Shulou (Shulou.com), 06/01 report. Updated 2025-04-06.
This article covers how to develop web applications with Ethereum and Metamask. Many people run into this problem in practice, so let the editor walk you through how to deal with it. I hope you read it carefully and get something out of it!
JSON Web Token
A very popular way to log on to a standard web system (and/or use its API) is to submit a password (hashed on the client) to an authentication endpoint and receive a token in return. This token is often called a JSON Web Token and is usually valid for a limited period of time (minutes to days). This is a good tutorial on the standard implementation.
JSON Web Tokens are good, and I'm starting to think it's easy to authenticate myself on the blockchain. In fact, when you use Ethereum, you need to constantly improve.
If you treat an Ethereum address (which is derived from the sha3 hash of the public key) as an account on the site, you can easily prove that you own the account by signing a piece of data with the private key. This data is arbitrary and can be any random string provided by the website API. Therefore, we can use the address as the user name and bypass the need for a password. In fact, we don't even need to use a blockchain to do this.
This is what it looks like in Express:
First, we need to make an elliptic curve signature with the private key:

    var ethUtil = require('ethereumjs-util'); // >= 5.1.1
    var data = 'i am a string';
    // Elliptic curve signature must be done on the Keccak256 Sha3 hash of a piece of data.
    var message = ethUtil.toBuffer(data);
    var msgHash = ethUtil.hashPersonalMessage(message);
    // privateKey is the signer's private key (not defined in this fragment).
    var sig = ethUtil.ecsign(msgHash, privateKey);
    // concatSig is a helper from the surrounding code (not shown on this page)
    // that joins the signature components into one value.
    var serialized = ethUtil.bufferToHex(this.concatSig(sig.v, sig.r, sig.s));
    return serialized;

Don't worry too much about what these parameters are. There is some cryptography here, and I encourage you to read about elliptic curve signatures. The Bitcoin wiki is a good place to start.
In any case, once we have the signature components, we can package them with the user's address and send them all to the authentication endpoint.
POST /Authenticate

    var jwt = require('jsonwebtoken');
    var ethUtil = require('ethereumjs-util');

    function checkSig(req, res) {
      // The client posts { owner, sig } as JSON, so both arrive in req.body
      // (this needs a JSON body parser in front of the route).
      var sig = req.body.sig;
      var owner = req.body.owner;

      // Same data as before
      var data = 'i am a string';
      var message = ethUtil.toBuffer(data);
      var msgHash = ethUtil.hashPersonalMessage(message);

      // Get the address of whoever signed this message
      var signature = ethUtil.toBuffer(sig);
      var sigParams = ethUtil.fromRpcSig(signature);
      var publicKey = ethUtil.ecrecover(msgHash, sigParams.v, sigParams.r, sigParams.s);
      var sender = ethUtil.publicToAddress(publicKey);
      var addr = ethUtil.bufferToHex(sender);

      // Determine if it is the same address as 'owner'.
      // This is a comparison, not an assignment; bufferToHex returns lowercase
      // hex, so the supplied address is lowercased before comparing.
      var match = false;
      if (addr === String(owner).toLowerCase()) {
        match = true;
      }

      if (match) {
        // If the signature matches the owner supplied, create a
        // JSON web token for the owner that expires in 24 hours.
        // The token names the recovered address, not a field taken from the request.
        // 'i am another string' is the token signing secret.
        var token = jwt.sign({ user: addr }, 'i am another string', { expiresIn: '1d' });
        res.status(200).send({ success: 1, token: token });
      } else {
        // If the signature doesn't match, error out
        res.status(500).send({ err: 'Signature did not match.' });
      }
    }

So basically, given some data, an address and the EC signature components, we can safely prove that the address belongs to the person who signed the data. It's cool, right?
Once we are satisfied that the signature and address match, the server can sign a JSON Web Token for that address. In this case, the token is valid for 1 day.
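The handler above verifies a signature over the fixed string 'i am a string', so the same signature would be accepted on every later login. As an added example (not the author's code), the block below issues the "random string provided by the website API" once per login and burns it on use. The `/challenge` route name, the 5-minute TTL and the `fakeRecover` test double are assumptions; `recover` stands for the hashPersonalMessage/fromRpcSig/ecrecover/publicToAddress sequence shown above.

```javascript
// Added example, not from the original article: single-use login challenges.
const crypto = require('crypto');

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumption: challenges live 5 minutes

class ChallengeStore {
  constructor(now = Date.now) {
    this.now = now;           // injectable clock so expiry can be tested
    this.pending = new Map(); // lowercased address -> { message, expires }
  }

  // Body of a hypothetical GET /challenge handler: returns the text to sign.
  issue(owner) {
    const key = String(owner).toLowerCase();
    const nonce = crypto.randomBytes(16).toString('hex');
    const message = `Sign in as ${key} with nonce ${nonce}`;
    this.pending.set(key, { message, expires: this.now() + CHALLENGE_TTL_MS });
    return message;
  }

  // Body of POST /authenticate. recover(message, sig) must return the
  // signer's address; it is passed in so this file has no dependencies.
  redeem(owner, sig, recover) {
    const key = String(owner).toLowerCase();
    const entry = this.pending.get(key);
    this.pending.delete(key); // burn the nonce on every attempt, pass or fail
    if (!entry) return { ok: false, reason: 'no-challenge' };
    if (this.now() > entry.expires) return { ok: false, reason: 'expired' };
    let signer;
    try {
      signer = String(recover(entry.message, sig)).toLowerCase();
    } catch (err) {
      return { ok: false, reason: 'bad-signature' };
    }
    if (signer !== key) return { ok: false, reason: 'signer-mismatch' };
    return { ok: true, user: key }; // put `user` in the token, not a body field
  }
}

// Constructed test double standing in for real signature recovery:
// a "signature" here is just "<address>|<message>".
function fakeRecover(message, sig) {
  const [addr, signed] = String(sig).split('|');
  if (signed !== message) throw new Error('signature is for another message');
  return addr;
}
```

With more than one server process, the pending map would have to live in a shared store so a challenge issued by one process can be redeemed and burned by another.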
Now we just need to put in some middleware to protect any route that serves or modifies protected information.
Middleware/auth.js

    var jwt = require('jsonwebtoken');

    function auth(req, res, next) {
      // Pin the accepted algorithm; HS256 is what jwt.sign uses with a string secret.
      jwt.verify(req.body.token, 'i am another string', { algorithms: ['HS256'] }, function (err, decoded) {
        if (err) {
          res.status(500).send({ error: 'Failed to authenticate token.' });
        } else {
          // Downstream handlers read the user from here, never from the request body.
          req.user = decoded.user;
          next();
        }
      });
    }

App.js

    // Routes
    app.post('/UpdateData', auth, Routes.UpdateData);
    …

If the token provided corresponds to the user who sent the request, the request continues on to the route. Note that the middleware modifies the request. We need to reference this new user parameter because we know it was set by our middleware.
POST /UpdateData

    function UpdateData(req, res) {
      // Only use the user that was set in req by auth middleware!
      var user = req.user;
      updateYourData(user, req.body.data);
      ...
    }
We finally got it! Your user is fully logged in, but no password is required.
UI aspect
How does the user actually sign this data in the browser? Metamask will help! Metamask is a neat Chrome extension that injects web3 into your browser window.
Mycomponent.jsx
    makeSig(dispatch) {
      function toHex(s) {
        var hex = '';
        for (var i ...
        // [the rest of toHex and the Metamask signing call are missing from this copy of the article]
        ...
        fetch(`${this.api}/authenticate`, {
          method: 'POST',
          body: JSON.stringify({ owner: user, sig: sig }),
          headers: { "Content-Type": "application/json" }
        })
        .then((res) => {
          return res.text();
        })
        .then((body) => {
          var token = JSON.parse(body).token;
          dispatch({ type: 'SET_AUTH_TOKEN', result: token });
        })
    }

Once you have saved the auth token in the reducer, you can call the authenticated endpoints. We finally got it!
Note that you must recover the v, r and s values from the signature. Metamask has a signature util module that shows how the signature is constructed. It can be deconstructed like this:

    var solidity_sha3 = require('solidity-sha3').default;
    let hash = solidity_sha3(data);
    // Drop the leading "0x"; what remains is r (64 hex chars), s (64) and v (2).
    let sig = result.result.substr(2, result.result.length);
    let r = sig.substr(0, 64);
    let s = sig.substr(64, 64);
    // The last byte is hexadecimal, so parse it with radix 16.
    let v = parseInt(sig.substr(128, 2), 16);

Where v will resolve to 0 or 1. Also note that this uses the solidity-sha3 module to ensure that the hash algorithm is the same as the one Solidity uses as its native hash method (the hexadecimal string we are signing is hashed first).
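Going a little beyond the snippet above, here is an added example (not from the original article) of a stricter parser for the same r || s || v hex string: it parses v with radix 16, accepts either 0/1 or 27/28, and range-checks r and s against the secp256k1 group order. The low-s rule and the sample signatures are this example's own choices, and the samples are constructed values, not signatures over any real message.

```javascript
// Added example, not from the original article: strict parsing of the
// 65-byte r || s || v hex string a wallet returns.
const SECP256K1_N = BigInt(
  '0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');
const HALF_N = SECP256K1_N / 2n;

function parseRpcSignature(sigHex) {
  if (typeof sigHex !== 'string' || !/^0x[0-9a-fA-F]{130}$/.test(sigHex)) {
    throw new Error('expected 0x followed by 130 hex characters');
  }
  const hex = sigHex.slice(2).toLowerCase();
  const r = hex.slice(0, 64);
  const s = hex.slice(64, 128);
  // Radix 16 matters: parseInt('1b') without a radix stops at 'b' and
  // returns 1, so v = 27 and v = 28 would both be read as 1.
  let recoveryId = parseInt(hex.slice(128, 130), 16);
  if (recoveryId === 27 || recoveryId === 28) recoveryId -= 27;
  if (recoveryId !== 0 && recoveryId !== 1) {
    throw new Error('recovery id must be 0/1 or 27/28');
  }
  const rInt = BigInt('0x' + r);
  const sInt = BigInt('0x' + s);
  if (rInt === 0n || rInt >= SECP256K1_N) throw new Error('r out of range');
  if (sInt === 0n || sInt >= SECP256K1_N) throw new Error('s out of range');
  // Strictness chosen for this example: accept only the low-s form, so a
  // signature has a single valid encoding.
  if (sInt > HALF_N) throw new Error('high-s signature rejected');
  return { r, s, recoveryId };
}

// Constructed sample values (not real signatures over any message).
const SAMPLE_R = '11'.repeat(32);
const SAMPLE_S = '22'.repeat(32);
const SAMPLE_V28 = '0x' + SAMPLE_R + SAMPLE_S + '1c'; // v encoded as 28
const SAMPLE_V1 = '0x' + SAMPLE_R + SAMPLE_S + '01';  // v encoded as 1
```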
Production preparation
I can't emphasize enough that every web application that uses JSON Web Tokens can easily take advantage of this today. Any user with the Metamask extension can simply bypass the login screen, which may be more secure than anything currently used to manage logins. This means fewer forgotten passwords, less wasted time and a happier user base.
And, you know, if you want your user to pay the other party (or you, or any other user on any other system that uses this user) without a middleman, or if you want to take advantage of millions of other features of Ethereum, then you need to do the same.