@Falci
Last active September 21, 2020 21:04
Hey folks, I'd like to share my view of the "login with HNS" feature (https://director.namebase.io/apps/p/login-with-handshake)

Overview:

  • Start with a username and a password.
  • Take the password and SHA-256 it;
  • Use the hash as a secp256k1 (https://en.bitcoin.it/wiki/Secp256k1) private key and derive the public key from it
  • Store the public key in HNS as a TXT record for a domain: auth=02b562858a301a8721923b89df9963d30101639ac690cce5f555529b778c3dbfc7

When you log in to a website using your Google account, you trust Google, but not necessarily the website you're logging in to.

My "login with HNS" feature needs a trusted player as well.

It could be a Chrome extension, Namebase, Bob wallet, or any other.

I created my own: http://auth.sinpapeles/

If you want to try it, I also have another website that requires login and sends you to this auth page.

For this demo, just ignore that both are subdomains of .sinpapeles/. Pretend they are two completely distinct websites, and that you only trust auth.sinpapeles.

Also, if you want to try it, make sure to use a strong password. For instance, the example above can be found on Google, so be aware.

Demo: http://social.sinpapeles/

This page (http://auth.sinpapeles/generator) helps you to generate the public key.

How it works

  • When you click on "Login using your domain", Social generates a challenge and sends it to Auth.
  • Auth asks for your domain and digs its TXT record to get the public key
  • Using your password, Auth signs a message (the challenge) and sends it back to Social
  • The callback contains:
    • The domain name
    • The public key
    • The challenge
    • The signed message
  • Social doesn't trust Auth, so it checks whether that domain really has that public key
  • Social checks whether that public key signed the challenge
  • Social also checks that the challenge is the same one it stored in its session (the checks don't necessarily run in this order)
  • If everything is OK, Social uses the domain as the handle/username
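The flow above end to end, as an added Python example that is not part of this gist or of the auth.sinpapeles code: password to private key, compressed public key for the TXT record, signing the challenge, and Social's checks on the callback. The curve arithmetic is written out in pure Python so it runs without libraries; the TXT lookup is a constructed dict standing in for dig, and the `social_verify` function is my reading of Social's checks, not its actual code.

```python
import hashlib, hmac
P = 2**256 - 2**32 - 977  # secp256k1: y^2 = x^3 + 7 over F_P, base point G of order N
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    lam = (3 * a[0] * a[0] * pow(2 * a[1], -1, P) if a == b
           else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)
def _mul(k, pt):  # double-and-add scalar multiplication
    r = None
    while k:
        r, pt, k = (_add(r, pt) if k & 1 else r), _add(pt, pt), k >> 1
    return r
def privkey_from_password(password):  # gist steps 2-3: SHA-256(password) is the private key
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % N  # keep it < N
def compressed_pubkey(d):  # the hex value published as auth=<hex> in the TXT record
    x, y = _mul(d, G)
    return ("02" if y % 2 == 0 else "03") + format(x, "064x")
def decompress(hexkey):  # recover (x, y) from a compressed key; P % 4 == 3 so sqrt is one pow
    x = int(hexkey[2:], 16)
    y = pow(x**3 + 7, (P + 1) // 4, P)
    return (x, y if (y % 2 == 0) == (hexkey[:2] == "02") else P - y)
def sign(d, msg):  # ECDSA over SHA-256(msg); nonce from key+msg (simplified, not full RFC 6979)
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), msg, hashlib.sha256).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    return (r, pow(k, -1, N) * (z + r * d) % N)
def verify(pub, msg, sig):  # standard ECDSA verification against a public point
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    pt = _add(_mul(z * pow(s, -1, N) % N, G), _mul(r * pow(s, -1, N) % N, pub))
    return pt is not None and pt[0] % N == r
def social_verify(callback, session_challenge, txt_lookup):
    # Social's checks (hypothetical function): the challenge is the one in its session, the
    # domain's TXT really carries the claimed key, and that key signed the challenge.
    if not hmac.compare_digest(callback["challenge"], session_challenge):
        return False
    if "auth=" + callback["pubkey"] not in txt_lookup(callback["domain"]):
        return False
    return verify(decompress(callback["pubkey"]), callback["challenge"].encode(), callback["signature"])
```

`txt_lookup` takes a domain and returns its TXT strings, which is where a real Social would call dig; the callback's signature is kept as an `(r, s)` pair rather than hex-encoded to keep the example short.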

Side notes

Technically, this is not a Handshake-only thing. I can log in using my personal domain falci.me.

If you lose your password, you can generate a new one and update the TXT record.

Keep in mind that you'll need to wait for DNS propagation.

Right now, Social redirects you to Auth. You have no choice but to trust Auth.

In the ideal scenario, Social should redirect you to hns://login?challenge=123&callback=social.sinpapeles... so your browser would redirect you to the Auth-equivalent player you actually trust.

I'd love to hear opinions about this
