{"id":20272325,"url":"https://github.com/steemit/rpc-auth","last_synced_at":"2026-03-04T14:31:10.392Z","repository":{"id":72308918,"uuid":"110747084","full_name":"steemit/rpc-auth","owner":"steemit","description":"JSON-RPC 2.0 request authentication with Steem authorities","archived":false,"fork":false,"pushed_at":"2018-09-25T01:41:45.000Z","size":78,"stargazers_count":8,"open_issues_count":6,"forks_count":17,"subscribers_count":18,"default_branch":"master","last_synced_at":"2025-04-11T04:41:55.436Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/steemit.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-11-14T21:31:22.000Z","updated_at":"2024-08-15T10:04:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"5fe3d9bf-a19d-44fb-90eb-6c7d1e71f871","html_url":"https://github.com/steemit/rpc-auth","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/steemit/rpc-auth","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steemit%2Frpc-auth","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steemit%2Frpc-auth/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steemit%2Frpc-auth/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steemit%2Frpc-auth/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/steemit","download_url":"https://codeload.github.com/steemit/rpc-auth/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steemit%2Frpc-auth/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30083738,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-04T13:22:36.021Z","status":"ssl_error","status_checked_at":"2026-03-04T13:20:45.750Z","response_time":59,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T12:42:52.085Z","updated_at":"2026-03-04T14:31:10.002Z","avatar_url":"https://github.com/steemit.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n@steemit/rpc-auth\n=================\n\nJSONRPC 2.0 authentication with steem authorities\n\n\nSpecification\n-------------\n\n### Overview\n\nRequest signing for [JSON-RPC 2.0](http://www.jsonrpc.org/specification) implemented using [steem](https://steem.io) authorities.\n\n### Design Goals\n\n* Do not require request header modification.\n    * Result: Signature/auth must be in message body\n* Signed requests do not violate json-rpc spec.\n    * Result: Extensions must go into `params`.\n* Method name is not obscured so that it may be routed properly to the correct handler/backend.\n    * Result: `method` remains unchanged by signing.\n\n### Signed request\n\nRequests are signed with steem keys belonging to the sender.\n\nExample JSON-RPC request:\n```json\n{\n    \"jsonrpc\": \"2.0\",\n    \"id\": 123,\n    \"method\": \"foo.bar\",\n    \"params\": {\n        \"hello\": \"there\"\n    }\n}\n```\n\nAbove request signed with the posting key belonging to `foo`:\n```json\n{\n    \"jsonrpc\": \"2.0\",\n    \"method\": \"foo.bar\",\n    \"id\": 123,\n    \"params\": {\n        \"__signed\": {\n            \"account\": \"foo\",\n            \"nonce\": \"1773e363793b44c3\",\n            \"params\": \"eyJoZWxsbyI6InRoZXJlIn0=\",\n            \"signatures\": [\n                \"1f02df499f15c8757754c11251a6e5238296f56b17f7229202fce6ccd7289e224c49c32eaf77d5905e2b4d8a8a5ddcc215c51ce45c207ef0f038328200578d1bee\"\n            ],\n            \"timestamp\": \"2017-11-26T16:57:40.633Z\"\n        }\n    }\n}\n```\n\nSignature creation pseudocode:\n```python\n\n# JSON+Base64 request params\nparams = base64(json_encode(request['params']))\n\n# 8 byte nonce\nnonce = random_bytes(8)\n\n# ISO 8601 formatted timestamp\ntimestamp = date_now() # \"2017-11-26T16:57:40.633Z\"\n\n# Signer account name\naccount = 'foo'\n\n# Private posting key belonging to foo\nsigning_key = PrivateKey('...')\n\n# Signing constant K (sha256('steem_jsonrpc_auth'))\nK = bytes_from_hex('3b3b081e46ea808d5a96b08c4bc5003f5e15767090f344faab531ec57565136b')\n\n# first round of sha256\nfirst = sha256(timestamp + account + method + params)\n\n# message to be signed\nmessage = sha256(K + first + nonce)\n\n\nsignature = ecdsa_sign(message, signing_key)\n```\n\n### Signature validation\n\n  1. Entire request must be \u003c64k for sanity/anti-DoS\n  1. Request must be valid json and json-rpc\n  1. `request['params']['__signed']` must exist\n  1. `request['params']['__signed']` must be the only item in `request['params']`\n  1. `request['params']['__signed']['params']` must be valid base64\n  1. `request['params']['__signed']['params']` when base64 decoded must be valid json\n  1. `request['params']['__signed']['nonce']` must exist and be a hex string of length 16 (8 bytes decoded)\n  1. `request['params']['__signed']['timestamp']` must exist and be a valid iso8601 datetime ending in Z\n  1. `request['params']['__signed']['timestamp']` must be within the last 60 seconds\n  1. `request['params']['__signed']['account']` must be a valid steem blockchain account\n  1. `request['params']['__signed']['signature']` must be a hex string \u003e= 64 chars (32+ bytes decoded)\n  1. construct `first = sha256( request['params']['__signed']['timestamp'] + request['params']['__signed']['account'] + request['method'] + request['params']['__signed']['params'] ).bytes()`\n  1. construct `signedstring = sha256( K + first + unhexlify(nonce)).bytes()`\n  1. check signature, signedstring against posting authorities for `request['params']['__signed']['account']`\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteemit%2Frpc-auth","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsteemit%2Frpc-auth","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteemit%2Frpc-auth/lists"}