Login with blockchain: Everscale
This article is about how to use the Everscale blockchain and EVER wallet to authorize a user without creating a transaction in network.
Services such as Google, Apple, Facebook provide an opportunity to use one-click login. It speeds up the process and eliminates the need to fill out a form and remember a password. Blockchain wallet (browser extension) also can be used for registration and login. Method below also may help with linking wallet with regular account.
But first, let’s discuss what private and public keys are and how these keys are related to a blockchain wallet. Whenever you create a blockchain wallet, you are provided a private key and a public key that is associated with it. The public key can be shared and used for data encryption and signature verification. The private key is top secret and used for data decryption and signing. The wallet ability to sign data with private key as well as having a way to verify the signature are features that allows us to implement this solution.
Model of digital signature
- Signer feeds data to the hash function and generates hash of data.
- Hash value and signature key are then fed to the signature algorithm which produces the digital signature on given hash.
- Verifier feeds the digital signature and the verification key into the verification algorithm. The verification algorithm gives some value as output.
- Verifier also runs same hash function on received data to generate hash value.
- For verification, this hash value and output of verification algorithm are compared. Based on the comparison result, verifier decides whether the digital signature is valid.
How the login flow works
We can identify account using an address and cryptographically prove user owns it. To prevent the case where an intruder gets hold signature, we enforce the message to sign to be provided by backend and regularly changing.
- User fetches generated nonce from backend.
- User signs the nonce and sends signature to the server.
- Backend verifies signature and makes sure the user is the owner of the address.
- Backend changes the nonce.
- Backend returns access token.
I used React, Nest.js and MondoDB in the project, but working with these tools is beyond the scope of this article. If you need a more detailed tutorial, feel free to write about it in the comments.
Frontend
In order to be able to interact with the EVER wallet, we need a provider. I used everscale-inpage-provider package developed by broxus https://github.com/broxus/everscale-inpage-provider#readme
This is how the nonce is signed
Backend
Let’s have a look on some dependencies of Node.js project:
- @eversdk/core
- @eversdk/lib-node
- noble-ed25519
You can read more about eversdk here https://github.com/tonlabs/ever-sdk
I also used noble-ed25519 for working with cryptography, because the everscale-inpage-provider uses a different way of signing/verifying data than the TonClient from eversdk.
We know account address. And first of all we need to fetch this account data from the blockchain. For these purposes we can use GraphQL, adapted by TON Labs developers. Each full node on Everscale blockchain contains all information about all transactions. GraphQL acts as a protocol to it, which is additionally installed by the owner of the node and makes it possible to make a search query across the entire blockchain.
There is SDK method for decoding account data, but to use it, the ABI of the contract must be greater than version 2.1. We can’t use in with SafeMultisigWallet contract (user’s wallet), because its ABI version is 2.0. But given that the public key is in the first position in the account data and we know its data type, we can use partial decoding without using ABI.
OK. After all we have user address, public key extracted from account data, nonce and signature. Let’s make sure user is address owner.
It wasn’t so hard, was it? Again, if you have any question, feel free to ask.
