If you want to authorize a user in your service by means of his Waves account, here's the solution. In general, you should redirect the user to the official Waves Client (https://beta.wavesplatform.com/ — to be changed later) with certain query parameters including some arbitrary data for him to sign.
This is useful when you work with users' personal data and need to be sure that a given blockchain account belongs to that user.
- You add the Waves Auth widget to your site.
- A user stumbles upon your site, and wants to log in using his Waves account.
- He clicks the widget button and gets redirected to the official Waves Client, along with some random data from the widget.
- There, the user chooses whether to log in or to cancel that chain of actions.
- If he proceeds, the data will be signed with the user's private key.
- The user then gets redirected back to your site, along with the signature and user's public key.
- You check the validity of the signature against the data provided for that user.
- If all is correct, the user is now authenticated in your service.
If the user interrupts the process, he stays on the Waves Client page.
Due to the length limitations of the query string, all parameters are expressed with one character.
The base path is https://beta.wavesplatform.com#gateway/auth, followed by the query parameters.
?r=https://example.com — the URL of your service. It should be HTTPS-only (Required).
?n=Service%20Name — the name of your service (Required).
?d=randomChars — the data which is signed by the user's private key (Required).
?i=/path/to/the/icon.png — a path to the logo of your app, relative to the referrer parameter (Optional).
?s=/path/to/an/API/method — a path to the method to which the user is redirected when the signing is successful. By default the user is redirected to the referrer root (Optional).
?debug=true — a flag to display error messages (Optional).
?d=randomChars — the same data which is passed along with the redirected user.
?s=base58EncodedSignature — a signature of the data which is signed by the user's private key.
?p=base58EncodedPublicKey — user's public key.
?a=base58EncodedAddress — user's Waves address.
You can use the Waves.crypto.isValidTransactionSignature() method from the @waves/waves-api npm package.
The signature is taken from the data in the following order: a WavesWalletAuthentication string, then a string with your host parameter value, then a string with your data parameter value.
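The flow and the verification step above, as an added example (not code from the Waves project): the service issues a fresh random value for d, accepts it back only once and only for a limited time, and hands the three signed strings to a signature check. Assumptions: the 5-minute lifetime, the in-memory store, the "host parameter" being the hostname of r, and the hypothetical verifySignature callback, which is expected to serialize the strings and check the signature (for instance with the @waves/waves-api method named above).

```javascript
const { randomBytes } = require('node:crypto');

const AUTH_BASE = 'https://beta.wavesplatform.com#gateway/auth'; // base path from the page
const PREFIX = 'WavesWalletAuthentication'; // first signed string, per the page
const TTL_MS = 5 * 60 * 1000;               // assumed challenge lifetime
const pending = new Map();                  // challenge -> expiry time (demo store)

// Issue a fresh random value for `d` and build the redirect URL.
function issueChallenge(referrer, name, now = Date.now()) {
  const r = new URL(referrer);
  if (r.protocol !== 'https:') throw new Error('referrer must be HTTPS');
  const d = randomBytes(24).toString('hex');
  pending.set(d, now + TTL_MS);
  return { d, url: `${AUTH_BASE}?r=${r.origin}&n=${encodeURIComponent(name)}&d=${d}` };
}

// Check the parameters that come back (d, s, p) before trusting the login.
// verifySignature(parts, signature, publicKey) is a hypothetical callback.
// The address parameter `a` is not among the signed strings, so it is not
// returned as verified here.
function checkCallback(callbackUrl, referrer, verifySignature, now = Date.now()) {
  const q = new URL(callbackUrl).searchParams;
  const [d, s, p] = ['d', 's', 'p'].map((k) => q.get(k));
  if (!d || !s || !p) return { ok: false, reason: 'missing parameter' };

  const expiry = pending.get(d);
  if (expiry === undefined) return { ok: false, reason: 'unknown or reused challenge' };
  pending.delete(d); // single use: a replayed callback fails from here on
  if (now > expiry) return { ok: false, reason: 'expired challenge' };

  const host = new URL(referrer).hostname; // assumption: host of the r parameter
  if (!verifySignature([PREFIX, host, d], s, p)) {
    return { ok: false, reason: 'bad signature' };
  }
  return { ok: true, publicKey: p };
}
```
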