Overview

OmniAuth is a flexible authentication system utilizing Rack middleware. Many use it for Ruby on Rails web applications to authenticate users through third-party applications like Github or Twitter. Check out a list of available provider strategy implementations on the OmniAuth wiki.

Task

Implement an Ethereum provider strategy for OmniAuth that can easily integrate with an existing Rails application's User controller. For example, the authentication flow would look like the following:

1. Create a User model/extend an existing User model by the fields eth_address and eth_nonce used for Web3 authentication.

• populate existing User records with a random value for eth_nonce

2. Create a signup/login workflow that allows for Web3 authentiation
3. Connect to Web3: Check for any Ethereum provider like MetaMask and warn the users if it's not available.
4. Get Ethereum Account: Connect to Web3 provider and gently request accounts

   await ethereum.request({ method: 'eth_requestAccounts' });

5. Check the database against the first available account.

• If it does not exist: allow the user to create an account (username, eth_address, eth_nonce).
• The nonce is a random number (anything goes) that needs to be changed after every login.
• If it exists, gently ask the user to sign a message containing the nonce from the database.

  await ethereum.request({ method: 'personal_sign', params: [ message, account ] });

6. Authenticate user: verify the signature of the signed nonce. If the nonce (fetched from the database) signed by the users returns the address that is on the record in the database eth_address, consider the user authenticated. If not, abort.

• might be handy to use existing Ruby gems for Ethereum EC recovery

7. Shuffle nonce: after successful auth, replace the existing nonce with a new nonce to avoid signature spoofing. The lifetime of the nonce is the same as the session.
8. Retroactive: assuming an already populated user database, users can connect with their Ethereum account.

• This requires giving all existing users a random nonce (once)
• Subsequently, all users that sign up with different strategies should also get a random nonce
• Adding an Ethereum address to your account is the same process as authentication later

Deliverables

• An omniauth-ethereum strategy for OmniAuth 2.x, compatible with the latest Rails 6.x
• Basic documentation on how to integrate and use it
• Rails Demo with nothing but OmniAuth Ethereum strategy and the ability to sign up/log in

Resources

• The workflow explained using the web3 JS apis: https://www.toptal.com/ethereum/one-click-login-flows-a-metamask-tutorial

https://github.com/q9f/omniauth-ethereum.rb/actions/runs/3749320342/jobs/6367668505

If so, why do they need to be duplicated?

ref https://github.com/q9f/ethereum-on-rails#api-apiv1usersindexshow

upstream ref se3000/ruby-eth#57

1. have to include branch: main (good on you) was getting:

❯ bundle
Fetching https://github.com/q9f/omniauth-ethereum.git
fatal: Needed a single revision
Git error: command `git rev-parse --verify master` in directory
/Users/project/core has failed.
Revision master does not exist in the repository
https://github.com/q9f/omniauth-ethereum.git. Maybe you misspelled it?
If this error persists you could try removing the cache directory
'/Users/beebe4/.rvm/gems/ruby-2.7.2/cache/bundler/git/omniauth-ethereum-2fd54d8c03f57fcb075461c8088506557d671a3f'

So added:

`gem 'omniauth-ethereum', :github => 'q9f/omniauth-ethereum', branch: 'main'`

2. Now getting this:

❯ bundle
Fetching https://github.com/q9f/omniauth-ethereum.git
WARNING: /Users/beebe4/.rvm/rubies/ruby-2.7.2/bin/ruby is loading libcrypto in an unsafe way
[1]    43323 abort      bundle