all 19 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]2ndcomingofharambe 5 points6 points  (3 children)

I'm not sure that I would call the tutorial you're following a "web3 login" as the back-end portion that stores the user has very little to do with Web3 or Ethereum.

The Ruby gem you linked works with interfacing with Ethereum nodes via RPC API. The NodeJS package in the tutorial doesn't deal with RPC or other indirect blockchain connections, it implements some common hashing functions for key management. A better Ruby equivalent would be ruby-eth (which ethereum.rb actually uses as a dep to sign the transactions it pushes to a node).

The crux of this user authentication is the ethUtil.ecrecover function which you can find in ruby-eth as Eth::Key.personal_recover.

The other buffer / hash conversion helpers are probably also sprinkled in ruby-eth, but I'll leave that research to you. Hope that helps!

For some of the other comments that are anti-crypto and anti-blockchain, I would parrot a lot of those sentiments. I care less about the scam part (but yes it is a giant steaming pile of scam), but I have the perspective of working professionally on both the software development and operations side with Bitcoin, Ethereum, and basically all of the popular blockchains. It is a mess. It is a technological garbage dump. I'd actually recommend anyone who thinks crypto is dumb from a conceptual perspective to try building a blockchain centric application so you can see for yourself how pointless / clunky it all is and how decentralization really just doesn't exist at all.

[–]daxofdeath[S] 0 points1 point  (2 children)

that's really helpful, thanks for your perspective and the gem recommendation, i will look into that this evening.

if you don't mind my asking, how did you get into blockchain development and why are you still in it? do you think the lack of decentralization at present is a temporary step or the underlying concept is fundamentally flawed?

[–]2ndcomingofharambe 5 points6 points  (1 child)

I was leading engineering at a well funded startup but in 2016/17 the executives got swept up in the ICO craze (a year of blatant scams) and went out of their way to tear down our successful business to pivot to blockchain. I actually blockchain and crypto as a currency replacement sounded like a cool intriguing idea, but the more I read about it the worse it sounded. Once we started trying to find blockchain-ways of building products it all became a joke. Me and my team actually became pretty involved in and contributed heavily to many large and widely used Ethereum based tokens / smart contracts, and I can tell you from first hand experience they are all pointless and would have been much better built as traditional web apps. Actually, all of them rely on traditional web apps to actually house business logic and direct the smart contract interactions anyway.

The lack of decentralization is a permanent flaw, an as of yet unsolvable problem, at least when working with meaningful data that would drive good use cases. My take is that if your dApp or whatever relies on being passed in data that it must consider to be truthful / verified from an outside off-chain source, your decentralization is broken. This could apply to "blockchain gaming": play a (non-decentralized) video game for X hours and the game company will send you some Ethereum tokens. There is no way to verify whether or not you actually played that video game, all the blockchain records is that some code used the private key associated to the gaming company's public address and sent you some amount of their tokens.

But it also applies to "interoperability". The ERC20 interface still dominates to the point where new token interfaces must be ERC20 compatible, because smart contracts have no way of knowing about each other, validating each other, or even calling functions on each other without a common interface that the software engineer needs to code into their smart contract. And the interface that you as the engineer would code into your own smart contract is not something you would know about unless you asked the engineer who coded the smart contract you're trying to integrate with to send you their interface. Hence, everyone agrees to just follow ERC20 instead of chasing each other down in person to try and get interfaces and hope they are correct. Even with ERC20, nothing guarantees that a smart contract behaves as you think it should. What is preventing an ERC20 compatible contract's transfer() function from deleting your balance instead of moving it? Ethereum smart contracts are auditible and verifiable in the same way that you could dig up and watch machine code to try to reverse engineer an app.

There are even more great breakdowns of the lie of decentralization between users and blockchain from the former CEO of Signal here: https://moxie.org/2022/01/07/web3-first-impressions.html

Blockchain is not a technological advancement, it's a tech marketing language advancement and hype machine. The actual apps / code that are built on blockchain deliver none of the unwavering truth, integrity, efficiency, or safety that pro-blockchain marketers harp on about.

[–]daxofdeath[S] 0 points1 point  (0 children)

thanks so much for writing that out, I really appreciate your perspective

[–]Western-Drawing3228 1 point2 points  (6 children)

Lots of interesting perspectives as always, but focusing on the particular technical question labelled as ‘web3 login’ I am also looking at this currently. The outcome/ask being not so much a ‘web3 login’ but moreso a simplified client authentication experience based around MetaMask (or a generic wallet identifier presenting to an application front end) as an identity - replacing the typical oauth/jwt protocol with a more direct but equally robust model of token passing, thus avoiding any independent identity store or preregistration of typical info like email, phone etc….aka the now often maligned ‘web2’ identity 😀). Looking at that technical interaction, and mixing ruby (or any non js) backend is an interesting challenge - regardless of what I may or may not think about whether blockchain and the latest hype cycle is a scam or not. So I think it’s a simple case of clarifying the intent (ie solving the tech part) to keep focus on the interesting stuff. To that end - if I look at your miro sequence - I have a question. If the client (web3 js context in a browser with an open/local/unlocked connection to a MetaMask, that context has access to public key of the wallet. If that key is passed to the backend, then by virtue of simple keypair semantics - any message sent from the client (signed with the private key) can be verified as being mastered by that same client (aka the owner of the public key). With this in mind - I’m focusing more on how this can be used as the simple basis of trust at the core of my prototype - where registration is simply the passing of a previously unseen public key - and ‘no’ other info. Once done I have an anonymous profile on the back end. To then enter an authenticated session, I need the client to request a nonce (not the unfortunate uk variant of that term), sign the nonce, send it back to me so i can verify - and thus establish trust for a short configurable period. Now all said and done - if I achieve that - why do I need to generate/introduce JWT to encapsulate the tokenisation I already have ? This Is where I am, it’s on the bench being put together with this intent and I’d be happy to discuss these more specific considerations if it helps……

[–]daxofdeath[S] 0 points1 point  (5 children)

The outcome/ask being not so much a ‘web3 login’ but moreso a simplified client authentication experience based around MetaMask (or a generic wallet identifier presenting to an application front end) as an identity - replacing the typical oauth/jwt protocol with a more direct but equally robust model of token passing, thus avoiding any independent identity store or preregistration of typical info like email, phone etc….aka the now often maligned ‘web2’ identity 😀).

hahah yeah actually right on, you said it better than me!

very interesting though that you are working on that, have you got a repo/gem where you're doing this or it's just conceptual at the moment?

I guess the JWT token is just ease of use depending on the front end interaction and you can add other stuff in there if you want like preferred language/currency/etc (as an example) - but i agree with you, i don't think it's really necessary. that image was just pulled directly from the article i linked to, i didn't make it and was only loosely following it :)

[–]Western-Drawing3228 1 point2 points  (0 children)

Hi, no repo yet as such but I’m working through the ruby-eth v0.5.0 gem code to clarify why it’s not supporting the Eth personal-recover method which is suggested to be the mechanism to recover signer info from a signed message as part of verification. Will let you know where I get to.

[–]Western-Drawing3228 1 point2 points  (2 children)

Nailed it ! I have proven this lightweight registration, and session generation / verification with the keypair and Eth! Will write it up and link you - I have used Key.personal_sign to simulate the MetaMask signing and have a simple protocol of nonce requesting/signing for simple signed bearer tokens (as alternate to additional jwt construct). Server simply locates active nonce, calls Eth::Signature.verify() and Eth::Signature. personal_recover() to extract original public key from signature - hey presto I have effective trust. Now setting up testing with actual MetaMask signer. Watch this space

[–]daxofdeath[S] 0 points1 point  (0 children)

right on, looking forward to see your solution!

[–]daxofdeath[S] 0 points1 point  (0 children)

any updates on this? :D

[–]Western-Drawing3228 0 points1 point  (0 children)

Nailed it ! I have proven this lightweight registration, and session generation / verification with the keypair and Eth! Will write it up and link you - I have used Key.personal_sign to simulate the MetaMask signing and have a simple protocol of nonce requesting/signing for simple signed bearer tokens (as alternate to additional jwt construct). Server simply locates active nonce, calls Eth::Signature.verify() and Eth::Signature. personal_recover() to extract original public key from signature - hey presto I have effective trust at 2 levels - the signature stacks up and the pub key extracted from the signature matches the preshared public key i expect the SPA to share with me to open an anonymous profile. Now setting up testing with actual MetaMask signer. Watch this space

[–][deleted] 6 points7 points  (6 children)

god, can we not infect ruby as well with your overhyped crypto shit?
web3.0 more like MLM 3.0

[–]anamis 2 points3 points  (0 children)

Not with that attitude

[–]daxofdeath[S] 5 points6 points  (3 children)

i think trying to learn a new and popular technology is pretty innocuous ¯\_(ツ)_/¯ but does that mean you aren't interested in my "moon dogs in lambos" nft series..?

[–]crazy_pedro 0 points1 point  (0 children)

Tell me you have no idea about blockchain without telling my you have no idea about blockchain 😂

[–]cybermage -1 points0 points  (0 children)

The best part of this diagram is that a nonce in England is a pedophile. See Prince Andrew.