#dev 2025-06-08

2025-06-08 UTC
grufwub, NaomiAmethyst, [artlung], Mel, lanodan, Xe_, ikay, hacknorris, [ggirelli]1, jacensekai_, Maxpm7, rob32_, stefen7, suki_, ancarda_, vikanezrimaya_, karjala_, aurailus[d], parnikkapore_x, Xander, sebbu2, [artlung]1, [ggirelli]2, oodani, andrei_c, jak2k, Kolev, jak2k1, cappuccino, [ggirelli], leo60228, flipflop and GuestZero_ joined the channel
#
sugardave
So, I've been kicking around some thoughts on ways to implement IndieAuth and I finally came up with a naive implementation that uses an EVM wallet (i.e. MetaMask) to sign a message (proof you own the wallet) and compares the public address of the signer to a whitelist of addresses you wish to represent your authentication source. The sticky part is being able to keep track of the authorization code generated at the auth endpo
#
sugardave
Has anyone else done something similar? Thanks in advance for any ideas!
AramZS, AramZS_, andrei_c, hacknorris and bread joined the channel
#
Zegnat
sugardave: indieauth.com allowed for authentication by signing a random message with PGP/GPG which sounds similar?
geoffo joined the channel
#
sugardave
Zegnat: yeah, I've looked at it before. I am using Astro to run the site, so I am trying to come up with a pattern or integration specifically using EVM wallets that is simple for anyone to integrate with their Astro site. I have the basic authentication flow working, I am just trying to figure out how to compare the code generated on the initial auth request (my site creates that code and passes it to indielogin) to the one
ikay and AramZS joined the channel
#
Zegnat
Many will store the token in a database so they can ensure one time use. (Of course if you only store the token, database can mean just a file.) Alternatively stateless solutions exist where the auth code is something like a JWT. That way if someone contacts your server with the token, you can validate it with a signature check instead and your server can be stateless.
#
sugardave
Zegnat: ah, okay...I will look into JWT, thanks!