So, I want to do a webpage, where you have to log in with metamask, only.
I've seen that cryptokitties.co did a really good job, not even prompting for a password.
The only thing they require is a signature from you. But here is the thing I don't understand: What do you sign, that you are protected from a signature replay? Or are they protected from a signature replay in the first place?
What I thought about so far (but it didn't work):
- Using a nonce -> What happens if the client wipes localhost?
- Using time -> There are different timezones and taking UTC -> One can send the two requests almost instantly one after another.
However, if I invalidate the signed hash of the time on the server side and don't accept a second attempt, would this be a good practice?
CodePudding user response:
You can try:
- Client sign a nonce
- Check with his public key that it is him and return a token (JWT) with encrypted information (expiration date, public key, etc)
- The user is already authenticated.
I think it can work, but possibly there is a better way.
These systems are zero knowledge
CodePudding user response:
Okay, so while @Rimander has some good input, I found the exact way how to do it.
Turns out that the exact same question was asked before here: https://ethereum.stackexchange.com/questions/35664/authenticating-a-user-via-metamask-like-cryptokitties
And this is a pretty good tutorial on how to do it:
The interesting point: The server is the one giving you the message to sign, you sign it and therefore verify that it's you. Afterwards, one can proceed like @Rimander proposed, by returning a JWT.