@gimly-blockchain/rn-did-auth-siop-authenticator
This library module contains an OP (OpenID Provider) Authenticator implementation that can be used in React Native projects. It is essentially a React Native wrapper around the "Self Issued OpenID Provider v2 (SIOP)" library that reduces the implementation effort and troubleshooting involved in getting the SIOP library to work in a React Native environment.
The demo project rn-did-siop-example-app implements this library.
#### If React Native tools are not installed
```bash
yarn global add react-native-cli
yarn global add rn-nodeify
```
To use this helper library you need to implement the following steps. First, create a new instance of OPAuthenticator. There are two static methods with different parameters:
```typescript
this.opAuthenticator = OPAuthenticator.newInstance(options)
```
Use this method for simplified instantiation with only the most common parameters.
```typescript
opDID: string
opKID: string
opPrivateKey: string
expiresIn: number // (optional, default is 6000ms)
didMethod: string // optional, i.e. "ethr", "eosio". By default it is taken from the authentication request's did_methods_supported
```
When using typescript these fields are contained in class OPAuthenticatorOptions.
Or, for more fine-grained control, use the OP.builder() from the SIOP library:
```typescript
this.opAuthenticator = OPAuthenticator.newInstanceFromOP(OP.builder()
  .withExpiresIn(expiresIn)
  .addDidMethod("ethr")
  .internalSignature(opPrivateKey, opDID, opKID)
  .registrationBy(PassBy.VALUE)
  .response(ResponseMode.POST)
  .build())
```
See the openid-provider-siop section for details.
The next step is to get an authentication request from the RP (Relying Party) endpoint. The method "getAuthenticationRequestFromRP" will call the RP endpoint to retrieve the full authentication request based on a state identifier, which has to be part of the QR code data. Besides the state field, we also need a redirectUrl field so we know at which endpoint the authentication request can be fetched.
When using typescript it takes interface QRCodeValues as parameter.
(In case the entire authentication request is encoded in the QR code this step is not necessary.)
```typescript
this.authRequestURI = await this.opAuthenticator.getAuthenticationRequestFromRP(qrContent as QRCodeValues)
```
getAuthenticationRequestFromRP will return (when using typescript) an object implementing interface ParsedAuthenticationRequestURI. This is the input parameter for the next step:
```typescript
this.verifiedAuthenticationRequest = await this.opAuthenticator.verifyAuthenticationRequestURI(this.authRequestURI)
```
When verifyAuthenticationRequestURI succeeds, that is, when the authenticity of the request sent by the RP has been verified, it returns an object implementing interface VerifiedAuthenticationRequestWithJWT.
Next, there is a helper method to extract DID information from the request, but this can also be done from within the VerifiedAuthenticationRequestWithJWT interface.
```typescript
const rpDid = this.opAuthenticator.rpDidFromAuthenticationRequest(this.verifiedAuthenticationRequest)
```
rpDidFromAuthenticationRequest will return class RPDID containing the DID information:
```typescript
export declare class RPDID {
  id: string;
  alsoKnownAs?: string[];
}
```
At this point the idea is that you present the DID information and ask the user for permission to send your DID back to the RP, using either a button or a biometrics dialog. When the user approves, you can call the final method "sendAuthResponse", which will send the requested (and signed) OP DID information back to the RP callback endpoint:
```typescript
try {
  await this.opAuthenticator.sendAuthResponse(this.verifiedAuthenticationRequest as VerifiedAuthenticationRequestWithJWT)
  this.setState({message: "Login successful"})
} catch (e) {
  this.setState({message: "Error: " + e.message})
} finally {
  ...
}
```
(Except for rpDidFromAuthenticationRequest all methods will return a promise. Errors are raised using Promise.reject())
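The whole login flow described above, wired together as one function. This is an added example, not code from this package or its demo app: it assumes the QR payload is JSON with the `state` and `redirectUrl` fields, takes the authenticator as a parameter so the same flow runs against the real OPAuthenticator or the constructed fake at the bottom, and adds an https check on `redirectUrl` plus a consent gate before anything is sent back to the RP.

```javascript
// Parse QR content into the QRCodeValues shape (state + redirectUrl).
// Assumption: the QR payload is JSON; the https check is an added safeguard.
function parseQrContent(raw) {
  let data;
  try { data = JSON.parse(raw); } catch (e) { throw new Error("QR content is not valid JSON"); }
  if (typeof data.state !== "string" || data.state.length === 0) {
    throw new Error("QR content is missing the state field");
  }
  if (typeof data.redirectUrl !== "string" || !data.redirectUrl.startsWith("https://")) {
    throw new Error("redirectUrl must be an https URL");
  }
  return { state: data.state, redirectUrl: data.redirectUrl };
}

// Run the README's sequence: fetch -> verify -> show RP DID -> consent -> send.
// `authenticator` is assumed to expose the OPAuthenticator methods named in the README.
async function loginWithQr(authenticator, rawQr, askUserConsent) {
  const qr = parseQrContent(rawQr);
  const authRequestURI = await authenticator.getAuthenticationRequestFromRP(qr);
  // Nothing from the request is trusted until its authenticity has been verified.
  const verified = await authenticator.verifyAuthenticationRequestURI(authRequestURI);
  const rpDid = authenticator.rpDidFromAuthenticationRequest(verified);
  // The user sees who is asking (the RP DID) and must approve before the OP DID leaves the device.
  if (!(await askUserConsent(rpDid))) {
    return { ok: false, message: "Login cancelled by user", rpDid: rpDid.id };
  }
  await authenticator.sendAuthResponse(verified);
  return { ok: true, message: "Login successful", rpDid: rpDid.id };
}

// Constructed fake standing in for OPAuthenticator so the flow runs offline.
// It records which steps ran so the ordering can be checked.
function makeFakeAuthenticator(log) {
  const jwt = "constructed.jwt.value"; // constructed placeholder, not a real JWT
  return {
    async getAuthenticationRequestFromRP(qr) { log.push("fetch:" + qr.state); return { state: qr.state, jwt }; },
    async verifyAuthenticationRequestURI(uri) {
      if (uri.jwt !== jwt) throw new Error("Request verification failed");
      log.push("verify");
      return { payload: { iss: "did:ethr:0xconstructedRP" } };
    },
    rpDidFromAuthenticationRequest(verified) { return { id: verified.payload.iss }; },
    async sendAuthResponse() { log.push("send"); },
  };
}
```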
FAQs
We found that @gimly-blockchain/rn-did-auth-siop-authenticator demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.