I've been told that signing a message on a Dapp is the only way to prove that you actually own the account you are connecting with (i.e., simply connecting your wallet isn't enough because someone could just send a backend call that uses someone else's wallet).
However, I'm having a tough time understanding how that would work. If I look at libraries like web3modal, web3react, and web3-onboard, they all just use a function like connect() to open up someone's injected wallet in their browser. Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
You can pass whatever data from the client to the backend or blockchain. If you do not sign the data there is not any kind of verification you own the data.
For the purpose of authenticating addresses and logins, see Sign in with Ethereum.
Related
I have a pure Typescript dApp that has no server behind it. The user connects their MetaMask wallet and mints an NFT from the site. I want to provide an affiliate program so partners can give out their affiliate link and anyone who purchases an NFT they will get a percentage fee.
If the affiliate identifier is in the query string parameters, I will write it to the user's cookie. Then I can call an endpoint with the user's public wallet address and transaction identifier when they complete the mint. Or if they leave and come back, the affiliate id is in the cookie to pick up from there.
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
Could there be a way to use the user's connected wallet to sign a message and authenticate with the endpoint that way? It would almost be like OAuth but for crypto. I want to keep this simple though.
Any suggestions or ideas on how to achieve this?
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
Usually you don't. You can pass the information in the mint transaction.
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
You can make users to sign in to your service using Ethereum Sign In. This needs a backend, though. You are not going to get more information than in the mint transaction (the user address).
Can NFT's be used as a mean of authentication? The scenario is a user buys an NFT (ERC721) now he visits the site that uses this Token for authentication, so am guessing the web3.js on the site checks the users wallet if he has the token in wallet then can access the site....but what about server side calls...the server can check the ledger to see who owns the token, but how can it know if the person making the call is the owner..address can be spoofed so sending it with call is out of question. Also the case if users sells his token now a new user owns it
Am thinking something like digital signature but how to get the owners public key and is requiring users to sign messages a hassle...am noob to solidity what do I know but SO requires me to try to answer my question before asking for an answer also some code a requirement for every posts
pragma solidity ^0.4.22;contract helloWorld {
function renderHelloWorld () public pure returns (string) {
return 'helloWorld';
}
}
Checking that the viewer has an address that owns the token is not enough. You would need to confirm that the viewer controls the address by asking them to sign a message.
One system like this is called MetaKey.
If you want to coordinate sessions with a backend, you need to do additional work because the NFT could be transferred. You would need to revoke the session key when the NFT is transferred, which requires that you monitor the blockchain for transfer events.
I don't recommend building sign in infrastructure around an NFTs though. It will be extremely difficult or impossible to avoid security flaws. Better to authenticate people using a wallet signature. There are many tutorials online for building this flow, for example here.
How to recreate problem:
Go to this build...
https://gateway.pinata.cloud/ipfs/QmYv2TAkFNcDGG5jj9TT4G2qpVubgVP2NgHNoqn2wB71CR/build/#/swap
*DO NOT USE THIS IN MAINNET-ONLY RINKEBY
Click on the "pool" tab on the navbar after connecting your web3 enabled wallet such as metamask (make sure that your network is set to rinkeby, I only deployed contracts to that testnet!), and create a pool by clicking on "add liquidity" or "create".
The interface should let you go through with the transaction so make sure you have some test ETH on hand. The contracts created from that transaction will produce "Sushi LP Tokens"(Again not real ones, that just what I set the name to be so that it would be easily recognized.)I made sure to replace all of the contract addresses precompiled in the frontend interface with my own contracts that are listed below, even the uniswap/sdk mods.
The problem that I am having specifically is that the pool doesn't show up on the list of pairs in the modal as it usually does if you have used uniswap before. The strange thing is that it will show pools that I created on the live uniswap site using the rinkeby network.
I even created an init code hash just as instructed in this tutorial:https://blockchain.news/wiki/how-to-build-an-uniswap-exchange
I apologize in advance if this is not the correct way, place, or time to ask for help, but here I am, I am willing to work with anyone that knows how to set this up correctly.
Github:https://github.com/DarriusAlexander/uniswap-interface
My reputation is not very high so please refer to this reddit post that I created to get the contract address and metadata links.
https://www.reddit.com/r/ethdev/comments/n0hegy/please_helpi_forked_uniswap_for_a_personal/
I'm new to Logic Apps. What I would like to achieve is to sign and send raw transactions to Ethereum network using Logic Apps service. Currently, what I have done is to transfer ERC20 tokens from the token contract itself in Logic Apps.
What I would like to achieve is to transfer tokens from account to account which is the transfer from the method the ERC20 protocol.
How can I do that in Logic Apps? In my opinion, it's required the sender to sign the raw transaction message.
While I am not familiar with ERC20, since you seem to be using web3py, I believe you can offload the signing to an Python Azure Function which you can invoke from within a Logic App.
As for signing a transaction, looks like this is covered in the web3py docs.
Since we can get a user's email address from the Gmail Add-on API, I'm wondering if we need to authenticate users with OAuth before they interact with our external service or whether we can rely on a stored secret to ensure that requests made with the user's email address are actually coming from a user using the Gmail add-on.
Since app scripts run on Google's servers and aren't modifiable by the user, we could just HMAC the request bodies in the requests to our external API with a secret stored in the Code.gs file. This would (maybe?) ensure that it this endpoint was actually being hit by Google and that the person making the request was the owner of the given email address.
For this approach to work though the secret in the code would actually need to stay secret, otherwise anyone could just hit that endpoint with any email address and post data on behalf of other users. So does this approach actually work, or is there another similar solution that might be feasible?
Otherwise we can just implement OAuth, but if there is a simpler approach that's secure then that would be preferable.
Let's say your external API just need an API key(a secret) to authorize users. You can definitely store it using Properties Service .
But the tricky part is that different user might have different API keys. To solve it , we could ask the user to enter the API key in the UI (can't be masked, though).
This is a very simple approach.
However, I would recommend using OAuth , as it is a more cleaner way.