Architecture: Signing web3 for Users

Hi,

I want to pay for my customers' web3 gas, so I thought I could do the following:

  • Have some cloud functions doing the web3 calls for the user, requiring the user to be logged in and authorized to do the actions.

This is flagged as insecure by the documentation (I guess because the private key will be in the cloud function, and there is no special mechanism to encrypt the code?)

So, I went to a second approach: I create a custom node server, with a REST API that would be triggered by cloud functions.

But then, how can I protect the REST calls coming from the Moralis cloud to my private node server, and make sure the request comes from a logged-in user? Can I pass a user in a request and check that he is logged in from my node server?

If you have your own server, at that moment you can send info about the user, for example the session token; then you can check the session token in your Moralis server database in order to identify and validate the user.

if you have your own server

I'm a little bit lost: you mean if I have my own nodejs server?

To sum up: Moralis would handle login, cloud functions would send a REST request including the user's session token, and my nodejs server would check the session before answering the request?

Cheers

Yes, I mean if you have your own server where you make those REST requests from cloud code.

Yes, you can do those steps that you described there. You can also set a secret key on those REST requests if you want, so that you know those requests to your server are coming only from cloud code.

you can also set a secret key on those REST requests if you want, so that you know those requests to your server are coming only from cloud code

Well, this secret key would not be safe (exactly as the private web3 key is not), isn't it? And that's my issue; that is exactly why I'm building this server :frowning:

That is another layer, not meant to replace the other checks