GetScatter/scatter-js

How is origin defined for signing an authentication request?

alesito85 opened this issue · 6 comments

So in case of Scatter Desktop the origin is always "file://". Is there any way that an app that is requesting authentication receives the origin that has been used to sign the request?

Is there any case when an origin might be something else or can it be manually set in scatterjs-eos2?

Err, not sure how origin would even be file://?
Are you trying to use it from a vanilla html/js file without hosting it?

This seems to have been hardcoded for Scatter Desktop. The only issue is that this hasn't been documented, and it's hard to do signature verification when one doesn't know how the message is composed. Or I'm missing something...

What is hardcoded?

The only way I can think of that it gets a file:// prefix is if you are just opening an HTML file from your computer without hosting it through a local server like http-server, nginx, or apache. There is no special logic for that (or even handling afaik) since that isn't something which would actually happen in the wild.

When I get a signature I need to know the message that was signed in order to verify the signature. Is there a way to get this message?

Until now, the only way I found that works is by using a static "file://" concatenated with the nonce.

Ah, I see what you're asking.
Then yes, since you are running it from your drive, and also not putting in the optional parameter to specify what is to be signed, authenticate() is using the origin, which in your case is the filepath.

You can pass in something else to sign instead: https://github.com/GetScatter/scatter-js/blob/master/mock-sites/eosjs/index.html#L219