the response in case this changes.
Request
{{user}} is the portal login
{{sha1-password}} is the hash of:
sha1(lowercase({username}).{password}.oZ7QE6LcLJp6fiWzdqZc)
(concatenated together - no additional characters should be inserted,
salt at end is static for all accounts)
PK_Oem and TokenVersion are static and provided above.
However, I'm not sure what to put in for the "sha1-password" section.
Any help would be appreciated.
You need to calculate the SHA1 hash for the information above, which is the username, password and 'static salt' concatenated together with each value separated by a period.
I don't know what language you are using, but most languages have libraries that will do this for you (e.g. the Apache Commons library for Java).
This API is not particularly well designed in this respect, as client side hashing does not bring any benefits (when transmitting over HTTPS) and the 'static salt' as they call it is utterly pointless, as it's public.

How can ethereum token use as payment gateway on ecommerce website

Everyone can create an Ethereum token with Solidity code, but I don't know how this token can be integrated as a payment gateway in an ecommerce website.
For a real project, this token needs a frontend web wallet / Android wallet and integration into every website as payment.
Please suggest to me how I can find a way to do this.
What more do I need to study?
A token is not a payment gateway. If I understand your question correctly, you are asking how you can interact with a token that you have created through Solidity from the frontend. One use case would be how people can use the token that you have created to purchase some item. For this the users should already be holding the tokens. These can be bought from an ICO or from an exchange. Basically there are a couple of functions in an ERC20 token, i.e., approve() and transfer(), that will approve apps like exchanges to perform transactions on behalf of the owner of the token. Once the users have those tokens they can purchase items with them. Again, you have to write the logic for how and what you expect users to do.
An ERC20 token works like currency, and Solidity is a programming language which we use to write the smart contract. If you want to invoke your function then you need to create a wallet account; after that you can do transactions using web3js. You can get ether for testing purposes from a faucet. Basically there are functions in an ERC20 token, i.e., approve() and transfer(), that will perform transactions.
I don't suggest using ERC20 tokens as payment method.
The Ethereum network is not fast enough; you need 30 confirmations to make sure you received the token, and sometimes the delay can be 1 day.
Cost is high: when you transfer a token, usually you have a smart contract, and it costs lots of gas.
The Ether price is not stable; it dropped 90% of its value from Jan 2018 to Dec 2018. It will be hard for an estore to maintain profit.
However if you still want to do that, yes, you can create your own gateway using tokens as your accepted currency.