HiveAuth client library

in HiveDevs, 6 months ago

Yesterday, HiveAuth (formerly Hive Authentication Services, or HAS) was released. Hive Keychain, Peakd and Hive.Blog have released new versions that add support for this new, secure way of logging in to a Hive frontend without having to enter your private key on a computer. All you need is a compatible wallet app (Hive Keychain) installed on your mobile phone.

@arcange is the person behind the HiveAuth project and has made available a HiveAuth server and a wrapper library that facilitates integration into an existing app.

HiveAuth in a nutshell

The basic idea of HiveAuth is to create a communication channel between an app (a frontend such as Hive.Blog or Peakd) running on your computer (or on your mobile phone) and a wallet app installed on your mobile phone. When authenticating yourself or performing an action that requires a signature with your private key (post, comment, vote, etc.), instead of giving your private key to the app, or installing a browser extension (Hive Keychain) on a computer you don't trust, you can use the wallet app on your mobile phone.

The app makes a request to the HiveAuth server, which then transmits it to the mobile wallet app. The mobile wallet app uses the key you already stored in it to sign the transaction and returns the signed data to the app via the HiveAuth server. During this process, neither the app nor the HiveAuth server learns the private key. Only the trusted mobile wallet app holds the key.

HiveAuth Client library

When I integrated HiveAuth into Condenser, I took the opportunity to create my own wrapper library. It is based on @arcange's HiveAuth Wrapper Library but takes an event-based approach to minimise the use of callback functions, for more clarity, and it also minimises the internal use of timeouts and intervals. Refactoring the library also helped me understand more about how things work.

Installation

The HiveAuth Client library is available on GitHub: https://github.com/quochuy/hive-auth-client

It's also available as an NPM package that can be installed to your project with the following command:
yarn add hive-auth-client

Then simply import it into your script:
import HasClient from 'hive-auth-client';

Configuration

Once imported, a little configuration is needed. The following line instantiates the client class and defines the hostname of the HiveAuth server to use:
const client = new HasClient('hive-auth.arcange.eu', '', true);

You will also need to configure some metadata to identify your app to the mobile wallet app:

const APP_META = {
    name: 'Hive Blog',
    description: 'Hive Blog',
    icon: 'https://hive.blog/images/hive-blog-logo.png',
};

Finally, you will have to create an auth object that stores the authentication data for the user. This auth data identifies your session with the HiveAuth server:

const auth = {
    username: undefined,
    token: undefined,
    expire: undefined,
    key: undefined,
};

Authentication + Challenge

The first thing you'll need to do is handle the login to your app by requesting an authentication from the mobile wallet app and, at the same time, requesting a challenge to sign with a posting key (or any other type of private key, depending on what your app needs to do).

The client library will auto-connect the websocket when attempting to send a message and will automatically attempt a reconnection if it is dropped.

Broadcasting a transaction

Similarly to authenticating, to broadcast a transaction you just set up your event handlers first, then call client.broadcast();

Documentation

My HiveAuth Client library only helps you handle the communication between your app and the HiveAuth server. You can see the list of available methods and events on the NPM page:
https://www.npmjs.com/package/hive-auth-wrapper

For a complete integration, you still need to understand and handle the rest of the HiveAuth protocol. For that, check out the HiveAuth documentation:
https://docs.hiveauth.com/


instead of giving your private key to the app, or instead of installing a browser extension (Hive Keychain) on a computer you don't trust

So is the main use case that you can perform actions on a computer that you don't trust? So you can for example have your phone with you and go to a friend's computer and log in to your own Hive account on their computer and perform actions without ever having to enter your private key on their computer?

You shouldn't really trust even your own computer. It's very hard to prevent desktop and browser exploits.

Or if you go on travel and need to access Hive from a computer in an Internet cafe.

Yep, makes sense. And I get now how it is useful for that. I think it wasn't presented in that way, though (ability to use your Hive account on computers you don't trust), but rather as a new, standard way to log in, which didn't make sense to me as I didn't see how it improves the security of an app making a signing request directly to a wallet like Hive Keychain.

As @smooth mentioned, you can't always trust your own computer either: virus, malware, keylogger, hack, etc.

Well, there are many attacks for both desktop and mobile devices, and I would certainly not consider a mobile device as more secure than desktop. You can lose a mobile device, it can more easily get stolen, there are wifi attacks over insecure networks, all sorts of apps require all sorts of intrusive permissions, and so on. The typical protections like drawing a shape or similar to unlock the device wouldn't stop someone from either brute-forcing into your device or simply disassembling it and reading from its disk.

And, as an additional point, if you really care about security, it's not like you can install clean Linux on a mobile device and install only software packages you know and have checked, so that you only have open-source software on your machine and you know what everything does and how it works. This kind of thing is standard if you operate a server. And you would encrypt any sensitive information like passwords, you wouldn't at all store them as plain text. I don't know how you can achieve any of this basic level of security on a mobile device.

You can lose a mobile device [...] disassembling it and reading from its disk

As @stoodkev mentioned in his replies, keys stored in your phone are encrypted twice, first with your wallet password, then with your fingerprint signature. Should someone get access to your phone storage, he would need both your password and finger to decrypt it.

there are wifi attacks over insecure networks

All data traveling between your mobile and the HAS server are encrypted. Even the HAS server acting as a gateway has no idea of what's going on between the App and the wallet storing your keys (keychain)

If, like me, you are paranoid, you shouldn't use a mobile at all. These things have been designed to share information, not to secure it.
Moreover, you shouldn't use any front-end you didn't create yourself or fully analyze the source code and the infrastructure it runs on.

When it comes to having a little ease of use, sometimes you have to make a few compromises. In this case, HiveAuth may be an "acceptable" solution that, to the extent of what is feasible at the code, protocol and infrastructure level, does not compromise on security. Anyway, that's how I designed it.

Nothing is 100% secure, I guess you need to minimise the risks. If you have to use an untrusted computer, better use your mobile than entering the keys on that computer.

If the WIFI network is being sniffed, it's still OK because the keys are not being transmitted between the wallet and the frontend only the request and the signed content.

As for losing the phone and the person brute forcing into the device, even if they read the disk, the keys would be encrypted in the local storage of the wallet app, I don't think Hive Keychain stores keys in plain text (@stoodkev let me know if I'm wrong). Some phones also have a protection system where you can remotely wipe the phone or it will self-wipe under brute force.

@arcange can also give more details regarding the security side of HiveAuth.

The keys stored are encrypted at least once with the PIN, twice if using biometrics.

Thank you for all the hard work you did to make the HiveAuth launch a success.

Does it mean we can connect our Hive keys to any wallet app we have?

No. Only Hive Keychain app at the moment.

I really love experiencing updated versions and good to know that Peakd now updated though I love using Ecency for Hive more.

Your content has been voted as a part of Encouragement program. Keep up the good work!

Use Ecency daily to boost your growth on platform!



The rewards earned on this comment will go directly to the person sharing the post on Twitter as long as they are registered with @poshtoken. Sign up at https://hiveposh.com.

Congratulations @quochuy! You have completed the following achievement on the Hive blockchain and have been rewarded with new badge(s):

You distributed more than 100000 upvotes.
Your next target is to reach 105000 upvotes.

You can view your badges on your board and compare yourself to others in the Ranking
If you no longer want to receive notifications, reply to this comment with the word STOP

To support your work, I also upvoted your post!

Check out the last post from @hivebuzz:

Hive Power Up Month - Feedback from February day 20

Thanks for the tutorial. I have to reblog.

this is very convenient for users, thanks to all friends who have worked hard to release it.

Congratulations @quochuy! Your post has been a top performer on the Hive blockchain and you have been rewarded with the following badge:

Post with the highest payout of the day.


Check out the last post from @hivebuzz:

Hive Power Up Month - Feedback from February day 22

good job!