
design a basic auth mechanism

Open lispc opened this issue 4 years ago • 2 comments

lispc Jan 26 '21 08:01

We can bind a user to a public key (for example, extract the public key from the signature, then check hash(publickey) == address).

Then we can follow https://huobiapi.github.io/docs/spot/v1/cn/#urls

For the user:

package main

import (
    "crypto/sha256"
    "encoding/hex"
    "encoding/json"
    "fmt"
    "time"

    ...
)

func main() {
    prvKey := XXX_PrvKey

    url := XXX_URL

    req := &Req{XXX_Req}
    b, err := json.Marshal(req)
    if err != nil {
        panic(err)
    }

    address := XXX_Address

    timestamp := time.Now().Unix()
    // request data to sign: method, URL, canonical query string, JSON body
    reqSignData := []byte(fmt.Sprintf("POST\n%s\naddress=%s&SignatureVersion=1&timestamp=%d\n%s", url, address, timestamp, string(b)))
    // hash the signing string with SHA-256
    h := sha256.New()
    h.Write(reqSignData)
    hash := h.Sum(nil)

    // sign the digest with the user's private key (Sign is assumed to return (sig, err))
    sig, err := prvKey.Sign(hash)
    if err != nil {
        panic(err)
    }

    fmt.Println("address: " + address)
    fmt.Printf("timestamp: %d\n", timestamp)
    fmt.Println("signature: " + hex.EncodeToString(sig))
    // final concatenated URL
    fmt.Printf("%s?address=%s&SignatureVersion=1&timestamp=%d&signature=%s\n", url, address, timestamp, hex.EncodeToString(sig))
    fmt.Println("payload: " + string(b))
}

0xmountaintop Jan 26 '21 08:01

For the server:

  1. check current_timestamp-1s (?) < timestamp < current_timestamp
  2. the request is not replayed (bound to timestamp)
  3. verify (hash, pubkey, signature)

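Both halves of the proposal in working Go, as an added example that is not code from this issue or from dingir-exchange. It assumes P-256 ECDSA from the Go standard library, an address defined as hex(sha256(uncompressed public key)), and a SignedReq wire layout of its own. Because the standard library cannot recover a public key from an ECDSA signature, the client sends its public key with the request and the server checks hash(pubkey) == address instead of recovering it. The server side runs the three checks listed in the comment above, with the replay cache keyed by signature and bounded by the freshness window:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sync"
	"time"
)

// One signed request on the wire (assumed layout for this example).
type SignedReq struct {
	URL       string
	Address   string
	Timestamp int64  // unix seconds; also covered by the signature
	PubKey    []byte // uncompressed P-256 point; server checks hash(PubKey) == Address
	Signature string // hex of an ASN.1 DER ECDSA signature
	Payload   []byte // JSON body
}

var ErrStaleTimestamp = errors.New("timestamp outside accepted window")
var ErrAddressMismatch = errors.New("hash(pubkey) != address")
var ErrBadSignature = errors.New("signature does not verify")
var ErrReplay = errors.New("request already seen")

// signingString is the exact byte string both sides hash (same layout as the client code above).
func signingString(url, address string, ts int64, payload []byte) []byte {
	return []byte(fmt.Sprintf("POST\n%s\naddress=%s&SignatureVersion=1&timestamp=%d\n%s",
		url, address, ts, payload))
}

// AddressOf derives the address from a public key; hex(sha256(point)) is an assumed choice.
func AddressOf(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
	return hex.EncodeToString(sum[:])
}

// ClientSign is the user side: timestamp, canonical string, SHA-256, then ECDSA over the digest.
func ClientSign(priv *ecdsa.PrivateKey, url string, payload []byte, now time.Time) (SignedReq, error) {
	addr, ts := AddressOf(&priv.PublicKey), now.Unix()
	digest := sha256.Sum256(signingString(url, addr, ts, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedReq{}, err
	}
	return SignedReq{URL: url, Address: addr, Timestamp: ts, Payload: payload,
		PubKey:    elliptic.Marshal(priv.Curve, priv.PublicKey.X, priv.PublicKey.Y),
		Signature: hex.EncodeToString(sig)}, nil
}

// Verifier is the server side: a freshness window plus a cache of signatures seen inside it.
type Verifier struct {
	mu     sync.Mutex
	window int64            // seconds a timestamp may lag the server clock
	seen   map[string]int64 // signature -> timestamp; entries older than window are evicted
}

func NewVerifier(window time.Duration) *Verifier {
	return &Verifier{window: int64(window.Seconds()), seen: map[string]int64{}}
}

func (v *Verifier) Verify(r SignedReq, now time.Time) error {
	nowU := now.Unix()
	// 1. freshness: now-window <= timestamp <= now
	if r.Timestamp > nowU || r.Timestamp < nowU-v.window {
		return ErrStaleTimestamp
	}
	// bind user to key: the presented public key must hash to the claimed address
	pub := &ecdsa.PublicKey{Curve: elliptic.P256()}
	if pub.X, pub.Y = elliptic.Unmarshal(pub.Curve, r.PubKey); pub.X == nil || AddressOf(pub) != r.Address {
		return ErrAddressMismatch
	}
	// 3. verify(hash, pubkey, signature) over the canonical string
	sig, err := hex.DecodeString(r.Signature)
	if err != nil {
		return ErrBadSignature
	}
	digest := sha256.Sum256(signingString(r.URL, r.Address, r.Timestamp, r.Payload))
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return ErrBadSignature
	}
	// 2. replay: checked last, so only signatures that verified are ever recorded
	v.mu.Lock()
	defer v.mu.Unlock()
	for s, ts := range v.seen {
		if ts < nowU-v.window {
			delete(v.seen, s)
		}
	}
	if _, dup := v.seen[r.Signature]; dup {
		return ErrReplay
	}
	v.seen[r.Signature] = r.Timestamp
	return nil
}
```

The order of checks is deliberate: the timestamp window goes first because it is cheapest and bounds how long a replay entry has to be kept; the signature is verified before anything is written to the cache so forged requests cannot fill it; the cache is consulted last. A window of only 1s, as floated in the comment above, leaves little room for clock skew, so the example takes the window as a parameter. Because address and timestamp are inside the signed string, neither query parameter can be changed without invalidating the signature.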