Can NFT be used for authentication on web apps - ethereum

Can NFTs be used as a means of authentication? The scenario is a user buys an NFT (ERC721), now he visits the site that uses this token for authentication, so am guessing the web3.js on the site checks the user's wallet, and if he has the token in the wallet then he can access the site... but what about server-side calls... the server can check the ledger to see who owns the token, but how can it know if the person making the call is the owner? The address can be spoofed, so sending it with the call is out of the question. Also the case if the user sells his token, now a new user owns it.
Am thinking something like a digital signature, but how to get the owner's public key, and is requiring users to sign messages a hassle... am noob to Solidity, what do I know, but SO requires me to try to answer my question before asking for an answer, also some code is a requirement for every post.
pragma solidity ^0.4.22;

contract helloWorld {
    function renderHelloWorld () public pure returns (string) {
        return 'helloWorld';
    }
}

Checking that the viewer has an address that owns the token is not enough. You would need to confirm that the viewer controls the address by asking them to sign a message.
One system like this is called MetaKey.
If you want to coordinate sessions with a backend, you need to do additional work because the NFT could be transferred. You would need to revoke the session key when the NFT is transferred, which requires that you monitor the blockchain for transfer events.
I don't recommend building sign-in infrastructure around NFTs though. It will be extremely difficult or impossible to avoid security flaws. Better to authenticate people using a wallet signature. There are many tutorials online for building this flow, for example here.
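
The flow this answer describes (sign a server-issued message, then revoke sessions when the token moves), as an added example that is not part of the original post. `NftSessionGate`, its method names and the injected `recoverSigner` are hypothetical; `recoverSigner` is assumed to wrap a wallet library's signed-message recovery, and Transfer events are assumed to be delivered by a chain monitor.

```javascript
// Added example, not from the original answer. All names are hypothetical.
// WebCrypto is global in browsers and recent Node; older Node exposes it via require.
const webcrypto = globalThis.crypto ?? require('crypto').webcrypto;
const randomHex = (n) => Array.from(webcrypto.getRandomValues(new Uint8Array(n)),
  (b) => b.toString(16).padStart(2, '0')).join('');

class NftSessionGate {
  // recoverSigner(message, signature) -> address is injected; it is assumed to
  // wrap a wallet library's signed-message recovery and to throw on bad input.
  constructor({ recoverSigner, domain, ttlMs = 300000 }) {
    this.recoverSigner = recoverSigner;
    this.domain = domain;
    this.ttlMs = ttlMs;
    this.owners = new Map();     // tokenId -> current owner, fed by Transfer events
    this.challenges = new Map(); // nonce -> { message, tokenId, expires }
    this.sessions = new Map();   // sessionId -> { tokenId }
  }

  // Step 1: issue a single-use message bound to this site and token.
  issueChallenge(tokenId, now = Date.now()) {
    const nonce = randomHex(16);
    const message = `${this.domain} asks you to prove ownership of token ${tokenId}. Nonce: ${nonce}`;
    this.challenges.set(nonce, { message, tokenId, expires: now + this.ttlMs });
    return { nonce, message };
  }

  // Step 2: the address comes from the signature, never from the request body.
  login(nonce, signature, now = Date.now()) {
    const c = this.challenges.get(nonce);
    this.challenges.delete(nonce); // burn the nonce even when the attempt fails
    if (!c || now > c.expires) return null;
    let signer;
    try { signer = this.recoverSigner(c.message, signature).toLowerCase(); }
    catch { return null; }
    if (this.owners.get(c.tokenId) !== signer) return null;
    const sessionId = randomHex(32);
    this.sessions.set(sessionId, { tokenId: c.tokenId });
    return sessionId;
  }

  // Step 3: feed every ERC-721 Transfer(from, to, tokenId) event seen on chain.
  onTransfer(from, to, tokenId) {
    this.owners.set(tokenId, to.toLowerCase());
    for (const [id, s] of this.sessions) {
      if (s.tokenId === tokenId) this.sessions.delete(id); // previous owner loses access
    }
  }
  isAuthorized(sessionId) { return this.sessions.has(sessionId); }
}
```

Every request after login should go through `isAuthorized`, so a session issued to the previous owner stops working as soon as the Transfer event is processed.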

Related

How to recognize and interact with contract of other chains?

I am planning to issue an ERC20 token on Ethereum and I want to use it as a payment for dapps on Polygon.
How may I establish the interaction between the contracts? A potential answer to that question might be bridging. But I tried to look at every platform to understand how I can use my coin tokens after bridging, but failed to find any definite answer.
So my question is, if two contracts are on the same chain-
IERC20 token = IERC20(some_address);
We use the above line to call our coin token from our dapp. Since our coin token is on a different Ethereum chain, after bridging, how do we call it from a contract that will be deployed on Polygon?
Will the above line of code work? Will I get a new address on polygon for my token contract?
(Recently I have seen a technique, but couldn't understand the underlying mechanism. So, there is a website called Coinvise, they let you deploy your coin airdrop contract on polygon and let you set the nft address (to know if user holds that particular nft) as eligibility condition that is deployed on ethereum. They do it on chain using something called 'sub-graph'. I do not know what this is but I'd like to know if it helps in my case.)
I am new to blockchain, please help

Using connected wallet to authenticate endpoint for dApp?

I have a pure Typescript dApp that has no server behind it. The user connects their MetaMask wallet and mints an NFT from the site. I want to provide an affiliate program so partners can give out their affiliate link and anyone who purchases an NFT they will get a percentage fee.
If the affiliate identifier is in the query string parameters, I will write it to the user's cookie. Then I can call an endpoint with the user's public wallet address and transaction identifier when they complete the mint. Or if they leave and come back, the affiliate id is in the cookie to pick up from there.
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
Could there be a way to use the user's connected wallet to sign a message and authenticate with the endpoint that way? It would almost be like OAuth but for crypto. I want to keep this simple though.
Any suggestions or ideas on how to achieve this?
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
Usually you don't. You can pass the information in the mint transaction.
My challenge is how can I authenticate that endpoint if the dApp is pure javascript with no server behind it? What can stop anyone from just calling this endpoint with a bunch of wallets and affiliate codes?
You can make users sign in to your service using Ethereum Sign In. This needs a backend, though. You are not going to get more information than in the mint transaction (the user address).

Is it possible to connect someone else's MetaMask account?

I've been told that signing a message on a Dapp is the only way to prove that you actually own the account you are connecting with (i.e., simply connecting your wallet isn't enough because someone could just send a backend call that uses someone else's wallet).
However, I'm having a tough time understanding how that would work. If I look at libraries like web3modal, web3react, and web3-onboard, they all just use a function like connect() to open up someone's injected wallet in their browser. Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
Can a nefarious actor somehow edit connect() and pass in a wallet address they don't own?
You can pass whatever data from the client to the backend or blockchain. If you do not sign the data, there is no verification of any kind that you own the data.
For the purpose of authenticating addresses and logins, see Sign in with Ethereum.

Multiple ERC20 tokens in a DeFi platform

I'm building a DeFi application on Ethereum, and I would like to implement the Deposit function. Everything works fine between ETH and an ERC20 token that I built, but I would like to add some tokens like aToken for AAVE or cTokens for Compound that the user will receive after a Deposit call.
So the question is: is it possible to add a function in my smart contract to create multiple tokens without creating a smart contract for each of them? If not, do I have to create a different contract for each token I want to add in my app, or is there a better method to do it?
Yes this is possible. You can transfer the tokens to the user's address after the Compound Protocol mint operation. This can be made generic using the ERC-20 transfer interface. Be sure to account the amounts users are due and beware of the reentrancy vulnerability.

How can ethereum token use as payment gateway on ecommerce website

Everyone can create an Ethereum token with Solidity code, but I don't know how this token can be integrated as a payment gateway in an ecommerce website.
For a real project, this token needs a frontend web wallet / Android wallet and integration into every website as payment.
Please suggest how I can find a way to do this.
What more do I need to study?
A token is not a payment gateway. If I understand your question correctly, you are asking how you can interact with a token that you have created through Solidity from the frontend. One use case would be how people can use the token that you have created to purchase some item. For this the users should already be holding the tokens. These can be bought from an ICO or from an exchange. Basically there are a couple of functions in an ERC20 token, i.e., approve() and transfer(), that will approve apps like exchanges to perform transactions on behalf of the owner of the token. Once the users have those tokens they can purchase items with them. Again, you have to write the logic for how and what you expect users to do.
An ERC20 token works like a currency, and Solidity is a programming language which we use to write the smart contract. If you want to invoke your function then you need to create a wallet account; after that you can do transactions using web3js. You can get ether for testing purposes from a faucet. Basically these are functions in the ERC20 token, i.e., approve() and transfer(), that will perform transactions.
I don't suggest using ERC20 tokens as a payment method.
The Ethereum network is not fast enough: you need 30 confirmations to make sure you received the token, and sometimes the delay can be 1 day.
The cost is high: when you transfer a token, usually you have a smart contract, and it costs lots of gas.
The Ether price is not stable: it dropped 90% of its value from Jan 2018 to Dec 2018. It will be hard for an e-store to maintain profit.
However if you still want to do that, yes, you can create your own gateway using tokens as your accepted currency.