How to do a secure login with web3 (MetaMask)?

So, I want to do a webpage where you have to log in with MetaMask only.

I've seen that cryptokitties.co did a really good job, not even prompting for a password.

The only thing they require is a signature from you. But here is the thing I don't understand: what do you sign so that you are protected from a signature replay? Or are they protected from a signature replay in the first place?

What I thought about so far (but it didn't work):

  • Using a nonce -> What happens if the client wipes localhost?
  • Using time -> There are different timezones and taking UTC -> One can send the two requests almost instantly one after another.

However, if I invalidate the signed hash of the time on the server side and don't accept a second attempt, would this be a good practice?



Solution 1:[1]

You can try:

  • The client signs a nonce.
  • Check with his public key that it is him and return a token (JWT) with encrypted information (expiration date, public key, etc.).
  • The user is already authenticated.

I think it can work, but possibly there is a better way.

These systems are zero knowledge.
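The nonce flow from the answer, written out as an added server-side example (not code from the question or the answer) that also covers the replay concern raised in the question: the server generates and stores the nonce, and each nonce is accepted once. `ChallengeStore`, `recoverSigner`, the message text and the 5-minute lifetime are assumptions; in a real server `recoverSigner` would be a library call such as ethers.js `verifyMessage`.

```javascript
// Added example: single-use, server-side login challenges (names are assumptions).
// Works in CommonJS and ES modules: use the global Web Crypto object when present.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

const CHALLENGE_TTL_MS = 5 * 60 * 1000; // assumed validity window

class ChallengeStore {
  // recoverSigner(message, signature) must return the signing address or throw.
  constructor(recoverSigner, now = () => Date.now()) {
    this.recoverSigner = recoverSigner;
    this.now = now;
    this.pending = new Map(); // nonce -> { address, message, expiresAt }
  }

  // Step 1: the server picks the nonce, so nothing depends on client storage.
  issue(address, domain) {
    const bytes = webcrypto.getRandomValues(new Uint8Array(16));
    const nonce = Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
    const message = `${domain} wants you to sign in as ${address}\nNonce: ${nonce}`;
    const expiresAt = this.now() + CHALLENGE_TTL_MS;
    this.pending.set(nonce, { address: address.toLowerCase(), message, expiresAt });
    return { nonce, message };
  }

  // Step 2: consume the nonce first, then check expiry and the recovered signer.
  verify(nonce, signature) {
    const entry = this.pending.get(nonce);
    if (!entry) return { ok: false, reason: "unknown-or-used-nonce" };
    this.pending.delete(nonce); // a second submission finds nothing to match
    if (this.now() > entry.expiresAt) return { ok: false, reason: "expired" };
    let signer;
    try {
      signer = this.recoverSigner(entry.message, signature);
    } catch {
      return { ok: false, reason: "bad-signature" };
    }
    if (typeof signer !== "string" || signer.toLowerCase() !== entry.address) {
      return { ok: false, reason: "bad-signature" };
    }
    return { ok: true, address: entry.address }; // caller now issues the session token
  }
}
```

Because the signed message embeds the domain and a fresh nonce, a signature captured from one login does not match the message of any later challenge.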

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Rimander