Using SteemConnect for server side authentication

in #utopian-io, 7 years ago (edited)

SteemConnect

In a previous post I explained how I'm exploring the integration of SteemConnect in the SteemMakers website. Part of this integration is required to enable client-side functionality, starting with voting. Another requirement is for the server to serve certain functionality based on user rights. At SteemMakers we are not experienced website developers and that's why SteemConnect is such a good solution for us. It takes away all the difficult security matters so we don't have to worry about them.

Server side

One last proof of concept that needed to be done was to make server-side decisions based on the user, since SteemConnect is focused on enabling the client to interact with the blockchain. Something we have in mind is to enable certain users to add entries to the database. This requires identification before serving this functionality. Thanks to the excellent support by @fabien I quickly got to the basic implementation idea. I didn't want to store the access key on the server because that would mean security measures. The username alone is not enough because it can easily be tampered with on the client. The access token and username are available on the client and can be read by the server from the cookie over a secure connection. The trick is to verify this data from the server as well, using https://steemconnect.com/api/me?access_token=here_the_token. This basically verifies the user from the server side as well.
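The server-side check described above, as an added example rather than the code from the SteemMakers commit: the server asks SteemConnect who owns the token and trusts only that answer. The `user` field of the `/api/me` reply, the function names and the sample replies are assumptions.

```php
<?php
// Added example, not the SteemMakers commit. Assumed: /api/me replies with
// JSON containing a "user" field; all function names here are hypothetical.
const SC_ME_URL = 'https://steemconnect.com/api/me';

// Ask SteemConnect who owns the token. Returns the decoded reply or null.
function fetch_token_owner(string $accessToken): ?array
{
    $ch = curl_init(SC_ME_URL . '?access_token=' . rawurlencode($accessToken));
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_FOLLOWLOCATION => false, // never forward the token to a redirect target
    ]);
    $body   = curl_exec($ch); // TLS certificate checks stay at cURL's defaults (on)
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($body === false || $status !== 200) {
        return null;
    }
    $reply = json_decode($body, true);
    return is_array($reply) ? $reply : null;
}

// Pure decision step: the trusted name is the one SteemConnect returned, and a
// username cookie that disagrees with it is treated as tampering (fail closed).
function verified_username(?array $reply, string $cookieUser): ?string
{
    $owner = $reply['user'] ?? null;
    return (is_string($owner) && $owner !== '' && $owner === $cookieUser) ? $owner : null;
}

// Rights are looked up only for a verified name; $elevated stands in for the database.
function can_add_entries(?string $verifiedUser, array $elevated): bool
{
    return $verifiedUser !== null && in_array($verifiedUser, $elevated, true);
}

// Constructed replies and names, so the decision logic runs without network access.
// Live use: verified_username(fetch_token_owner($tokenFromCookie), $userFromCookie)
$elevated = ['alice'];
$cases = [
    'token and cookie agree'   => [['user' => 'alice'], 'alice'],
    'cookie username tampered' => [['user' => 'mallory'], 'alice'],
    'token rejected upstream'  => [null, 'alice'],
];
foreach ($cases as $label => [$reply, $cookieUser]) {
    $allowed = can_add_entries(verified_username($reply, $cookieUser), $elevated);
    echo $label, ': ', $allowed ? 'allowed' : 'denied', PHP_EOL;
}
```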

Database additions

To allow user rights, some additions needed to be made to the database. For this we recreated the diagram in dbForge Studio Express for MySQL instead of MySQL Studio. The transition went rather smoothly; we kept MySQL and just changed the tools. Some minor changes were needed but the update went unnoticed.

Minimal implementation

If you are interested in the details needed to implement this functionality yourself, you can have a look at the code on GitHub. This commit has the minimal implementation as described above, enough for us to continue our work on the SteemMakers website. I hope this information can help someone out in the future. At this point in time you can see the code in action on www.steemmakers.com/test/test.php. These pages will be removed in the near future but it should be easy to reproduce this functionality based on the commit.

For a user who is not logged in, the functionality is limited:

capture.PNG

A logged in user without rights will also have limited functionality:
Capture1.PNG

An elevated user will have extra functionality:
Capture2.PNG

Next steps

The next step for us is to integrate this proof of concept into the site.

Help us out

Anyone interested is free to join and help out. We're especially looking for help on the guidelines and for curators. The code is available on GitHub; have a look and join us on Discord!

Utopian proof of work: GitHub commit



Posted on Utopian.io - Rewarding Open Source Contributors


Thank you for the contribution. It has been approved.

Hi @jefpatat, have you seen this warning?

php-warnungen.png

You can contact us on Discord.
[utopian-moderator]

Oh, thanks for mentioning, I noticed this before on other projects but not here, I just ignore warnings from GitHub, I don't really use the web interface.

My personal opinion is that it's a leftover from prehistoric *nix times for whatever reasons (line counting, not being able to show the last text because it is "not on a line"). I'm a Windows guy using 2018 tools. My toolchain has no issues with it and doesn't give me a warning.

I agree that on a bigger level this opinion might be flawed but in our use case it's ok.

You can read about Steem Connect docs written by yours truly here https://www.steemfiles.com/steemconnect_notes.html
