# Steem Engine DEX: A technical deep-dive on JWT Authentication

by @beggars
The new Steem Engine DEX adds a JSON Web Token (JWT) layer on top of the exchange, allowing users to log in safely and prove they are who they say they are. It is a problem that has been solved in many different ways, and for most decentralised blockchain applications a secondary layer of authentication is not even required.

## Handshakes and secrets

When a user attempts to log in to the DEX, either through the Steem Keychain extension or with their Steem password/posting key, all we know is their username. In the Keychain case the username is all we ever get.

The old DEX simply stored the username in `localStorage` and read it back to determine who the logged-in user was. Because every operation still requires approval through Keychain or Steem Connect, this was purely cosmetic. However, you could edit the stored username to give the appearance of being logged in as someone else, because all of the data-fetching calls referenced that value.

Because every action is verified on the blockchain, only the real account holder can perform an action for a specific account. But on the new DEX we needed KYC (Know Your Customer) for legal compliance, which is a prerequisite for some exciting upcoming features, and that means the server itself has to know which account it is really talking to.

## The flow

The process for creating JWT tokens and truly logging a user in goes along the following lines:

- User attempts to log in
- A request is made to the auth API, which builds a challenge: the user's username and a randomly generated GUID, AES-encrypted so that only the server can decrypt it
	- That AES string is wrapped in a Steem memo encrypted to the user's public posting key using the steem-js memo function
	- The encrypted memo is returned to the client
- The client decrypts the memo with the user's private posting key (through Steem Keychain or the supplied password/private key), which reveals the AES string, and sends it back to the auth API
- The server decrypts the AES string, confirms it is valid (right account, not expired, not already used), and issues a JWT to the user

**On the client-side an authenticated session looks like this:**

![image.png](https://files.steempeak.com/file/steempeak/beggars/RBeih3XJ-image.png)

As the screenshot shows, the session holds a token that is valid for one hour. A second token not pictured here (the refresh token) is then used to obtain a fresh token on the next request after the first one expires.

The token setup allows us to encrypt uploaded KYC documents and constrain who is permitted to access them in the application. It also lets us securely store user settings and other personalised data that nobody but the user should be able to change.

While the process might seem convoluted when you break it down, from a UX perspective it doesn't complicate the login process, and the end user is none the wiser about what is happening under the hood. As with anything, we're always looking for ways to improve what we've done, so there may be tweaks and changes over time to how this all works. For now, it seems to work quite well.
Posted 2019-11-13 by @beggars in steem-engine (tags: steem-engine, steemdev, steem, development, steemit)
@contrabourdon ·
@untersatz curate 100

Posted using [Partiko iOS](https://partiko.app/referral/contrabourdon)
@untersatz ·
This post has been upvoted by witness [@untersatz](https://untersatz.steem.design). You've done a great job!
The [@untersatz](https://untersatz.steem.design) witness and manual curation is under the guidance of @contrabourdon and @organduo.
Current VP: 89.39%