https://warpcast.com/~/channel/fc-devs
Jack Dishman
@dish
hey is there a way to verify if an HTTP request is sent from a frame? like an access token use case: I'd like to authenticate requests server side for permissioned endpoints
5 replies
0 recast
6 reactions
Jack Dishman
@dish
something similar to privy.verifyAuthToken(authToken)
0 reply
0 recast
4 reactions
Tony D’Addeo
@deodad
signIn on client, verify message + signature on server
1 reply
0 recast
5 reactions
MJC
@mjc716
maybe not 100% assurance, but if you only generate auth token in frame when sdk.isLoaded and use that auth token in the request, you can be pretty confident. not sure if answering your question exactly
1 reply
0 recast
1 reaction
Andrei O.
@andrei0x309
It is not important where that data comes from; what is important is that it is valid. But the context data can be spoofed. If the context provided a signature that matched the FC custody address, then that would have been a strong security guarantee. Because that's missing, the only way at the moment to validate that data and do some gated user action on the backend is to authenticate the user yourself in the frame. You could store the token on the client; depending on how the frame host is implemented, it might work to keep the user logged in for a longer time, if that isn't a security risk (meaning it is expected that there's a single user for that device). Providing signed context with a signer key instead of a custody key (as a future potential solution) will also work, but it will mean any signer key will be able to log in to your frame.
0 reply
0 recast
0 reaction
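Added example (not part of the thread, and not Privy or Farcaster SDK code): one way to do what the replies above describe, verifying the sign-in message and signature once on the server and then issuing a token that permissioned endpoints check on every request. The function names, the `verifySignIn` callback, the `fid`/`nonce`/`domain` result shape and the token format are assumptions; `demoVerify` is a constructed stand-in for a real signature verifier.

```javascript
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32); // per-process key; load from a secret store in production
const pendingNonces = new Map();       // nonce -> expiry in ms; use a shared store behind a load balancer

// Step 1: the frame asks for a nonce and passes it to signIn on the client.
function issueNonce(now = Date.now()) {
  const nonce = crypto.randomBytes(16).toString('hex');
  pendingNonces.set(nonce, now + 5 * 60_000);
  return nonce;
}

function signToken(claims) {
  const body = Buffer.from(JSON.stringify(claims)).toString('base64url');
  const mac = crypto.createHmac('sha256', SECRET).update(body).digest('base64url');
  return `${body}.${mac}`;
}

// Step 2: the client posts message + signature. verifySignIn (assumed, supplied by
// the caller) must check the signature and return { fid, nonce, domain } or throw.
// Real verifiers are usually async; await the call in that case.
function login({ message, signature }, verifySignIn, expectedDomain, now = Date.now()) {
  const { fid, nonce, domain } = verifySignIn(message, signature);
  const expiry = pendingNonces.get(nonce);
  pendingNonces.delete(nonce); // single use, so a captured message cannot be replayed
  if (expiry === undefined || expiry < now) throw new Error('unknown or expired nonce');
  if (domain !== expectedDomain) throw new Error('domain mismatch');
  return signToken({ fid, exp: now + 60 * 60_000 });
}

// Step 3: every permissioned endpoint calls this. Returns the claims, or null.
function verifyAuthToken(token, now = Date.now()) {
  const [body, mac] = String(token).split('.');
  if (!body || !mac) return null;
  const expected = crypto.createHmac('sha256', SECRET).update(body).digest();
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
  return claims.exp > now ? claims : null;
}

// Constructed stand-in verifier for trying the flow offline. NOT real cryptography:
// it accepts the literal signature "good" and trusts the JSON message.
const demoVerify = (message, signature) => {
  if (signature !== 'good') throw new Error('bad signature');
  return JSON.parse(message);
};
```

The backend trusts only the `fid` inside a token it issued itself, never a `fid` taken from request fields or frame context.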
Joe Bae
@joebaeda
I've tried asking the mentor and the answer was like this, https://x.com/i/grok/share/g6T18z4JqwzRydPSG73upgDwb
0 reply
0 recast
1 reaction