This repository has been archived by the owner on Jun 11, 2024. It is now read-only.

Using api without sending passphrase #10

Closed
fix opened this issue Mar 22, 2016 · 1 comment

Comments

fix commented Mar 22, 2016

In order to prevent sending the passphrase through the API on opening an account, it should be done the following way:

  1. The user requests opening an account, sending publicKey (/api/account/open?publicKey=...)
  2. The server creates a random token, encrypts it with publicKey and sends it back
  3. The user decrypts it with the private key and sends the token back to the server (/api/account/open?publicKey=...&token=...)
  4. The server compares both tokens. If they are equal, the user is authenticated.

Ideally the IP should be matched, and the token invalidated if the IP changes or after some time.

As for creating transactions, it should be clear in the doc that the API cannot be used safely, and that lisk-js should be used instead.
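
The four-step exchange proposed in the comment above, with the IP binding and expiry it mentions, as an added example that is not part of the original issue or the project's code. An RSA-OAEP key pair stands in for the account key pair, and the function names, the 60-second lifetime and the in-memory store are assumptions.

```javascript
// Added example (not project code). Assumption: an RSA-OAEP key pair stands in
// for the account key pair; all function names here are hypothetical.
const crypto = require('crypto');

const TOKEN_TTL_MS = 60000; // assumed lifetime for "after some time"
const pending = new Map();  // publicKey PEM -> { hash, ip, expires }
const OAEP = { oaepHash: 'sha256', padding: crypto.constants.RSA_PKCS1_OAEP_PADDING };
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();

// Steps 1-2: server creates a random token and encrypts it to the public key.
// Only a hash of the token is kept, so the store never holds a usable token.
function issueChallenge(publicKeyPem, ip, now = Date.now()) {
  const token = crypto.randomBytes(32);
  pending.set(publicKeyPem, { hash: sha256(token), ip, expires: now + TOKEN_TTL_MS });
  return crypto.publicEncrypt({ key: publicKeyPem, ...OAEP }, token).toString('base64');
}

// Step 3: client decrypts locally; the private key never leaves the client.
function answerChallenge(privateKeyPem, challengeB64) {
  const blob = Buffer.from(challengeB64, 'base64');
  return crypto.privateDecrypt({ key: privateKeyPem, ...OAEP }, blob).toString('hex');
}

// Step 4: server compares tokens. The challenge is single use (deleted on the
// first attempt), bound to the requesting IP, and rejected after it expires.
function verifyToken(publicKeyPem, tokenHex, ip, now = Date.now()) {
  const entry = pending.get(publicKeyPem);
  pending.delete(publicKeyPem);
  if (!entry || typeof tokenHex !== 'string') return false;
  if (entry.ip !== ip || now > entry.expires) return false;
  // Both sides are 32-byte digests, so the constant-time compare never throws.
  return crypto.timingSafeEqual(sha256(Buffer.from(tokenHex, 'hex')), entry.hash);
}

// Constructed demo key pair (sample data, generated locally).
function demoKeyPair() {
  return crypto.generateKeyPairSync('rsa', {
    modulusLength: 2048,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
}

const demo = demoKeyPair();
const challenge = issueChallenge(demo.publicKey, '203.0.113.5');
console.log(verifyToken(demo.publicKey, answerChallenge(demo.privateKey, challenge), '203.0.113.5'));
```

Deleting the pending entry on the first verification attempt, successful or not, is what stops a captured token from being replayed.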

fix commented Aug 30, 2016

Closing it as a duplicate of #39
