blink-km
commented
2 years ago "Authenticate access to Prime Deals at Thu, 21 Apr 2022 08:44:56 [user's timezone]"
Open paweljanicki opened 2 years ago
blink-km
commented
2 years ago "Authenticate access to Prime Deals at Thu, 21 Apr 2022 08:44:56 [user's timezone]"
BartuCulha
commented
2 years ago Message says: Verify authentication attempt at Wed, 27 Apr 2022 08:42:52 GMT
Message to say: "Authenticate access to Prime Deals at Thu, 21 Apr 2022 08:44:56 [user's timezone]"
User has to sign the authentication message everytime they connect their wallet. Is this expected? @dkent600 @paweljanicki
hiaux0
commented
2 years ago Signing metamask at every login User has to sign the authentication message everytime they connect their wallet. Is this expected?
Have you accepted the signature request or cancelled it before "login" (or refresh or new connect attempt). When you cancelled, I'm experiencing the same #813
@BartuCulha
BartuCulha
commented
2 years ago Hey, what do you mean by login? 😀
dkent600
commented
2 years ago The message is going to be a separate ticket, so I'm sending back to QA.
Likewise re: the cancellation question
hiaux0
commented
2 years ago Hey, what do you mean by login? grinning
connecting. (you used "login" in your post haha) @BartuCulha
Firebase Authentication and security
Background In order for users to see their private Deals or perform updates to a deal, we need to authenticate them to Firebase.
Current authentication Currently users connect to a wallet and we can read their wallet address. It all happens in the browser and we trust Metamask (and other wallet providers) that the wallet address we get is actually a wallet address that user owns.
Challenge We need to authenticate users to Firebase which works as a Backend and we need to send a request over the network saying “Please authenticate a user whose wallet address is 0x….”. We should make sure that no-one can use a back door, bypass our dApp and send that request directly to Firebase, trying to authenticate with a wallet address they don’t own.
Risk Is someone would successfully authenticate with Firebase bypassing our dApp they could make updates to a deal (stored in Firebase), pretending they are a proposal lead or a representative.
Solution In order to verify that a user who is trying to authenticate with Firebase with a wallet address actually owns it, we have to request a signature from them. This is how it would work: ⁃ dApp prompts user to sign in a message via their wallet provider. Metamask automatically opens and asks user to sign the message. ⁃ When user signs the message in Metamask, dApp receives the signed message (aka signature) ⁃ dApp sends request to authenticate with Firebase and it includes the signature ⁃ Firebase retrieves the wallet address from the signature and therefore we know that they own it (because they signed the message with it)
NOTE