[Ethereum] Authorization via Metamask


On my site I do not want to use email/password authorization, but instead I'd like to use the Metamask sign functionality (it is impossible to work with the site without Metamask or a browser with web3).

I propose to implement something like this:

  • the client generates a random string/PIN code.
  • on "login" click, it signs it and sends the signature along with the PIN code to the server (I know that I can use any static phrase and it doesn't increase overall security).
  • there the signature is checked and the public key/address derived.
  • if a user with that public key/address is found – generate a standard JWT and use it with all following REST requests.

I am wondering whether this is safe enough, or have I missed something important?

Best Answer

This has been done multiple times, but this is one that really goes into detail on it:

https://www.toptal.com/ethereum/one-click-login-flows-a-metamask-tutorial
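A server-side sketch of the flow described in the question, added here as an example; it is not code from the question, the answer or the linked tutorial. It assumes the nonce is issued by the server (so a captured signature cannot be replayed), an in-memory challenge store, and a caller-supplied recover_address function such as eth_account's Account.recover_message over encode_defunct(text=message); the HS256 JWT uses only the standard library, and the message template and store are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time

NONCE_TTL = 300                               # seconds a challenge stays valid
PREFIX = "Sign in to example.com\nNonce: "    # constructed message template
_pending = {}                                 # constructed store: nonce -> expiry

def issue_challenge(now=None):
    """Server-generated random nonce; the wallet signs the message built from it."""
    nonce = os.urandom(16).hex()
    _pending[nonce] = (time.time() if now is None else now) + NONCE_TTL
    return nonce

def login_message(nonce):
    """Exact text shown in the MetaMask prompt and passed to personal_sign."""
    return PREFIX + nonce

def verify_login(message, signature, recover_address, known_users, now=None):
    """Return the recovered (lower-cased) address if the signed challenge is
    valid and belongs to a registered user, otherwise None.
    recover_address(message, signature) is assumed to do EIP-191 recovery,
    e.g. eth_account's Account.recover_message(encode_defunct(text=message))."""
    now = time.time() if now is None else now
    if not message.startswith(PREFIX):
        return None                           # message must follow our template
    expiry = _pending.pop(message[len(PREFIX):], None)   # single use: consume it
    if expiry is None or now > expiry:
        return None                           # unknown, replayed or expired nonce
    try:
        address = recover_address(message, signature).lower()
    except Exception:
        return None                           # malformed signature
    return address if address in known_users else None

def issue_jwt(address, secret, now=None, ttl=3600):
    """Minimal HS256 JWT (header.payload.signature) for the following REST calls."""
    now = int(time.time() if now is None else now)
    def b64(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    head = b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64(json.dumps({"sub": address, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64(sig)}"
```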