Search code examples
javascriptnode.jsmetamask

How to do a secure login with web3 (Metamask)?

So, I want to do a webpage, where you have to log in with metamask, only.

I've seen that cryptokitties.co did a really good job, not even prompting for a password.

The only thing they require is a signature from you. But here is the thing I don't understand: What do you sign, that you are protected from a signature replay? Or are they protected from a signature replay in the first place?

What I thought about so far (but it didn't work):

  • Using a nonce -> What happens if the client wipes localhost?
  • Using time -> There are different timezones and taking UTC -> One can send the two requests almost instantly one after another.

However, if I invalidate the signed hash of the time on the server side and don't accept a second attempt, would this be a good practice?

Solution

  • You can try:

    • Client sign a nonce
    • Check with his public key that it is him and return a token (JWT) with encrypted information (expiration date, public key, etc)
    • The user is already authenticated.

    I think it can work, but possibly there is a better way.

    These systems are zero knowledge