passport-cardano-web3
Advanced tools
Passport strategy for authenticating with Cardano wallet signatures.
This module lets you authenticate using a Cardano wallet in your Node.js applications. This implementation is based on CIP-0093 Authenticated Web3 HTTP Requests.
$ npm install passport-cardano-web3
The Cardano web3 strategy needs two parameters. The expirationTimeSpan is an mandatory parameter which represents the number of seconds for the payload experiation. The hostname is also mandatory and it is used to validate the endpoint url.
const passport = require('passport')
const CardanoWeb3Strategy = require('passport-cardano-web3').Strategy
const cardanoWeb3Strategy = new CardanoWeb3Strategy({
expirationTimeSpan: 30,
hostname: 'https://example.com'
})
passport.use(cardanoWeb3Strategy)
Each route can be configured to use this strategy. In order to attach this strategy to an endpoint, we need to configure the action option with a descriptive text about the goal of the endpoint. This action text will be shown to the user for validation. This is an example in the server side:
const passport = require('passport')
/*
* Login route
*/
router.post(
'/login',
passport.authenticate('cardano-web3', { action: 'Login', session: false })
)
In the client side, we will use the api.signData(addr: Address, payload: Bytes): Promise<DataSignature> defined in Cardano dApp-Wallet Web Bridge CIP-0030 to get the key and signature:
const payload = {
uri: 'https://example.com/login',
action: 'Login',
timestamp: Date.now(),
};
const signature = await cardano.signData(
address,
Buffer.from(JSON.stringify(payload)).toString('hex'),
);
const response = await fetch.post('/login', {
key: signature.key,
signature: signature.signature,
});
This strategy must not be used with GET requests. It's dangerous to send the wallet public key and signature in the query params. The request body must have the key and signature obtained from the singData method.
This strategy can be combined with other Passport strategies, like passport-session or passport-jwt.
The repository jmagan/cardano-express-web3-skeleton contains a complete implementation of this strategy combined with a jwt strategy. It uses the Cardano Web3 strategy to validate the login, register and reset endpoints and afterwards a jwt token is issued taking the responsability for the authenticated requests.
$ npm install
$ npm test
If you find it useful, please consider inviting me a coffee :)
FAQs
Cardano web3 authentication for Passport.
The npm package passport-cardano-web3 receives a total of 6 weekly downloads. As such, passport-cardano-web3 popularity was classified as not popular.
We found that passport-cardano-web3 demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
AGENTS.md is a fast-growing open format giving AI coding agents a shared, predictable way to understand project setup, style, and workflows.
Security News
/Research
Malicious npm package impersonates Nodemailer and drains wallets by hijacking crypto transactions across multiple blockchains.
Security News
This episode explores the hard problem of reachability analysis, from static analysis limits to handling dynamic languages and massive dependency trees.