search

greymass / ual-anchor

Identity and session through ESR using EOSIO/universal-authenticator-library
MIT License
23 stars 16 forks source link

Need authenticate func #7

Closed gtolarc closed 4 years ago

gtolarc commented 4 years ago

ual-scatter has the following authenticate implementation: https://github.com/EOSIO/ual-scatter/blob/master/src/ScatterUser.ts#L111

This is useful when receiving user signup from a centralized server, separate from client-wallet communication. This is because sending a signature, data, nonce, and publicKey to the server enables data validation with the ecc.recoverHash command. Can you provide a function to verify the possession of a private key through a signature like this?

aaroncox commented 4 years ago

The login process in ual-anchor does already verify the possession of a private key and return a proof through the use of identity requests as it uses anchor-link to call the identify method.

The proofs are returned via the callback method, which could also be listened for on a centralized server.

It doesn't look like we're exposing that proof right now in UAL though, which is returned as identity in this part of ual-anchor. We'll add that information to the returned AnchorUser object so that other applications can also verify the signature being returned and provide proof of ownership.

gtolarc commented 4 years ago

I confirmed that I can get the desired value by returning the login function manually. As you mentioned, it would be really nice to add the return content to the anchorUser object at the login.

gtolarc commented 4 years ago

We'll add that information to the returned AnchorUser object so that other applications can also verify the signature being returned and provide proof of ownership.

When can you implement this part? @aaroncox

aaroncox commented 4 years ago

Sorry for the delay, we had a few external things impacting us getting back on top of UAL.

I pushed this up on my priorities list, I'll see if we can get it exposed soon in a new release of ual-anchor.

aaroncox commented 4 years ago

Alright, ual-anchor@0.5.1 is published now and does expose the proofs themselves.

I have also updated our ual-reactjs-renderer-demo-multipass repository to include how to verify these proofs, which can be found here:

https://github.com/greymass/ual-reactjs-renderer-demo-multipass/blob/0c71aec6de6882162ba75db87dbc01efed693bb5/src/Main.js#L33-L51

The proof itself is not persisted and is only available upon initial login, so additional checks are needed to see if the proof exists before validating it.

gtolarc commented 4 years ago

thx!! @aaroncox