
Implement Signature Authentication with Metamask + Express #329

Closed
FlacoJones opened this issue May 16, 2022 · 1 comment
FlacoJones commented May 16, 2022

Description

This is a two-part issue requiring knowledge of message signing with Metamask using personal_sign on the CLIENT SIDE, and how to recover addresses from signed messages using ethers.js Cryptographic Utilities on the SERVER SIDE.

This feature is in support of crypto-native authentication for off-chain data for OpenQ. We have a MongoDB which will be home to non-critical off-chain data like bounty watchlists.

Updates to a user's info will be keyed on their Eth address, and authenticated as such using message signatures.

Authentication Flow

  1. User attempts a write operation to the OpenQ-API (not needed for this task, just use a mock button)
  2. User is prompted in Metamask to sign a message (simply the string 'OpenQ', message data itself is irrelevant)
  3. That message is sent to OpenQ-GitHub-OAuth-Server /verifySignature route
  4. The message signature is verified, the address is recovered, and validation confirms that the recovered address is equal to the address on the query string. This can be done in a new utility function called ecdsaRecover in the OpenQ-Github-OAuth-Server. Put it in a new folder called utils/ecdsaRecover.js.

Out of Scope

  • Adding the signature as a cookie

Notes and Resources

We just need personal_sign for this, not EIP-712. More info on the various signing methods here: https://docs.metamask.io/guide/signing-data.html#a-brief-history

ethereum/go-ethereum#2940
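The four-step flow above carried end to end, as an added example that is not OpenQ's code: the EIP-191 prefix that personal_sign applies, Keccak-256 and secp256k1 public-key recovery are implemented with BigInt so the script runs stand-alone without ethers.js (in the real route you would call ethers.utils.verifyMessage(message, signature), which is the hashMessage plus recoverAddress pair spelled out here). signMessage only stands in for Metamask so the run is self-contained; handleVerifySignature, LOGIN_MESSAGE, the Express-shaped request and the private-key-1 fixture are assumptions, and only the ecdsaRecover name comes from the issue.

```javascript
// Added example, not OpenQ code: personal_sign verification from scratch (BigInt, no ethers.js); names are assumptions.
const P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2fn;   // secp256k1 field prime
const N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141n;   // group order
const G = { x: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798n,
            y: 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8n };
const MASK64 = (1n << 64n) - 1n;
const RC = [0x1n, 0x8082n, 0x800000000000808an, 0x8000000080008000n, 0x808bn, 0x80000001n,
  0x8000000080008081n, 0x8000000000008009n, 0x8an, 0x88n, 0x80008009n, 0x8000000an,
  0x8000808bn, 0x800000000000008bn, 0x8000000000008089n, 0x8000000000008003n, 0x8000000000008002n, 0x8000000000000080n,
  0x800an, 0x800000008000000an, 0x8000000080008081n, 0x8000000000008080n, 0x80000001n, 0x8000000080008008n];
const rotl = (v, r) => (r === 0n ? v : ((v << r) | (v >> (64n - r))) & MASK64);
function keccakF(A) {                                   // Keccak-f[1600]; A holds 25 lanes indexed x + 5y
  for (let rnd = 0; rnd < 24; rnd++) {
    const C = [0, 1, 2, 3, 4].map((x) => A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20]);
    for (let i = 0; i < 25; i++) A[i] ^= C[(i + 4) % 5] ^ rotl(C[(i + 1) % 5], 1n);   // theta
    let x = 1, y = 0, cur = A[1];
    for (let t = 0; t < 24; t++) {                                                    // rho and pi
      [x, y] = [y, (2 * x + 3 * y) % 5];
      const i = x + 5 * y, tmp = A[i];
      A[i] = rotl(cur, BigInt(((t + 1) * (t + 2) / 2) % 64)); cur = tmp;
    }
    for (let j = 0; j < 25; j += 5) {                                                 // chi
      const row = A.slice(j, j + 5);
      for (let k = 0; k < 5; k++) A[j + k] = row[k] ^ ((MASK64 ^ row[(k + 1) % 5]) & row[(k + 2) % 5]);
    }
    A[0] ^= RC[rnd];                                                                  // iota
  }
}
function keccak256(bytes) {                              // Ethereum's Keccak-256 (pad byte 0x01, not SHA3's 0x06)
  const A = new Array(25).fill(0n), rate = 136;
  const buf = new Uint8Array(Math.ceil((bytes.length + 1) / rate) * rate);
  buf.set(bytes); buf[bytes.length] ^= 0x01; buf[buf.length - 1] ^= 0x80;
  for (let off = 0; off < buf.length; off += rate) {
    for (let i = 0; i < 17; i++) {                                 // absorb 17 little-endian 64-bit lanes
      A[i] ^= buf.subarray(off + i * 8, off + i * 8 + 8).reduceRight((acc, b) => (acc << 8n) | BigInt(b), 0n);
    }
    keccakF(A);
  }
  return Uint8Array.from({ length: 32 }, (_, i) => Number((A[i >> 3] >> BigInt(8 * (i & 7))) & 0xffn));
}
const mod = (a, m) => ((a % m) + m) % m;
function modpow(b, e, m) { let r = 1n; for (b = mod(b, m); e > 0n; e >>= 1n) { if (e & 1n) r = r * b % m; b = b * b % m; } return r; }
const inv = (a, m) => modpow(a, m - 2n, m);              // Fermat inverse; m is prime
function ecAdd(A, B) {                                   // affine secp256k1 addition; null is the point at infinity
  if (!A || !B) return A || B;
  if (A.x === B.x && mod(A.y + B.y, P) === 0n) return null;
  const l = A.x === B.x ? mod(3n * A.x * A.x * inv(2n * A.y, P), P)          // tangent (doubling)
                        : mod((B.y - A.y) * inv(B.x - A.x, P), P);           // chord
  const x = mod(l * l - A.x - B.x, P);
  return { x, y: mod(l * (A.x - x) - A.y, P) };
}
function ecMul(k, Q) { let R = null; for (; k > 0n; k >>= 1n) { if (k & 1n) R = ecAdd(R, Q); Q = ecAdd(Q, Q); } return R; }
const toBytes = (v, len) => Uint8Array.from({ length: len }, (_, i) => Number((v >> BigInt(8 * (len - 1 - i))) & 0xffn));
const toBig = (bytes) => bytes.reduce((acc, b) => (acc << 8n) | BigInt(b), 0n);
const hex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
function fromHex(h) {                                    // strict: rejects odd length and non-hex characters
  const s = h.replace(/^0x/, ''); if (!/^([0-9a-fA-F]{2})*$/.test(s)) throw new Error('signature is not hex');
  return Uint8Array.from(s.match(/../g) || [], (b) => parseInt(b, 16));
}
const addressOf = (Q) => '0x' + hex(keccak256(new Uint8Array([...toBytes(Q.x, 32), ...toBytes(Q.y, 32)])).slice(12));
function hashMessage(msg) {                              // EIP-191 prefix, exactly what personal_sign signs
  const body = new TextEncoder().encode(msg), prefix = new TextEncoder().encode('\x19Ethereum Signed Message:\n' + body.length);
  return keccak256(new Uint8Array([...prefix, ...body]));
}
// Wallet stand-in (client-side personal_sign), only so the run is self-contained: k is ad hoc, not RFC 6979.
function signMessage(msg, privKey) {
  const h = hashMessage(msg), z = toBig(h);
  const k = mod(toBig(keccak256(new Uint8Array([...toBytes(privKey, 32), ...h]))), N);
  const R = ecMul(k, G), r = mod(R.x, N);
  let s = mod(inv(k, N) * (z + r * privKey), N), parity = Number(R.y & 1n);
  if (s > N / 2n) { s = N - s; parity ^= 1; }            // canonical low-s form, as wallets emit
  return '0x' + hex(toBytes(r, 32)) + hex(toBytes(s, 32)) + (27 + parity).toString(16);
}
// Server side: what ethers' recoverAddress(hashMessage(msg), sig) does, with the input checks spelled out.
function ecdsaRecover(msg, sigHex) {
  const sig = fromHex(sigHex);
  if (sig.length !== 65) throw new Error('signature must be 65 bytes (r || s || v)');
  const r = toBig(sig.slice(0, 32)), s = toBig(sig.slice(32, 64)), v = sig[64];
  if (r === 0n || r >= N || s === 0n || s > N / 2n) throw new Error('r/s out of range (high-s rejected)');
  if (v !== 27 && v !== 28) throw new Error('v must be 27 or 28');
  let y = modpow(mod(r * r * r + 7n, P), (P + 1n) / 4n, P);       // sqrt of x^3 + 7; valid since P ≡ 3 mod 4
  if (mod(y * y - r * r * r - 7n, P) !== 0n) throw new Error('r is not an x-coordinate on the curve');
  if (Number(y & 1n) !== v - 27) y = P - y;
  const z = toBig(hashMessage(msg)), rInv = inv(r, N);
  const Q = ecAdd(ecMul(mod(-z * rInv, N), G), ecMul(mod(s * rInv, N), { x: r, y }));   // Q = r^-1 (sR - zG)
  if (!Q) throw new Error('recovered the point at infinity');
  return addressOf(Q);
}
const LOGIN_MESSAGE = 'OpenQ';                           // the fixed string the issue has the client sign
// /verifySignature handler: Express-shaped request in, { status, body } out, so it is unit-testable without a server.
function handleVerifySignature(req) {
  const claimed = String((req.query || {}).address || ''), signature = String((req.body || {}).signature || '');
  if (!/^0x[0-9a-fA-F]{40}$/.test(claimed)) return { status: 400, body: { error: 'address required on query string' } };
  let recovered;
  try { recovered = ecdsaRecover(LOGIN_MESSAGE, signature); } catch (e) { return { status: 400, body: { error: e.message } }; }
  if (recovered !== claimed.toLowerCase()) return { status: 401, body: { error: 'signature does not match address' } };
  return { status: 200, body: { address: recovered } };
}
// Constructed demo: private key 1 is the textbook test key; its address is 0x7e5f...5bdf.
console.log(handleVerifySignature({ query: { address: '0x7E5F4552091A69125d5DfCb7b8C2659029395Bdf' },
                                    body: { signature: signMessage(LOGIN_MESSAGE, 1n) } }));
```

Run it with node. On the client the matching call is ethereum.request({ method: 'personal_sign', params: [message, address] }) in the browser; on the server the handler mounts as app.post('/verifySignature', (req, res) => { const r = handleVerifySignature(req); res.status(r.status).json(r.body); }). Two checks a bare recover call does not give you are included: s is restricted to the low half of the group order, so a malleated copy of a valid signature is refused rather than recovering the same address, and the comparison is done on lower-cased hex, so a checksummed address on the query string still matches. Because the signed string is constant, a signature stays valid indefinitely; folding a nonce or expiry into the message is the usual follow-up once the cookie work listed as out of scope is picked up.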

FlacoJones (Collaborator, Author) commented:

Just to note that this issue cuts across two repos: the Frontend signs the message; a backend route on OpenQ-Github-OAuth-Server (soon to simply be renamed OpenQ-Auth since it does both OAuth and Web3 auth) will then recover the address and compare it against the desired resource ID to authorize.
