ton-society / grants-and-bounties

TON Foundation invites talent to imagine and realize projects that have the potential to integrate with the daily lives of users.
https://ton.org/grants

Example of a secure application that uses TonConnect 2.0 and TonProof with a backend partially on Ruby on Rails #168

Closed vtamara closed 1 year ago

vtamara commented 1 year ago

Summary

This step proposes to explain how the examples https://github.com/ton-connect/demo-dapp-backend and https://github.com/ton-connect/demo-dapp-with-backend work, how you can test them in a local environment, and how to safely expand them to implement most of your backend in a different programming language (Ruby on Rails in the case of the article, but you can adapt it to your preferred back-end language and framework). We further propose to keep the example running on a server provided by the author for 15 days.

The approach of this footstep, having two backends, is not trivial when security is considered, because the authentication on the Ruby backend needs to decrypt the JWT (JSON Web Token) generated by the first backend in Go. Both backends must be coordinated with a secure way to generate/use safe JWTs, and for that the first backend in Go must be improved to generate JWTs that are hard to decrypt except for the Ruby backend, which also needs cryptographic tools.

Context

If you are developing an application with a back-end in your preferred programming language and framework (for example, python, node.js, Ruby on Rails), you may find it very difficult to authenticate with TonConnect 2.0 because:

  1. There is only one backend example available, in the "go" language, https://github.com/ton-connect/demo-dapp-backend, and it's not that easy to understand what it does. Even after understanding it, translating it to a different programming language can be hard, because it requires specific cryptographic tools and a data structure with mutexes to keep the checked wallets that used the backend recently.
  2. The corresponding TypeScript frontend is at https://github.com/ton-connect/demo-dapp-with-backend, but it's also not easy to understand how it interacts with the backend.

Goals

Assist Hack-a-tonx 2023 participants as well as TON application developers that require a backend, TonConnect 2.0 authentication on the frontend, and transaction security.

Deliverables

Definition of Done

Reward

US$500

(The author has advanced in this footstep and he would like to complete it.)

SwiftAdviser commented 1 year ago

Very good! LGTM!

Moreover, I think we need something like this for Python, too.

tvorogme commented 1 year ago

BTW, if this can help, here is an example of checking the proof from Ton Connect in Python

vtamara commented 1 year ago

BTW, if this can help, here is an example of checking the proof from Ton Connect in Python

Great, thank you. As you show it, it is complex to check the proof, which must be done once for every new wallet, and then it should keep the recently checked wallets in a data structure with mutexes, and it is hard to implement this right in a new running backend.

Besides, you didn't present how to generate the JWT (JSON Web Token) and how to verify it in the backend in every request.

The method I propose is simpler and shorter for the developer: it doesn't require implementing the checking of the proof, which will be done by the first backend, https://github.com/ton-connect/demo-dapp-backend, simply patched; nor does it implement the generation of the JWT to be used in every request.

The method I propose just requires in the second backend to verify in every request the JWT (JSON Web Token) generated by the first backend and sent by the frontend in every request.

Of course both backends must be coordinated to generate/verify the JWT, and I plan to present how to do this coordination securely; if it is done poorly (as happens with the original example at https://github.com/ton-connect/demo-dapp-backend) the JWT could be decrypted easily.

Besides, I will explain how the backend, only for valid requests, will authenticate in a secure way the wallet that passed the proof verification (avoiding forgery attempts of the wallet address).
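The JWT coordination discussed in this thread, as an added example that is not code from the demo-dapp-backend repository or from the issue's author: a stdlib-only Ruby module the Rails backend could call from a before_action on every request. It assumes the Go backend signs with HS256 over a shared secret and puts the proof-verified wallet address in an `address` claim (both assumptions), and it shows the checks a weak implementation skips: a long random secret, algorithm pinning, constant-time signature comparison before any claim is trusted, and expiry.

```ruby
require 'openssl'
require 'base64'
require 'json'

# HS256 JWT issue/verify for the second (Ruby) backend. The Go backend is
# assumed to sign with the same shared secret and to put the wallet address
# in an "address" claim; both are assumptions for this example.
module TonProofSession
  class InvalidToken < StandardError; end
  class WeakSecret < StandardError; end
  MIN_SECRET_BYTES = 32 # shorter than the HMAC output is cheap to brute-force

  def self.check_secret!(secret)
    raise WeakSecret, 'JWT secret must be >= 32 random bytes' if secret.to_s.bytesize < MIN_SECRET_BYTES
    secret
  end

  def self.b64(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Constant-time comparison so a signature check does not leak timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Issuing side (what the first backend does), kept here so the example runs alone.
  def self.issue(address, secret, ttl: 3600, now: Time.now.to_i)
    check_secret!(secret)
    header  = b64(JSON.generate(alg: 'HS256', typ: 'JWT'))
    payload = b64(JSON.generate(address: address, iat: now, exp: now + ttl))
    "#{header}.#{payload}.#{b64(OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}"))}"
  end

  # Verifying side: pin the algorithm, check the HMAC before trusting any
  # claim, then enforce expiry and require the wallet address.
  def self.verify(token, secret, now: Time.now.to_i)
    check_secret!(secret)
    parts = token.to_s.split('.')
    raise InvalidToken, 'malformed token' unless parts.size == 3
    header, payload, sig = parts
    hdr = JSON.parse(Base64.urlsafe_decode64(header))
    raise InvalidToken, 'unexpected alg' unless hdr.is_a?(Hash) && hdr['alg'] == 'HS256' # rejects "none"
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
    raise InvalidToken, 'bad signature' unless secure_equal?(expected, Base64.urlsafe_decode64(sig))
    claims = JSON.parse(Base64.urlsafe_decode64(payload))
    raise InvalidToken, 'expired' unless claims.is_a?(Hash) && claims['exp'].is_a?(Integer) && claims['exp'] > now
    raise InvalidToken, 'no address' unless claims['address'].is_a?(String) && !claims['address'].empty?
    claims
  rescue ArgumentError, JSON::ParserError => e
    raise InvalidToken, e.message
  end
end
```

Both backends must load the same secret from the environment; a short or hardcoded value is exactly the weakness that lets the token be broken.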

tactfunc commented 1 year ago

Looks good to me.

Hope you can add more content and a security focus. We have been dealing with this since implementing TonConnect in our DApp.

vtamara commented 1 year ago

Looks good to me.

Hope you can add more content and a security focus. We have been dealing with this since implementing TonConnect in our DApp.

Ok

SwiftAdviser commented 1 year ago

Looks good to me. Hope you can add more content and a security focus. We have been dealing with this since implementing TonConnect in our DApp.

Ok

UPDATE: After a discussion with TON Tech, they're ready to support tutorials for non-JS backends in Python as an alternative to JS, but not Ruby on Rails.

vtamara commented 1 year ago


Thanks a lot for informing.

IMHO mass adoption would be more massive by accepting developers that use different environments, frameworks, backends and programming languages.

delovoyhomie commented 1 year ago

UPDATE: After a discussion with TON Tech, they're ready to support tutorials for non-JS backends in Python as an alternative to JS, but not Ruby on Rails.

In this regard, can this issue be closed? When the need arises, you can always reopen it.