Verify user is owner of an NFT via MetaMask connection? Make sure connected user's public ETH address is the same as the NFT's? - authentication

I need to verify on my own domain/server that the user who has connected his MetaMask wallet is the owner of a specific NFT, in order to allow him special functions. Basically, I want to give the user access to an area that only the owner of this NFT would have.
My original NFT is sold on OpenSea, but I can't use the OpenSea hidden-area option to just give the user a hidden password, since the next owner (after reselling) and the old owner would have the same password and old owners could still access it like this. But I need that only the current owner has access.
My user/visitor can already connect with MetaMask on my own domain and I get the public ETH address of the active account, but since this is only JavaScript and my backend is PHP, I can't just post the MetaMask info to my PHP backend since this would be easy to trick/hack.
How can I make sure the currently connected MetaMask account is the same as the NFT owner (which I know) and allow access to a URL only for this user?
My current state is that the user connects his MetaMask and I use the OpenSea API to check who is currently the owner of the NFT. I can compare both ETH addresses, but the flaw in this is obviously that I use ajax to send the MetaMask public address to my backend, which is only for testing since this is of course zero safe!
Thank you in advance for any idea, help, tip I can get.
PS: My backend is PHP

After hours and days of researching, I found a solution that works for me.
Here are the needed steps.
Use the MetaMask API to let the user connect with your site. This is pretty easy and well explained in the MetaMask API.
Once you want to verify that the MetaMask owner is the legit owner of an NFT, you first need to query OpenSea (or another place) for the current owner of the NFT. In my case, I use the OpenSea API for my specific NFTs. Once you have the owner you are ready to verify.
On your site you need to ask the user to sign a custom message with MetaMask. There are different options to do that. More about this here: MetaMask Signing. I send, for example, a short text message with a unique code that I first created in my PHP backend. Doing that, I also save the code and custom message into my MySQL.
Once the user has signed, you get the signing code, which you can send back to your PHP backend via ajax etc. without a problem. Only the owner of the account which you requested in the signing code is able to sign with the correct account.
Once you have the signing code in your PHP backend, you can use Fast Elliptic Curve Cryptography in PHP and php-ecrecover to check the code against the unique code you created before and the message the user signed. As a response, you get the signer's account ETH address and you are ready to compare. If the signer's ETH address is the same as the NFT owner's, you are ready to go and you can consider the signer the owner of the NFT.
I believe this is safe to use, but I am not an expert on that. In my case, this only authorizes an NFT owner for a certain closed area in my community page and there are not really high risks involved, but maybe somebody raises some security thoughts on that. However, I found that other NFT pages and even OpenSea work similarly.
I hope this points someone in the right direction, I lost quite some time figuring this out because most solutions are Node.js etc. but not with PHP backends.
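The challenge-and-verify flow from the answer above, written out as an added PHP example (not the poster's code). It assumes a PDO connection to the MySQL table shown in the comment, that the NFT owner address has already been fetched from the OpenSea API, and that php-ecrecover exposes a `personal_ecRecover($message, $signature)` helper returning the signer's address (that helper name is an assumption; use whatever recovery call your copy of the library provides).

```php
<?php
// Added example, not the original poster's code. Assumptions:
//  - php-ecrecover is loaded and provides personal_ecRecover($message, $signature),
//    returning the 0x-prefixed signer address (helper name is an assumption);
//  - a PDO connection $db and this table:
//    CREATE TABLE login_nonces (nonce CHAR(32) PRIMARY KEY, address CHAR(42),
//      message TEXT, expires_at INT, used TINYINT NOT NULL DEFAULT 0);

// Step 1: the backend creates a single-use challenge bound to the claimed address.
function issueChallenge(PDO $db, string $claimedAddress, int $ttlSeconds = 300): string {
    $nonce   = bin2hex(random_bytes(16));            // unpredictable 128-bit value
    $expires = time() + $ttlSeconds;
    // Nonce, address and expiry are all part of the signed text, so a captured
    // signature cannot be replayed later or reused for a different account.
    $message = "Sign in to example.com\nAccount: {$claimedAddress}\nNonce: {$nonce}\nExpires: {$expires}";
    $stmt = $db->prepare('INSERT INTO login_nonces (nonce, address, message, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$nonce, strtolower($claimedAddress), $message, $expires]);
    return $message;                                   // shown to the user for personal_sign
}

// Step 2: the backend checks the signature returned via ajax and compares the
// recovered signer with the NFT owner previously fetched from OpenSea.
function verifyOwner(PDO $db, string $nonce, string $signature, string $nftOwner): bool {
    $stmt = $db->prepare('SELECT address, message, expires_at, used FROM login_nonces WHERE nonce = ?');
    $stmt->execute([$nonce]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['used'] || $row['expires_at'] < time()) {
        return false;                                  // unknown, replayed or stale challenge
    }
    // Consume the nonce before checking anything else; "AND used = 0" means two
    // concurrent requests with the same nonce cannot both succeed.
    $upd = $db->prepare('UPDATE login_nonces SET used = 1 WHERE nonce = ? AND used = 0');
    $upd->execute([$nonce]);
    if ($upd->rowCount() !== 1) {
        return false;
    }
    // Recover the signer of the exact stored message, never of text sent by the client.
    $signer = strtolower(personal_ecRecover($row['message'], $signature));
    // Addresses are case-insensitive hex: compare normalised forms in constant time,
    // both against the address the challenge was issued for and against the owner.
    return hash_equals($row['address'], $signer)
        && hash_equals(strtolower($nftOwner), $signer);
}
```

Issue a fresh challenge for every login attempt; a failed verification burns the nonce, so the client simply requests a new one.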

Related

Is it possible to provide a `redirect url` to shopify.com/login?

Does Shopify have a mechanism to supply a redirect URL on store owner login at https://shopify.com/login? Note, this is not customer login, but store owner.
Mailchimp provides this functionality with a redirect_uri query string parameter. In the example below, after logging in, Mailchimp will redirect the user to https://somesite.com:
https://login.mailchimp.com/oauth2/authorize?response_type=code&client_id=1234567890&redirect_uri=https%3A%2F%2Fsomesite.com
It sounds a little confusing. First of all, you seem to be concerned about whether a customer at a Shopify store (someone with an account to buy stuff and checkout) is logged in? Why? What on earth does that have to do with your App?
If you are truly concerned about that, your Shopify App, installed in the Shopify store, can accept a secure callback with the logged in customer, and you can use the API to get their details.
So there cannot be an answer to your question in my opinion, because your use case seems really mixed up in your explanation. Perhaps you can draw some boxes, connect them with arrows, publish that somewhere public, and start a discussion from there.

iTunes Connect Updated Contract Where to Accept It?

I log into the iTunes connect and get the following message:
An updated contract is now available. Before you can offer your content in new iTunes Store territories, a user with the Legal role must agree to the new contract in the Contracts, Tax, and Banking module.
I go into the Contracts, Tax and Banking module and I see this (see screenshot). What am I supposed to do?
If there is not a request next to the new contract, it means the user you logged in with likely does not have the Legal role. Go to Manage Users and see if your current user has that authorization. If your current login does not, you will need to find a user that does, or get yours approved.

Can the Yodlee API be used to retrieve the transactions on any credit card?

A client I work with wants to know if it's possible to use the Yodlee API to look up recent transactions on any credit card.
They'd like it to work without the user needing to be signed up with Yodlee, either directly at the site, or indirectly through a branded partner.
I assume this would be possible if the credit card company itself shared its transaction data with Yodlee directly, and made it available to their API customers, but I haven't been able to figure this out from the docs available on their website, and haven't been able to reach anyone at Yodlee themselves to ask.
I work for Yodlee. Sorry to hear you're having a hard time getting a hold of us. To answer your question, yes the user has to explicitly authorize any application that leverages the Yodlee API and explicitly add access to their financial accounts for that application.
Best,
Grace
Yodlee screen-scrapes websites to retrieve its information.
Which means that they physically (but in an automated fashion) visit the website in a browser (IE8). Thus to pull any information down they have to visit the website, log in successfully, (optionally but more so on more banks; authenticate the computer) and then they can see all of the information that the user sees. Their API acts as a real time bridge between you (the end user using your website or app) and this browser.
So you have to either implement their very much so convoluted Yodlee API or use one of their generic hosted pages and direct the user to it where upon he/she enters the necessary information. You also have to have an agreement with them too. You also have to convince the user to do it :)

Error when attempting to authenticate a user using the Google Contacts API

I came across this problem with a company's intranet that we run (powered by Wordpress) - it's got us all stumped.
When attempting to authenticate a user using the Google Contacts API, an error is returned after granting permission to access the user's contact list and before full authentication is given, but no details are given as to what the error actually is.
It was working absolutely fine until one day in late April/early May it suddenly stopped working.
We were using the following scope: http://www.google.com/m8/feeds/contacts/default/full.
An interim solution has been put into place, using the Google+ API instead. This is working well, except that the API is not providing the user's email address after authenticating, only their profile details.
We absolutely need the email address in order to limit access to the website to people with certain email addresses, as well as to integrate properly with WordPress' user management, generating new user accounts and linking them to authenticated email addresses.
We'd really appreciate any help!
You're not providing much in the way of details, but Google+ Sign-in should have what you want, and it comes with pre-cooked PHP code, see https://developers.google.com/+/quickstart/php
Also, you can go through the basic login flow and if you use a scope like "openid email" you’ll definitely get the email address; see https://developers.google.com/accounts/docs/OAuth2Login

Paypal API and several emails in same PayPal account

I cannot praise with my contribution here, because I am a new user, but would help if I can.
I have a big problem and I do not know how to solve it, please help.
In the same PayPal account with the default email address email1#somedomain.com, there are 7 more emails:
email2#somedomain.com
email3#somedomain.com
email4#somedomain.com
email5#somedomain.com
email6#somedomain.com
email7#somedomain.com
that's the maximum allowed number of emails under one PayPal account (8).
So we are using the API on several pages, and only one API signature can be created in the PayPal interface, so the same API signature is used for each web page.
We would like to define where the money will go - to which email address inside the same PayPal account.
We use a Premium PayPal account, and we know that for logo change, email removal and so on we would need a Business account, but for defining the money receiver email address inside the same PayPal account we suppose that it can be defined, otherwise we do not see a point in having several email addresses inside one same PayPal account.
The problem is that the default email is always shown when making a purchase :S
We tried to define SUBJECT:
SUBJECT=merchantEmailAddress
N O T E: Typically, a merchant grants third-party permissions to a shopping cart...
And set merchantEmailAddress email2#somedomain.com.
In the sandbox it works like a charm, but as soon as we put it on production the default mail is shown again.
Please if anyone had the same issue help.
Thank you very much, this forum is great and I realise that without nice people and contribution as well there would be no answers.
regards
You would not be using SUBJECT unless dealing with Permissions and making calls on behalf of 3rd party PayPal accounts.
You're working with a single PayPal account, so you won't be using SUBJECT at all. You'll use the credentials like you are already.
That said, I'm not sure I'm entirely following what you're trying to send to different emails. I don't understand the end goal with that..?? The API credentials are what are going to tell the system where to drop the money, or pull data from, or whatever.
If you're just trying to get different logos to show up during checkout you can do that with parameters in your standard button code or API requests.
Let me know if that helps or not. Again, I'm not sure I'm understanding what you're after here.