- Big news!Introducing Socket AI - ChatGPT-Powered Threat Analysis. Learn more →
@steemit/rpc-auth
Advanced tools
@steemit/rpc-auth
JSON-RPC 2.0 authentication using steem blockchain authorities
- 1.1.1latest
- Version published
- Maintainers
- 2
- Weekly downloads
- 373
- decreased by-25.4%
Weekly downloads
Readme
@steemit/rpc-auth
JSONRPC 2.0 authentication with steem authorities
Specification
Overview
Request signing for JSON-RPC 2.0 implemented using steem authorities.
Signed request
Requests are signed with steem keys belonging to the sender.
Example JSON-RPC request:
{
"jsonrpc": "2.0",
"id": 123,
"method": "foo.bar",
"params": {
"hello": "there"
}
}
Above request signed with the posting key belonging to foo:
{
"jsonrpc": "2.0",
"method": "foo.bar",
"id": 123,
"params": {
"__signed": {
"account": "foo",
"nonce": "1773e363793b44c3",
"params": "eyJoZWxsbyI6InRoZXJlIn0=",
"signatures": [
"1f02df499f15c8757754c11251a6e5238296f56b17f7229202fce6ccd7289e224c49c32eaf77d5905e2b4d8a8a5ddcc215c51ce45c207ef0f038328200578d1bee"
],
"timestamp": "2017-11-26T16:57:40.633Z"
}
}
}
Signature creation pseudocode:
# JSON+Base64 request params
params = base64(json_encode(request['params']))
# 8 byte nonce
nonce = random_bytes(8)
# ISO 8601 formatted timestamp
timestamp = date_now() # "2017-11-26T16:57:40.633Z"
# Signer account name
account = 'foo'
# Private posting key belonging to foo
signing_key = PrivateKey('...')
# Signing constant K (sha256('steem_jsonrpc_auth'))
K = bytes_from_hex('3b3b081e46ea808d5a96b08c4bc5003f5e15767090f344faab531ec57565136b')
# first round of sha256
first = sha256(timestamp + account + method + params)
# message to be signed
message = sha256(K + first + nonce)
signature = ecdsa_sign(message, signing_key)
Signature validation
- Entire request must be <64k for sanity/anti-DoS
- Request must be valid json and json-rpc
request['params']['__signed']must existrequest['params']['__signed']must be the only item inrequest['params']request['params']['__signed']['params']must be valid base64request['params']['__signed']['params']when base64 decoded must be valid jsonrequest['params']['__signed']['nonce']must exist and be a hex string of length 16 (8 bytes decoded)request['params']['__signed']['timestamp']must exist and be a valid iso8601 datetime ending in Zrequest['params']['__signed']['timestamp']must be within the last 60 secondsrequest['params']['__signed']['account']must be a valid steem blockchain accountrequest['params']['__signed']['signature']must be a hex string >= 64 chars (32+ bytes decoded)- construct
first = sha256( request['params']['__signed']['timestamp'] + request['params']['__signed']['account'] + request['method'] + request['params']['__signed']['params'] ).bytes() - construct
signedstring = sha256( K + first + unhexlify(nonce)).bytes() - check signature, signedstring against posting authorities for
request['params']['__signed']['account']
FAQs
JSON-RPC 2.0 authentication using steem blockchain authorities
The npm package @steemit/rpc-auth receives a total of 354 weekly downloads. As such, @steemit/rpc-auth popularity was classified as not popular.
We found that @steemit/rpc-auth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket installs a Github app to automatically flag issues on every pull request and report the health of your dependencies. Find out what is inside your node modules and prevent malicious activity before you update the dependencies.