I have a web3 application where I use three types of wallets: MetaMask, WalletConnect, BianceChain, users can connect to these wallets,Problem is I can not detect which wallet user comes from, is there any way to distinguish them from each other?
Related
Im coming from the 'other' blockchains and not sure how we would authenticate a Hedera user on a DAPP. Essentially I need to create a minting DAPP.
I need the user to connect his wallet, pay using HBAR and get his token.
Do I need to use a wallet provider like hashpack or something?
Today there are limited, mostly custodial design options available. This is subject to change with HIP-179 External Transaction Signing for SDK and other clients.
Prior to HIP-179, most applications are either:
Using a single managed custodial account on their web server.
Tying a traditional login(email, password) or session to an application-specific generated Hedera account.
Asking users for keys as a login.
Involving some counterparty risk wherein a transaction is sent from a 3rd party wallet (e.g. sending hbar) and a promise to send a token, etc. back.
There are obvious security and scam concerns with most of these models. Once HIP-179 is in place it will be easier for extensions like HashPack and others to sign transactions.
Say, I have an interactive dapp, like a game and I want the user's actions to be saved on the blockchain (maybe these are moves in the game of chess, whatever).
So, from my understanding, options are:
Create dynamic wallet via web3, prefill it from the metamask and send as many transactions as I want.
Somehow negotiate with the user to trust the dapp and let metamask send transactions on user's behalf without pesky prompting.
What is the right option (if any)? Turns out, metamask has a whole permission escalation framework, yet I wasnt able to ask the right permission.
You can access user funds in several ways:
ask users to deposit in a smart contract and keep track of balances there
ask users to allow your smart contract to spend their tokens via ERC20 allowance
How often will user actions be saved on the blockchain?
Even if your dapp has access to all user funds via a shared wallet or ERC20 allow() + transferFrom() you'll still need somebody to trigger a transaction and pay gas fees whenever you're updating chain state.
I want to know if There Is a solution to send an email on a Code Name One app using Gmail Api,
i have an exception When i m using javaxmail,
error: cannot find symbol
import java.util.Properties;
symbol: class Properties
thanks in Advance.
You can use Display.sendMessage to send an email in Codename One. However, this is an "interactive" API that will launch the users email client and he'll need to press send to perform the actual emailing.
Alternatively you can use the sendgrid cn1lib to send an email via sendgrid. I would recommend against that though. If you send an email from the device that means your credentials (password etc.) would be on the device. A better way would be to contact your backend server and ask it to send the email for you. That way a hacker can't decompile your app and find out your credentials.
I agree with Shai's response, I'd just like to add a few more thoughts.
Sending emails from a mobile application (regardless of whether it is developed with Codename One) has two major problems:
the first problem, as mentioned by Shai, concerns the credentials: putting your Gmail account inside the client app code is a very bad idea;
the second problem is specifically about Gmail, since you're not referring to a generic mail service, but to Gmail itself: Stack Overflow is not the place to make recommendations on which services to use, however I can tell you why Gmail is probably not what you want to use. The main problem is that Gmail, when used for "third-party apps" (which Gmail considers insecure), doesn't allow you to change IP addresses frequently: if it notices an IP change, it blocks the service and forces you to manually unblock it in the security settings. Obviously the problem is minor if Gmail is contacted by your server that has a static IP address, but it becomes a big problem if Gmail is contacted directly from your users' phones, each of which will have a different IP.
That said, if your app made with Codename One needs to send emails (e.g. to activate new users), I recommend:
your app can use Codename One's Rest class to make a REST call to your RESTful server backend;
in your server, you could use an alternative service to Gmail that doesn't give problems if you change the server IP address every now and then or if you use the server both locally and remotely. For what is my experience, I can tell you that on my Spring Boot server I use org.springframework.mail.javamail.JavaMailSender, which is compatible with various mail services (just for information, I use a free ZohoMail account, however there may be many other alternative and equally valid mail services that I do not know).
As for using Codename One's Rest class, I'll point you to the developer guide (https://www.codenameone.com/developer-guide.html#_rest_api) and to this blog posts: https://www.codenameone.com/blog/terse-rest-api.html and https://www.codenameone.com/blog/new-rest-calls.html
When making Rest calls with Codename One, always keep in mind that there may be no Internet connection or other connectivity issues (or server-side errors), so careful handling of possible errors is critical.
I am new to cryptocurrency application development. I am using web3js library and reference is
https://web3js.readthedocs.io/en/1.0/web3-eth-accounts.html for managing wallet balance and multiple account address link with single wallet. How can i do this?
We want every user deposit ether comes to out(application) wallet so we can reduce transaction charges as for individual it will many times(between our app, ethernet, user address, so on) from one account to other.
Many exchanges implement an overlay SQL Database to manage account balances, as banks do.
The accounting API on bitcoin (or its' inheritance crypts) does not support that very well and it might get you confusing, which is why the accounting API has been deprecated.
You would need to:
Allow users to register accounts at your database.
Create an address using the RPC API, and associate it to the user logged in.
Monitor the user balance by logging every transaction associated to his wallets.
I have an application that runs on Windows Mobile 6 Professional PDA devices. The application is installed by browsing a url from the device and downloading a cab.
Users capture information in the application and this is then replicated back to a SQL 2005 server using merge replication and IIS v6.
Although the user needs to log into the application on the device anybody who knows the url could download and install. Also if you know a users password anyone with a device could update that users information.
I would somehow like to authenticate the devices either at the installation or replication stage (or both).
Is it possible to authenticate a device based on serial number or IMEI (mobile phone ID) number?
Is there a way to load a certificate onto the device so only certificated devices are allowed to connect?
I want a system that is not too hard to implement and support. The users must be able to update their own devices and they are not very good at remembering complicate procedures or password.
One possible solution would be to send the unique device id as part of authentication. There's a post on using GetDeviceUniqueID on the Windows Mobile Team Blog.
You could store this unique id when the user first connect to the server and verify it prior to each merge.
This approach helps to ensure that the user logging in is doing so from their own phone. It solves the problem of a remote intruder downloading your program to their own phone and logging into a legitimate users account. Of course, if such an intruder has access to your users phone AND password, all bets are off.
You have conflicting requirements:
The users must be able to update their
own devices and they are not very good
at remembering complicate procedures
or password.
and:
Also if you know a users password
anyone with a device could update that
users information.
If your users can only (barely) be expected to use a password, then you cannot expect to be able to protect in any case against anyone else who has their password.
There's no 'magic' authentication that will tell you a particular user or device is legitimate beyond what you provide.
You can password protect the download, you can load certificates, you can get the PDA information (and even the cellular information), but unless you add another authentication mechanism, at the end of the day all you've got is a password.
The password is your weakest link, and you seem to be indicating that you can't provide more strict access, but you somehow need it?
If you have another authentication channel (phone, email, SMS) then you can provide a more robust, meaningful authentication.
For instance, you could make your program operation dependent on a "public.key" file with a per-user public key that your server requires for use. Once the user logs in to your website, have them give you their phone number (so now you have the phone number and the password) and send an SMS with a link to a temporary download for the key. Make a new key for each user, keep their private key on the server, and encrypt (or at least authenticate) every transaction between the device and server using this key pair.
Now if someone else wants to pretend they are their user, they have to get that file in one of three ways:
They take it directly off the PDA (they also need the password, as the public key should be protected by the user password)
They get the user to request a new SMS link, and somehow get the link without having the phone
They change the phone number and request a new SMS link
In any case, you are validating not only the password, but also an associate phone number. You can make it hard for users to change the phone number (validate against their email as well when they request a phone number change, have them call in, etc).
Of course you can do the same with other channels of communication, but users are getting more and more used to SMS authentication and download, so it isn't too much more hassle.
-Adam
You could generate slightly different cab file for every download. The only difference would be security token your application would use as user/password analogue. That should be a public key for real security.
You could send them SMS with a code each time they access your application.