This is a value for value post: see the explanation in the footer.
If anyone else wants to look at HAS authentication in Python, the code is all here:
HAS - Hive Authentication Service from Python
First of all HAS is cool, I like the way it operates. If you don't know, HAS is @arcange's authentication service where you give authorisation to a Hive website or dapp using QR codes you snap with Hive Keychain on a phone. Once you are authenticated, if you do anything that requires a signature (liking a post, writing a comment etc.) Hive Keychain will ask again for authorisation.
I've used it quite a bit logging on to public computers where I don't have or can't have Hive Keychain installed. I can log on, do something and then log out and be 100% sure that there is no way anyone else can use my credentials or access my account.
On Mobile
The system also works (mostly) on mobile. There are some technical issues when moving from app to app on phones (I'm using an iPhone) and behind the scenes, support for the underlying websocket protocol could improve, but it does work.
What's the problem we're solving here?
Let's just back up and restate what the problem we're trying to solve is.
When you log on to Facebook or Twitter, you do that with a username and password. Those centralised services check your username and password against their internal database, record that you've logged in and then put an invisible "cookie" on your computer. Every time you ask for a page from their site, their central servers look at your cookie and, if it is valid, they'll let you do anything you're allowed to:
- look at the content you can see,
- post under your name,
- generally make use of their service.
On Hive the websites and dapps you use have a significant difference: there is no central database of usernames and passwords; instead we have public and private keys.
And when we say public keys, we really do mean public: here are my keys for Hive!
The public keys are the ones which start with STM... The beauty of this system is that if you hold the Private Key, you can publicly "sign" a message which proves you have the Private Key to match any of those Public Keys.
Nobody else can do that and you don't need to actually show anyone the Private Key.
Private Key Store APP (PKSA)
Except that signing something with your Private Key is a semi-complex cryptographic challenge which only a computer can really do for you. This is a snippet of code as an example:
For example, the ECC in "ecc.Signature" stands for Elliptic-curve cryptography which is the underlying system a lot of this is based on.
If you ever wondered what Hive Keychain is actually doing in your browser, that fragment of code is the kind of thing which happens when you click yes on a pop up to do something.
The point here is that you aren't sending a key, you're just proving that you have the private key to match the same public key which anyone can see is recorded in your Hive profile.
Hive Keychain, Hivesigner and PeakLock are all PKSAs - Private Key Store Apps. You have to trust your private keys to those services and they shouldn't let your keys out, only sending signatures back to services that need to know you are you.
Side note: delegated authority
You can see in my list above that my Posting section is big: each of the names in that section has been given Posting Authority by me. If one of those accounts signs a transaction from me but with their posting key, not mine, it will be accepted as coming from me.
Making HAS work in Python
I started out with the idea that I would like to have a Python only based website, probably using the framework Flask. A long time ago when I was learning to code again, I managed to integrate Hive Keychain sign in with Flask and that work is here:
Python Flask Hive Keychain Demo
In reality, most of the hard work is done on the web page by Javascript code written by the Hive Keychain team.
Once I actually started to implement HAS (and you can see the first failed attempt here) I realised this was a slightly bigger thing to implement than I thought.
The reality is that, just like authenticating with Hive Keychain, using HAS on a website is probably better done using the Javascript which @arcange supplies on his site.
Diving in
I'm not sure why I did this after coming to realise how I should be using HAS, but I kept on going and set myself the challenge of doing the complete authentication in Python from the protocol documents which @arcange has posted.
And it would appear that I'm the first to have done this. The Hive Keychain team has integrated the functionality for their mobile app to act as a PKSA, but all the websites and services which offer HAS right now have done so using @arcange's Javascript.
Well I've done it. The code is not really finished because I haven't really figured out how this can be used but it's up there and open.
There's a stub of a command line which can authenticate a Hive account and I have behind the scenes code to sign any challenge and send any transactions.
If anyone else wants to look, the code is all here. It's a bit of a mess right now but I want to improve it, especially if anyone tells me they're interested in using it:
What's missing is probably a Python version of this Javascript functionality. I'm just wondering if that's what I should be building.
I'm not sure where to go with this right now. I have to move back to working on things directly necessary for my @v4vapp, though this all fits with my desire to have a much better front end. My conundrum is that whilst I'm happiest coding in Python, the reality is websites are far better written in any of the Javascript frameworks.
In addition, I'm traveling to Australia soon with @apshamilton for our first in person court hearing on the Crypto Class Action.
Thanks to @arcange
All of this work stems from @arcange and I had numerous calls with him to get to this point. We found a couple of tiny issues with the documentation but he has built a remarkably solid solution.
I feel sure that there are probably some uses for this Python interface and one in particular I'm thinking about is a way to authenticate with Hive for using an API. If anyone reading this likes that idea, get in touch with me.
Value for Value
For the last few months while building @v4vapp I was generously supported by the DHF. Going forward I have a much more modest support which covers direct server costs and a little of my time.
If you appreciate the work I do on and around Hive, you can express this directly: upvoting posts on Hive is great. Also consider a direct donation (there's a Tip button on Hive or a Lightning Address) on all my posts.
Support Proposal 244 on PeakD
Support Proposal 244 with Hivesigner
Support Proposal 244 on Ecency
Vote for Brianoflondon's Witness KeyChain or HiveSigner