
The NEAR wallet login callback only provides `?account_id=<cyberfeng.testnet>&all_keys=<public-keys>`, and the receiving side cannot verify that the request is authentically coming from NEAR Wallet. Checking the referrer header is unreliable, as a hacker can use curl or other HTTP clients to send fake requests.

A signature, or something else that can be verified, would be ideal.

Does this exist?

Caleb Gates

1 Answer


Partial Answer:

I've since learned that the preferred method for user verification is to:

  1. Send a wallet.near.org request for the user to add a function access key to their account.
  2. You'll then have the function access key available in your website's local storage.
  3. You can then use that function access key to sign requests as the user for the specified function. You can also verify that the key was added to their Near Name account, which confirms access to their identity.

Unfortunately this method requires:

  1. The user to pay a small transaction fee.
  2. The user to add an access key to their account.
  3. The requester to specify a target contract for the function access key.

Outstanding Question:

Is there a simple way to sign a transaction with the local-storage access key held at wallet.near.org and return that result, so that I can query the user's keys and verify that an existing key signed the transaction?

Why:

  1. It's gasless: my new users have limited or 0 funds.
  2. I don't want to train users to add unnecessary access keys to their accounts.
  3. I don't need function access. I just need to securely verify their identity.

Caleb Gates