Authenticate NEAR Users
Recently NEAR has approved a new standard that, among other things, enables users to authenticate into a backend service.
The basic idea is that the user will sign a challenge with their NEAR wallet, and the backend will verify the signature. If the signature is valid, then the user is authenticated.
Backend Auth with a NEAR Wallet​
Authenticating users is a common use-case for backends and web applications. This enables services to provide a personalized experience to users, and to protect sensitive data.
To authenticate a user, the backend must verify that the user is who they say they are. To do so, the backend must verify that the user has access to a full-access key that is associated with their account.
For this three basic steps are needed:
- Create a challenge for the user to sign.
- Ask the user to sign the challenge with the wallet.
- Verify the signature corresponds to the user.
1. Create a Challenge​
Assume we want to login the user into our application named application-name.
We first need to create a challenge that the user will sign with their wallet. For this, it is recommended to use a cryptographically secure random number generator to create the challenge.
import { randomBytes } from 'crypto'
const challenge = randomBytes(32)
const message = 'Login with NEAR'
Here we use crypto.randomBytes to generate a 32 byte random buffer.
2. Ask the User to Sign the Challenge​
The signMessage method needed to sign the challenge is supported by these wallets:
- Meteor Wallet
- Here Wallet
- Near Snap
- Nightly Wallet
- WELLDONE Wallet
- NearMobileWallet
- MyNearWallet
- Sender
The message that the user needs to sign contains 4 fields:
- Message: The message that the user is signing.
- Recipient: The recipient of the message.
- Nonce: The challenge that the user is signing.
- Callback URL: The URL that the wallet will call with the signature.
// Assuming you setup a wallet selector so far
const signature = wallet.signMessage({ message, recipient, nonce: challenge, callbackUrl: <server-auth-url> })
3. Verify the Signature​
Once the user has signed the challenge, the wallet will call the callbackUrl with the signature. The backend can then verify the signature.
Loading...
