Passwordless authentication based on public/private key signatures.
ECDSA implementation for Laravel/Dingo API with the help of elliptic-php and keccak packages.
```bash
composer require ivanciric/ecdsa-auth
```

The library uses Laravel's package auto-discovery, so you don't need to register the service provider manually.

Publish the package configuration:

```bash
php artisan vendor:publish
```

After publishing the configuration, you can edit the available options in `config/ecdsaauth.php`:
| Option | Details |
|---|---|
| `user_provider` | User class that should be used when attempting to authenticate an incoming API request. Default: `\App\User::class` |
| `lookup_field` | Field that should be initially checked when attempting to authenticate an incoming API request. Default: `email` |
| `verification` | If you require users to be verified (e.g. email verified) in order to access the data, set this option to `true`. Default: `false` |
| `verified_field` | If you've set `verification` to `true`, state the field which marks the user as verified. Default: `email_verified` |
| `verified_pass_condition` | Value of the `verified_field` that marks the user as verified. Default: `1` |
| `key_lookup_field` | Field which contains the public key of the user. This can be an Ethereum address or a plain ECDSA public key. Default: `crypto_key` |
| `authorization_header` | Name of the header which holds the authorization payload. Default: `authorization` |
| `authorization_methods` | Methods allowed in the authorization header. They denote the supported signature schemes. Default: `['eth', 'ecdsa']` |
| `message_property` | Key in the payload which contains the message. Default: `message` |
| `signature_property` | Key in the payload which contains the signature. Default: `signature` |
| `error_messages` | Array of various friendly error messages. |
This package presumes you have Dingo API set up. Edit the `config/api.php` file and set the `auth` key as follows:

```php
'auth' => [
    'ivanciric\EcdsaAuth\Authenticator'
]
```

You should set `lookup_field` and `key_lookup_field` in the package config to reflect the properties of your user model.

Protect your routes by specifying the middleware:

```php
$api->version('v1', ['middleware' => 'api.auth'], function ($api) {
    ...
});
```
The Authorization header should contain the payload in one of the following forms:

```
Eth eyJlbWFpbCI6ImhhQG1hLnRvIiwibWVzc2FnZSI6IjkyNThhNjQ0Y2FmZTZ...
```

or

```
Ecdsa eyJlbWFpbCI6ImhhQG1hLnRvIiwibWVzc2FnZSI6IjkyNThhNjQ0Y2FmZTZ...
```

The payload itself is base64-encoded JSON with the following properties:

```jsonc
{
  "email": "h@ma.to",                     // user's email or alternative lookup field
  "message": "message that you've signed", // string
  "signature": "3046022100a94c1a..."       // signature over the message
}
```

All property names are configurable (see `lookup_field`, `message_property` and `signature_property` above).