First I thought I could simply use private, like:
    mapping (address => bytes32) private userPassword;
and so just check if the entered password is right:
    function enter(bytes32 password) {
        if (password == userPassword[msg.sender])
            // do smth
    }
But then I read this in the Solidity docs:
Everything that is inside a contract is visible to all external
observers. Making something private only prevents other contracts from
accessing and modifying the information, but it will still be visible
to the whole world outside of the blockchain.
So if I got it right, even if I use "private" visibility, everyone can still see the values of stored passwords. Then how should I store information that shouldn't be public?
Best Answer
Users (contracts, trusted machines, other contracts) are identified by their Ethereum address.
Instead of storing their passwords, use
msg.sender
to authenticate. Since you don't want anyone participating without authorization, you need a list of addresses that are authorized. You create add/remove user functions and you ensure that only the authorized admin (usually called owner) is allowed to access those contract functions.
The access control list would be a list of Ethereum addresses.
Some organizational ideas here: Are there well-solved and simple storage patterns for Solidity?
And here: https://medium.com/@robhitchens/solidity-crud-part-1-824ffa69509a
Hope it helps.
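The pattern the answer describes, written out as an added example (this is not code from the original question or answer). It assumes Solidity 0.8.x and uses illustrative names (AddressAccessControl, addUser, removeUser, isAuthorized, enter). The gated function takes no password at all: the caller is identified by msg.sender, which the network has already verified against the transaction signature, so the contract never needs to hold a secret. The allow-list itself is not confidential, so it does not matter that its storage slots, like the private mapping in the question, can be read off-chain with eth_getStorageAt.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: authenticate by msg.sender against an on-chain allow-list
// instead of storing passwords. Contract and function names are assumptions.
contract AddressAccessControl {
    address public owner;
    // Not a secret: anyone can read this slot off-chain, and that is fine.
    mapping(address => bool) private authorized;

    event UserAdded(address indexed user);
    event UserRemoved(address indexed user);

    constructor() {
        owner = msg.sender;            // deployer becomes the admin
        authorized[msg.sender] = true; // admin may also enter
    }

    // Use msg.sender, not tx.origin: tx.origin would let an intermediate
    // contract act on behalf of a user who merely called it.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier onlyAuthorized() {
        require(authorized[msg.sender], "not authorized");
        _;
    }

    // Admin-only management of the access control list.
    function addUser(address user) external onlyOwner {
        require(user != address(0), "zero address");
        authorized[user] = true;
        emit UserAdded(user);
    }

    function removeUser(address user) external onlyOwner {
        require(user != owner, "cannot remove owner");
        authorized[user] = false;
        emit UserRemoved(user);
    }

    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        authorized[newOwner] = true;
        owner = newOwner;
    }

    function isAuthorized(address user) external view returns (bool) {
        return authorized[user];
    }

    // The gated action. No password argument: the sender's address is the
    // credential, proven by the signature on the transaction.
    function enter() external onlyAuthorized {
        // do smth
    }
}
```

To use it, deploy from the admin account, call addUser for each Ethereum address that should be allowed, and have those accounts call enter from their own wallets. A call from any other address reverts with "not authorized".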