Override of the default Strapi v4 email provider to work with Web3 wallets in hybrid mode.
Creating a hybrid Authentication/Authorization system based on the default Email provider of Strapi v4 REST API framework. Let the user being able to authenticate by signing unique off-chain ECDSA messages to avoid replay attacks.
In order to achieve our goal, to let the user experience being simpler as possible, and to let the standard email provider from Strapi untouched as much as we will:
- Adopt a username only authentication method
- Use the username field to store the unique wallet address
- Make the email field optional
- Ignoring username and password on user update
- Deprecate the password field as we will authenticate users with ECDSA signed message
- Create an entity/model (or content-type as Strapi defines) named AuthMessage that we will use to avoid replay attacks
- Implementing Web3.js library to recover() address who signed the message
It's important to permanently store on our off-chain infrastructure the list of already signed messages in order to avoid replay attacks. Imagine that a hacker was able to save a signed message from an user, if we do not invalidate it the attacked would be able to authenticate during lifetime. To avoid security issues and, I implemented the use of a starting letter on the generated messages. In cases like losing the stored list you will be able to invalidate all the "old generation" by simply changing the starting letter and start using the new one (A to B) and start again freshly.
User will be created as not confirmed without email. When a user update his account filling email we follow the standard confirmation workflow.
Copy and paste the files inside your Strapi v4 project. Add the required .env parameters to your Strapi v4 project .env file.
You have to set User-permissions for the new Content-type and the new Authentication provider. To do so go on Strapi backend > Settings > USERS & PERMISSIONS PLUGIN > Roles, and enable only the following methods:
- Public: ['find']
- Authenticated: []
- Public: ['callback', 'emailConfirmation']
- Authenticated: ['emailConfirmation', 'update', 'me']
You need to have Strapi v4 framework with User Permissions plugin.
Strapi comes with a full featured Command Line Interface (CLI) which lets you scaffold and manage your project in seconds.
Start your Strapi application with autoReload enabled. Learn more
npm run develop
# or
yarn develop
Start your Strapi application with autoReload disabled. Learn more
npm run start
# or
yarn start
Build your admin panel. Learn more
npm run build
# or
yarn build
Strapi gives you many possible deployment options for your project. Find the one that suits you on the deployment section of the documentation.
- Resource center - Strapi resource center.
- Strapi documentation - Official Strapi documentation.
- Strapi tutorials - List of tutorials made by the core team and the community.
- Strapi blog - Official Strapi blog containing articles made by the Strapi team and the community.
- Changelog - Find out about the Strapi product updates, new features and general improvements.
Feel free to check out the Strapi GitHub repository. Your feedback and contributions are welcome!
- Discord - Come chat with the Strapi community including the core team.
- Forum - Place to discuss, ask questions and find answers, show your Strapi project and get feedback or just talk with other Community members.
- Awesome Strapi - A curated list of awesome things related to Strapi.
🤫 Psst! Strapi is hiring.