Request Validation

There are no logins. Verifying that a request was generated by a specific private key is usually handled by the protocol itself. This generally works well, but in applications such as Province that require more frequent interaction, it can become quite expensive for users over time because of the network transaction costs. To help minimize the total transaction costs for users, we often use a different technique to verify, without using the blockchain, that a request was generated by an agent that controls the private and public key pair.
  1. Often, a request will require a specified set of parameters within a JSON object. To start the process, this JSON is converted into a string. Example:
    const msg_to_sign = JSON.stringify(msg_json);
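  2. On the client side, the user signs this message using their wallet, generating a signature (the hash referred to in the steps below). Example:
    // Hex-encode the UTF-8 bytes of the JSON string for personal_sign.
    const msg = `0x${Buffer.from(msg_to_sign, 'utf8').toString('hex')}`;
    // Ask the wallet to sign; the result is the hash sent to the service.
    const sign = await ethereum.request({
      method: 'personal_sign',
      params: [msg, address, 'Example password'],
    });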
  3. The client submits the string version of the JSON and the hash to the respective service.
  4. The service then verifies the address behind the hash using a library (such as ethers), which has a function to recover the address of the private key (wallet) that signed the data. This address is then used for identification, to determine whether the consuming service generating the request is authorized to execute it. Example:
    // msg is the JSON string submitted in step 3; hash is the value produced in step 2.
    var address = ethers.utils.verifyMessage(msg, hash)
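A sketch of how a service might carry out steps 3 and 4, added here as an example and not taken from Province's code. The names validateRequest and AUTHORIZED, the sample address, and the use of ethers v5 are assumptions; recovery is passed in as a function so the authorization logic can be exercised separately.

```javascript
// Added example: server-side handling of steps 3 and 4.
// AUTHORIZED and validateRequest are hypothetical names, not Province's API.
const AUTHORIZED = new Set([
  // Constructed sample address, stored in lowercase.
  '0xabcdefabcdefabcdefabcdefabcdefabcdefabcd',
]);

// Default recovery is the ethers v5 call shown in step 4, loaded lazily so
// the checks below can also be run with a substitute recovery function.
const ethersRecover = (msg, hash) =>
  require('ethers').utils.verifyMessage(msg, hash);

function validateRequest(msg, hash, recover = ethersRecover, allowed = AUTHORIZED) {
  if (typeof msg !== 'string' || typeof hash !== 'string') {
    return { ok: false, reason: 'malformed request' };
  }
  let address;
  try {
    // Verify the exact string the client sent. Re-serializing the JSON first
    // can change key order or whitespace and so recover a different address.
    address = recover(msg, hash);
  } catch (err) {
    // A malformed signature makes recovery throw; fail closed.
    return { ok: false, reason: 'invalid signature' };
  }
  // Addresses may arrive lowercase or in checksummed mixed case.
  const signer = String(address).toLowerCase();
  if (!allowed.has(signer)) {
    // An altered message recovers to some other address and lands here.
    return { ok: false, reason: 'signer not authorized', signer };
  }
  let params;
  try {
    // Parse the parameters only after the signer is known and authorized.
    params = JSON.parse(msg);
  } catch (err) {
    return { ok: false, reason: 'signed message is not JSON', signer };
  }
  return { ok: true, signer, params };
}
```

Pass the original JSON string from step 3 as msg, not the 0x-prefixed hex form from step 2: given a string, ethers hashes its UTF-8 characters, so the hex text would recover a different address.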