Is it possible to provide access to the smart contract only from the application and block direct access?

For example, I have a game, and I want the players to interact only through the application. But they can call functions if they just copy the ABI and contract address.

Is there any way to allow calling public contract functions only through the application, using some kind of secret token? But I don't know how to make such a secret token on a public blockchain.

Upvotes: 0

Views: 1323

Answers (2)

valem

Reputation: 1890

(1) One way to handle this is to sign the transactions yourself instead of having the user do it. You can add a modifier to the function like onlyAdmin and designate your app's account address as the admin. Then those functions will revert if called by anyone else.

The problem with this is you will have to pay gas and have mechanisms in your game to ensure that users cannot exploit usage of your signing key.

address public admin = msg.sender;   // deployer; set this to the app's signing account
modifier onlyAdmin() { require(msg.sender == admin); _; }

function doSomething(bytes32 userId) public onlyAdmin {
  // ... only the app's account gets past the modifier
}

(2) The other thing you can do is set a value that gets hashed in the function, then verify that hash. In the game you can give the user the value that will pass verification; the downside is you will have to make sure to update the hash after each use.

To do this you can emit an Event and listen for it then send a tx to update the appHash, but this costs you gas and may expose you to a timing attack depending on what the rest of your implementation is like.

You could also set the function to a locked state which you then unlock by resetting the appHash, but again this requires work and gas on your end.

bytes32 public appHash = '1s2a3d4g';   // placeholder: store keccak256 of the real app secret here

event didSomething(address indexed who, bytes32 appSecret);

function doSomething(bytes32 appSecret) public {
  // keccak256 takes a single bytes argument in Solidity >= 0.5, hence abi.encodePacked
  require(keccak256(abi.encodePacked(appSecret)) == appHash);
  // ...
  emit didSomething(msg.sender, appSecret);
}

With lock

bytes32 public appHash = '1s2a3d4g';   // placeholder: store keccak256 of the real app secret here
bool public locked = false;
address public admin = msg.sender;     // deployer; set this to the app's signing account
modifier onlyAdmin() { require(msg.sender == admin); _; }

function doSomething(bytes32 appSecret) public {
  require(keccak256(abi.encodePacked(appSecret)) == appHash);
  require(locked == false);
  // ...
  locked = true;   // one use per secret; admin must unlock with a fresh hash
}

function unlock(bytes32 nextAppHash) public onlyAdmin {
  appHash = nextAppHash;
  locked = false;
}

Upvotes: 0

久保圭司

Reputation: 589

If secret-token logic is included in the contract, it is visible to anyone who runs a node, so this seems difficult.

A normal web server can use cookies, domain-name checking, etc. to protect an API, but a smart contract cannot access data outside the contract, and data inside contracts is visible, so password protection is difficult.

The only possible solution seems to be using a cryptographic digital signature together with a proxy server.
The proxy server controls requests from the application and creates signed requests to the smart contract, which permits requests only from the proxy server.

Upvotes: 2
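As an added example (not code from either answer above), here is one way to implement the signed-request idea from the last answer so that it also avoids the gas cost and replay problems raised in the first answer. The app/proxy server keeps a signing key off-chain and hands the player a signature over (chain id, contract, player, action, nonce, deadline); the player pays for and submits the transaction, and the contract accepts it only if the signature recovers to the server's address. The contract name, the `action` field and the message layout are assumptions for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example of the signed-request pattern: the off-chain app server signs an
// authorisation, the player submits it, the contract checks it with ecrecover.
contract GatedGame {
    address public immutable appSigner;          // address of the server's signing key
    mapping(address => uint256) public nonces;   // per-player counter: each signature is single-use

    event ActionPerformed(address indexed player, uint256 action, uint256 nonce);

    constructor(address signer) {
        appSigner = signer;
    }

    // Rebuilds the exact message the server signed. Binding chainid and address(this)
    // stops a signature issued for one deployment from being replayed on another.
    function messageHash(address player, uint256 action, uint256 nonce, uint256 deadline)
        public view returns (bytes32)
    {
        return keccak256(abi.encodePacked(block.chainid, address(this), player, action, nonce, deadline));
    }

    // Splits a 65-byte r||s||v signature and recovers the signer of an EIP-191
    // personal_sign message ("\x19Ethereum Signed Message:\n32" prefix).
    function recoverSigner(bytes32 hash, bytes memory sig) internal pure returns (address) {
        require(sig.length == 65, "bad sig length");
        bytes32 r; bytes32 s; uint8 v;
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
        require(v == 27 || v == 28, "bad v");
        // Reject high-s values so every message has exactly one valid signature encoding.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "bad s");
        bytes32 prefixed = keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", hash));
        return ecrecover(prefixed, v, r, s);
    }

    // Called by the player with the authorisation the app server handed out.
    // Someone who only copied the ABI and address cannot produce appSigner's signature,
    // so the call reverts for them; the nonce is consumed before acting, so a captured
    // signature cannot be replayed either.
    function doSomething(uint256 action, uint256 deadline, bytes calldata sig) external {
        require(block.timestamp <= deadline, "authorisation expired");
        uint256 nonce = nonces[msg.sender];
        bytes32 hash = messageHash(msg.sender, action, nonce, deadline);
        address signer = recoverSigner(hash, sig);
        require(signer != address(0) && signer == appSigner, "not authorised by app");
        nonces[msg.sender] = nonce + 1;
        // ... game logic for `action` goes here ...
        emit ActionPerformed(msg.sender, action, nonce);
    }
}
```

Server side, the app reads `nonces(player)` from the contract, computes the same `messageHash`, signs it with the server key using the personal_sign prefix (for example with web3's `eth.accounts.sign` or ethers' `signMessage`), and returns `(action, deadline, signature)` to the client. Nothing in this scheme is secret on-chain: the signature is visible in calldata, but it cannot be forged, and the nonce plus deadline make a captured signature useless.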
