
Server Side Verification #2

Open
seantheyahn opened this issue Jun 28, 2020 · 10 comments
Labels
enhancement New feature or request

Comments

@seantheyahn

seantheyahn commented Jun 28, 2020

Greetings,

As you are already well aware, in almost every situation with these types of authentication there is a need for server-side verification. Unfortunately I haven't found anything on the CafeBazaar developer documentation; it would be great if you provided the necessary APIs for server-side verification.

@erfan-mehraban

Authentication against Bazaar servers is done by the Bazaar client. The client sends the information required for verifying the user and the app to the server and handles the server response.
If what you mean is that we provide an API in order to be used by developers’ servers, I am afraid this is not available yet but it is one of our long-term plans.
At the moment, Login with Bazaar is only accessible in Bazaar application.

@seantheyahn

Yes, I meant a server-to-server API, like the one for purchase verification. In almost every case the apps and games that require login have a backend (otherwise the login doesn't make much sense), and a login without server-side verification is not complete: since any user can claim to be someone else, they cannot be authenticated, and this type of login is not very helpful other than providing a unique ID for the client. I hope this will be available very soon.

@erfan-mehraban

The connection between the Bazaar client and server is secured through token handling and SSL. Also, the connection between the Bazaar client and your app is secured by checking the certificate signature. So no attacker can exploit or change these data by changing just one application. (It needs to be mentioned that each attacker can only attack her own account, because login in Bazaar needs phone verification.)

@shayanpourvatan shayanpourvatan added the enhancement New feature or request label Jul 20, 2020
@amirhnir

After CafeBazaar authentication, when my app sends the "accountID" to my server, how can I be sure this is not fake?
So server-side verification is necessary for this.

@erfan-mehraban

As I mentioned, your app can check the Bazaar certificate signature (of course this is happening implicitly in the current CafeBazaarAuth SDK).

@amirhnir

@MohammadJamali

Could you please provide us with more information about how to check the authenticity of the provided user ID? getSignedInAccountFromIntent always returns null regardless of the decision I've made (1.0.0-beta01), and getLastSignedInAccount gives me a base64 string which is an encrypted string.

How can I verify this base64 string using the Bazaar certificate signature?

@erfan-mehraban

erfan-mehraban commented Apr 11, 2022

getSignedInAccountFromIntent should be called once at first.
Account ID verification cannot be done alone. The source of this ID, which is a Bazaar application, is validated with the application signature (which is done by the SDK).
So you do not need another validation; just use the official SDK of Bazaar.
@MohammadJamali (sorry, I missed the comment notification)

@AliA74

AliA74 commented Jun 11, 2023

I think there is a misunderstanding. The connection between our app and the Bazaar app is secure; OK, we understood that and are done with it.
When we get the user's BazaarID we need to send it to our own backend server. Anyone can send this request and claim to be someone else. So authentication mechanisms provide a way to validate the authenticity of the request. We need a signature or some backend-to-backend API so that we can validate that this BazaarID was obtained from the Bazaar client and nobody else can claim to own this BazaarID.
Please refer to this link for an example of Google Play login.
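The gap AliA74 describes, as an added illustration that is not code from this repository or the CafeBazaar SDK: a backend that accepts a bare account id beside one that only accepts an assertion binding that id to an expiry and a nonce under a keyed tag. The shared-secret HMAC, the assertion format and every function name here are assumptions for the demo; the thread describes no such assertion being issued by Bazaar.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Placeholder secret; a real one would be provisioned out of band between provider and backend.
SHARED_SECRET = b"constructed-demo-secret"
TAG_LEN = hashlib.sha256().digest_size
_seen_nonces: set = set()  # replay protection (in-memory, for the demo only)

def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so both sides tag exactly the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def issue_assertion(account_id: str, secret: bytes = SHARED_SECRET,
                    ttl: int = 300, now: Optional[float] = None) -> str:
    """Hypothetical provider side: binds the account id to an expiry and a fresh nonce."""
    now = time.time() if now is None else now
    body = _canonical({"account_id": account_id, "exp": int(now) + ttl,
                       "nonce": secrets.token_hex(8)})
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag).decode()

def login_insecure(request_json: dict) -> str:
    """What the thread warns against: the backend trusts whatever id the client posts."""
    return request_json["account_id"]

def login_verified(assertion_b64: str, secret: bytes = SHARED_SECRET,
                   now: Optional[float] = None) -> Optional[str]:
    """Returns the account id only if tag, expiry and nonce all check out, else None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(assertion_b64)
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # forged or tampered
            return None
        payload = json.loads(body)
        if payload["exp"] < now:                    # stale assertion
            return None
        if payload["nonce"] in _seen_nonces:        # replayed assertion
            return None
        _seen_nonces.add(payload["nonce"])
        return payload["account_id"]
    except (ValueError, KeyError, TypeError):
        return None
```

With this shape the backend can reject a guessed id, a tag computed under the wrong key, an expired assertion and a replayed one, which is exactly what a bare BazaarID cannot give it.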

@amirhnir

Interesting. After 3 years, we are still discussing the explanation of a simple issue 😂

@MohammadJamali

I'm officially offering to join the CafeBazaar developer team voluntarily to help solve this issue.
