DAuth Verification

The ETH address for the verification key in testnet is:

0xf3b4e49Fd77A959B704f6a045eeA92bd55b3b571

Verification Sample Code

1. Proof Verification

DAuth/core provide a "verifyProof" method to verify proof. The term "proof" in this context refers to a piece of evidence or verification that includes both the signed data and the metadata associated with the signature.

import {verifyProof} from "@dauth/core"; 
const result = await authOtpConfirm({ // same as the authOauth() function
   code,
   request_id: 'The id related to the TX or userOp',
   mode: 'proof',
   id_type: "mailto"
})

const isValid = verifyProof(result.data) 

The following is the source code for verifyProof, you can implement it in your preferred language.

import { utils } from "ethers";
export const verifyProof = (
  proof: IOtpConfirmReturn,
  dauthSignerAddress = "0xf3b4e49Fd77A959B704f6a045eeA92bd55b3b571"
) => {
   const {auth, signature} = proof
    // String to hexlike
    const sig = "0x" + signature
    const {acc_and_type_hash, request_id} = auth
    // request_id can be two types: string or hex
    // The request_id can have two types of values: a simple string or a hexadecimal string.
    // If the length of the request_id is 64 characters, it is treated as a hexadecimal string.
    // Otherwise, if the length is different from 64, it is treated as a regular string.
    const request_id_hash = request_id.length === 64
        ? utils.arrayify("0x" + request_id) : utils.keccak256(utils.toUtf8Bytes(request_id))
    // Concat data
    const msg = utils.defaultAbiCoder.encode(
        ["bytes32", "bytes32"],
        ["0x"+ acc_and_type_hash, request_id_hash])
    // Hash and turn to bytes
    const msgHash = utils.arrayify(utils.keccak256(msg))
    // Computes the EIP-191 personal message digest of message.
    // Personal messages are converted to UTF-8 bytes and prefixed with \x19Ethereum Signed Message: and the length of message.
    const msgHashWithPrefix = utils.hashMessage(msgHash)

    const recoveredAddress = utils.recoverAddress(msgHashWithPrefix, sig);

    return recoveredAddress.toLowerCase() === dauthSignerAddress.toLocaleLowerCase()
};

2. JWT Verification

• jwt document

  • when using dauth with sign_mode jwt, after user authentication, a JWT token is returned.

  • Inside JWT token's payload, there are multiple fields including:

  {
    "alg": "RS256", 
    "sub": "5ab801895f32e926912710e276f728bab070b90790b6bcd17eeb7382a4955cb5",
    "idtype": "mailto",
    "iss": "dauth.network",
    "aud": "demo",
    "iat": 1690272920,
    "exp": 1690276520
  }

  • fields inside payloads:

    • alg: algorithm using for signing JWT, which is RS256.

    • sub: subject or user that passes authentication, it is a kecc256 hash of user account

    • idtype: account type

    • iss: issuer

    • aud: audience

    • iat: JWT issued time

    • exp: JWT expired time, usually it is 1 hour(3600 seconds) after iat

  • To use JWT token in your own code:

    • first find a suitable JWT library for your programming language and your framework here: https://jwt.io/libraries

    • then, Get JWT public key here: https://demo-api.dauth.network/dauth/sdk/v1.1/jwks.json

    • With the library and public key, you can call verify:

      • verifies whether JWT is signed by the owner of the public key,

      • verifies whether JWT token expired,

      • extract all data inside payload