Skip to content
No description, website, or topics provided.
CSS PHP JavaScript ApacheConf
Branch: master
Clone or download

Latest commit

Fetching latest commit…
Cannot retrieve the latest commit at this time.

Files

Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
api
css
font-awesome
fonts
img
js
LICENSE.txt
README.md
index.php
logout.php
oneblock_schema.sql

README.md

Title: 1Block address authentication server-side API protocol (1Block)
Author: Monte Ohrt @mohrt
Status: Draft

API

  • Run the database schema on your mysql server.
  • Check api/DAO.php for db setup.
  • Place the contents of this repo in the root folder of your web server.
  • Be sure .htaccess is allowed from apache

The 1Block server-side is a REST API that must adhere to the following protocol.

These endpoints can reside on a longer URL path, they are shortened to a single word for brevity.

GET /login

This endpoint will generate a challenge string of the format:

HTTPS: oneblock://{host}/{path}/login?x={nonce}

HTTP: oneblock://{host}/{path}/login?x={nonce}&u=1

host = hostname for service path = URL path to login REST endpoint nonce = unique 32 char hex string

RETURN:

Header: Content-Type: application/json

Body: {"challenge":"CHALLENGE_STRING"}

OPTIONS /login

More recently browsers are checking OPTIONS before a POST. Handle the request and set access control.

headers: Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type

POST /login

headers: Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type

This endpoint needs to use a Bitcoin library to verify the signature against the public address. if valid, the address is used to identify the account (or register a new one if applicable.) It will respond with 200 for success and 403 for invalid. It willreturn a JSON payload of:

{"hasRevoke":1}

or

{"hasRevoke":0, "revokeURL":"URL"}

If this is an existing account hasRevoke will be set to 1. If not, a revokeURL must be supplied, something like: "https://host.dom/path/to/setrevoke". The client will then respond with the revoke information to this endpoint. This happens only for new

POST /check

This endpoint is repeatedly checked from the website to see if a successful login has been completed. If so it sets up the session redirects the user to a logged in page.

POST /setrevoke

This is the endpoint to set the revoke data on a new account. This happens on the first registration of the ID.

OPTIONS /setrevoke

More recently browsers are checking OPTIONS before a POST. Handle the request and set access control.

headers: Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type

POST /revoke

This is the endpoint to revoke and replace an ID.

OPTIONS /revoke

More recently browsers are checking OPTIONS before a POST. Handle the request and set access control.

headers: Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Content-Type

You can’t perform that action at this time.