如何使用 web3 (Metamask) 进行安全登录?
[英]How to do a secure login with web3 (Metamask)?
问题描述
So, I want to do a webpage, where you have to log in with metamask, only.
所以,我想做一个网页,你只需要使用 metamask 登录。
I've seen that cryptokitties.co did a really good job, not even prompting for a password.我已经看到cryptokitties.co做得非常好,甚至没有提示输入密码。
The only thing they require is a signature from you.他们唯一需要的是您的签名。 But here is the thing I don't understand: What do you sign, that you are protected from a signature replay?但这是我不明白的事情:你签署了什么,你被保护免受签名重放? Or are they protected from a signature replay in the first place?或者他们是否首先受到签名重放的保护?
What I thought about so far (but it didn't work):到目前为止我的想法(但没有奏效):
- Using a nonce -> What happens if the client wipes localhost?使用 nonce -> 如果客户端擦除 localhost 会发生什么?
- Using time -> There are different timezones and taking UTC -> One can send the two requests almost instantly one after another.使用时间 -> 有不同的时区并采用 UTC -> 几乎可以立即一个接一个地发送这两个请求。
However, if I invalidate the signed hash of the time on the server side and don't accept a second attempt, would this be a good practice?但是,如果我在服务器端使签名的时间哈希无效并且不接受第二次尝试,这是一个好习惯吗?
1 个解决方案
解决方案1
0 2022-03-04 15:53:05
You can try:你可以试试:
- Client sign a nonce客户签署随机数
- Check with his public key that it is him and return a token (JWT) with encrypted information (expiration date, public key, etc)用他的公钥检查是他,并返回一个带有加密信息(到期日期、公钥等)的令牌(JWT)
- The user is already authenticated.用户已通过身份验证。
I think it can work, but possibly there is a better way.我认为它可以工作,但可能有更好的方法。
These systems are zero knowledge这些系统是零知识
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.