EthOTP

EthOTP is a Node.js implementation of Ethereum One-Time Password (EthOTP) authentication. It provides a costless, off-chain mechanism for securely proving ownership of an Ethereum address on any Ethereum network without transmitting the private key.

This module is to be used as middleware for conventional web authentication implementations such as session or token based authentication.

Authentication Workflow

  • Client requests a challenge-string from server
  • Server uses EthOTP to generate a challenge-string, stores it, and sends it to the client
  • The client signs the challenge-string with their private key (via MetaMask/hardware wallet/whatever) and sends it back
  • Server receives the signed challenge-string, verifies it (the signature matches the challenge-string) and validates it (the challenge-string was generated by EthOTP and has not expired)
  • Server then has proof of ownership of the address, and can then continue to authenticate the client via JWT or something else
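
The server side of the workflow above, as an added sketch that is not EthOTP's own code: challenges are random, stored with an expiry, and consumed on first presentation so a captured response cannot be replayed. ChallengeStore, issue, redeem and recoverSigner are hypothetical names; recoverSigner(message, signature) is assumed to come from a signing library and to return the signer's address.

```javascript
// Added example; all names here are hypothetical, not EthOTP's API.
const crypto = require('node:crypto');

class ChallengeStore {
  // recoverSigner(message, signature) -> address string (assumed to be supplied
  // by a signing library; it may throw on a malformed signature).
  constructor(recoverSigner, ttlMs = 60000, now = Date.now) {
    this.recoverSigner = recoverSigner;
    this.ttlMs = ttlMs;
    this.now = now;
    this.pending = new Map(); // challenge-string -> expiry time in ms
  }

  issue() {
    const t = this.now();
    // Drop expired, never-redeemed challenges so the store cannot grow unbounded.
    for (const [c, expiry] of this.pending) {
      if (expiry < t) this.pending.delete(c);
    }
    // 32 random bytes: unguessable, so a signature cannot be prepared in advance.
    const challenge = 'Sign-in challenge: ' + crypto.randomBytes(32).toString('hex');
    this.pending.set(challenge, t + this.ttlMs);
    return challenge;
  }

  redeem(message, signature, address) {
    const expiry = this.pending.get(message);
    // Consume on first presentation, pass or fail: no replay and no retries.
    this.pending.delete(message);
    if (expiry === undefined) return false; // never issued here, or already used
    if (this.now() > expiry) return false;  // time expired
    let signer;
    try {
      signer = this.recoverSigner(message, signature);
    } catch (err) {
      return false; // malformed signature
    }
    // Hex addresses may differ in checksum casing; compare case-insensitively.
    return typeof signer === 'string' && typeof address === 'string' &&
      signer.toLowerCase() === address.toLowerCase();
  }
}
```

Only after redeem returns true should the server issue a session or JWT for that address.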

Potential Use Cases

  • Message board where users are not allowed to post unless they have a certain amount of ETH or token
  • Removing username/password authentication requirements (sign in using address only, then linking that to accounts)

Usage

Generating a challenge

let challengeString = ethotp.generateChallenge();

Verifying a signed response

let isVerifiedAndValid = ethotp.validateAndVerify(message, signature, address);

isVerifiedAndValid is a boolean indicating whether the signature is a valid signature of the message and the address is the signer of the message.

Installation

npm install ethotp

Running tests

npm test

Vulnerabilities / Issue reporting

If you find any vulnerabilities, please let me know by opening an issue on GitHub. Thanks ٩( ''ω'' )و