
Auth: OTP, JWT & SiweMessage #211

Open

MSghais opened this issue Oct 23, 2024 · 13 comments
Labels
backend frontend Web & Mobile & UI/UX mobile React native dev ODHack9 ODHack9 issues

Comments

@MSghais
Member

MSghais commented Oct 23, 2024

Description

This is a full-stack issue, mobile and backend.

We need an AUTH between the Mobile app, Web, and Backend.
This can be done through OTP, JWT, Siwe message of an EVM wallet, or Starknet.

We already have Twilio endpoints for OTP.

  • Generate OTP with Twilio.
  • Verify JWT
  • Expo auth
  • Save user in DB
  • Create session in Prisma schema and save it in DB
@MSghais MSghais added frontend Web & Mobile & UI/UX backend mobile React native dev ODHack9 ODHack9 issues labels Oct 23, 2024
@estherbreath

estherbreath commented Oct 24, 2024

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I am a smart contract and full stack developer and would like an opportunity to work on this issue.
Using my background, I would:

1. Implement smart contracts for secure authentication logic
2. Develop backend APIs to interact with contracts and handle JWT creation
3. Create mobile app UI using Expo for user interaction

How I plan on tackling this issue

For the Frontend (Mobile), I would:
    ◦ Implement OTP generation using Twilio API
    ◦ Create login screen with phone number input
    ◦ Send OTP request to backend
    ◦ Input OTP field for verification
    ◦ Implement JWT storage and refresh mechanism

For Backend, I would:
    ◦ Set up Twilio integration for OTP generation
    ◦ Create endpoint for OTP generation
    ◦ Implement JWT creation and verification
    ◦ Design Prisma schema for user sessions
    ◦ Create database operations for saving users and sessions

Authentication Flow:
    ◦ User enters phone number in mobile app
    ◦ App sends request to backend for OTP generation
    ◦ Backend generates OTP via Twilio and stores it temporarily
    ◦ User receives OTP and enters it in app
    ◦ App sends verification request to backend
    ◦ Backend verifies OTP and creates JWT if valid
    ◦ Backend saves user info and session in database
    ◦ Return JWT to mobile app for storage

Security Measures:
    ◦ Implement proper error handling and logging
    ◦ Use HTTPS for all API calls
    ◦ Set appropriate JWT expiration times
    ◦ Implement rate limiting on OTP requests

Finally, for Testing:
    ◦ Write unit tests for backend functions
    ◦ Create integration tests for full authentication flow
    ◦ Perform security audits on both frontend and backend

ETA: 3 days

@0xdevcollins

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

Hi, I'm Collins a frontend and blockchain developer, and an active contributor on OnlyDust. You can check out my profile here: https://app.onlydust.com/u/0xdevcollins. This is my first time contributing to this repository, and I’m excited about the opportunity to contribute. Looking forward to collaborating!

How I plan on tackling this issue

To implement authentication across the mobile app, web, and backend, I will establish a comprehensive auth system using OTP, JWT, and possibly Siwe messages from EVM wallets or Starknet.

I will start by utilizing the existing Twilio endpoints to generate and verify OTPs for user authentication. After verifying the OTP, I’ll implement JWT for secure session management. I’ll also integrate Expo for handling authentication on the mobile side.

Once a user is authenticated, I will save their details in the database and create a session in the Prisma schema to manage their session state effectively.

@JoE11-y

JoE11-y commented Oct 24, 2024

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I'm Joseph a blockchain developer with over four years in blockchain and backend development, I’ve worked across different ecosystems, handling everything from smart contract design to on-chain interactions and protocol integration. I focus on building secure, scalable, and reliable blockchain applications, managing both on-chain and off-chain infrastructure.

How I plan on tackling this issue

Begin by studying the codebase to ensure design consistency, then proceed to work on the task.

  1. Study current codebase design
  2. Leverage all provided resources within the issue to get a better grasp of the task at hand.
  3. Implement the task.
  4. Add tests to make sure the changes are working and no adverse effects
  5. And lastly optimize

@bhavyagosai
Contributor

bhavyagosai commented Oct 24, 2024

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

Hey, I am Bhavya, a seasoned frontend engineer with two years of professional experience. I have been working with React, React Native, Next.js, TypeScript, shadcn, and Tailwind CSS for a while now. I have worked previously on the joyboy app too! I was active in the previous ODHack, so I am very familiar with the afk monorepo codebase.

How I plan on tackling this issue

The task at hand here is to handle cross auth between mobile and web. The approach would be:

  • OTP Generation and Verification (Twilio)
    • User enters their phone number.
    • Mobile/Web app makes an API call to backend to generate an OTP.
    • Use Twilio SDK to send OTP to the phone number.
    • Save the OTP with a short expiry in Redis or in-memory store.
    • On OTP submission, call backend to verify OTP.
    • If valid, generate JWT token for session management.

  • JWT Verification
    • Generate JWT upon successful OTP verification.
    • Payload: { userId, phone, timestamp, ... } (just an example).
    • Secret: Use a strong HMAC SHA-256 secret key.
    • Mobile: Secure storage (AsyncStorage or SecureStore for Expo).
    • Web: Store in HTTP-only cookies.
    • Also verify JWT on backend for protected routes.

  • Expo Auth (kind of similar with web also)
    • Store JWT token securely.
    • On app load, retrieve the token to auto-login users if valid.

  • User Management and Database Storage
    • On OTP verification, check if the user exists in the database.
    • If not, create a new user in the User or whichever relevant table.
    • Save the JWT in the Session or whichever relevant table.

  • Session Handling and Refresh Tokens
    • Use refresh tokens stored in the Session table after JWT expiry.
    • On token expiration, allow frontend to call an /auth/refresh endpoint.
    • Issue a new JWT if the refresh token is valid.

Ideally we can have both OTP based and SIWE based auth and then lead to the same backend session handling with JWT-based sessions and Prisma database.

ETA should be 3-4 days (can prioritise if needed)

@suhas-sensei

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I have experience in blockchain previously from personal projects and OS, so I'm hoping to make use of them here and mark my first ODHack contribution.

@jaiminRaiyani

jaiminRaiyani commented Oct 24, 2024

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I am Jaimin Raiyani, a computer engineering student and a software engineer with extensive experience in full-stack development, specifically using technologies like Node.js, JavaScript, and various backend frameworks.

My technical skills in backend development, combined with my knowledge of RESTful APIs and authentication mechanisms, make me well-equipped to tackle the challenges of integrating secure authentication across multiple platforms. Additionally, my familiarity with databases (like Prisma) enables me to efficiently manage user data and sessions.

How I plan on tackling this issue

Requirement Analysis: I would start by analyzing the specific authentication requirements for the mobile app, web app, and backend, considering factors like user experience, security needs, and technology stack.

Designing the Workflow:

OTP Generation and Verification: Leverage Twilio’s API to generate and send OTPs to users’ mobile numbers. Implement an endpoint to handle OTP verification, ensuring robust error handling and user feedback.

JWT for Session Management: After verifying the OTP, I would generate a JWT to manage user sessions. This token would be sent to the client (mobile/web) for subsequent API requests.

User and Session Management:
Utilize Prisma to create schemas for user and session data, ensuring secure storage and retrieval of user information. This allows for efficient management of user sessions and helps prevent unauthorized access.

Implementation: I would implement the authentication flow step-by-step, starting from OTP generation to session management, ensuring each part is well-tested and secure.

Testing and Optimization: Rigorous testing will be performed to identify and resolve any security vulnerabilities, as well as to ensure a seamless user experience across platforms.

Documentation: Finally, I would document the entire process, providing clear guidelines for future developers to understand the authentication system and its integration points.

@jrmncos

jrmncos commented Oct 24, 2024

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I'm a senior backend Software Engineer. I know about authentication; I already implemented it in previous jobs (for example, APIs written with Spring Boot and Django REST).

How I plan on tackling this issue

I will follow the description as it is

@ShantelPeters

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I have extensive experience in full-stack development, particularly with authentication systems. My background includes integrating OTP solutions using Twilio, managing JWT-based authentication, and working with both mobile and web applications. Additionally, I have a solid understanding of database management and session handling, which is crucial for this task.

How I plan on tackling this issue

To implement the authentication system, I will start by generating OTPs using Twilio's endpoints and ensuring they can be sent and verified within the mobile and web applications. Next, I will implement JWT verification to securely authenticate users after successful OTP validation. For mobile authentication, I will integrate Expo Auth to streamline the user experience.

Once authenticated, I will create user entries in the database using Prisma, ensuring that user sessions are managed effectively. This will involve setting up the necessary database schemas and handling session persistence. I will also ensure robust error handling and logging throughout the process to facilitate debugging and enhance security. After completing the implementation, I will conduct thorough testing to verify the entire authentication flow across mobile and web platforms.

@aniruddhaaps

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I am a Solidity dev. A newcomer here, willing and ready to contribute to solving the issue.

@caxtonacollins

I am applying to this issue via OnlyDust platform.

My background and how it can be leveraged

I am applying to this issue via https://app.onlydust.com/p/landver

I am a full-stack developer who has worked with various frameworks over the years, and I have been trying to contribute to various open source projects over the years. Currently I am transitioning into the web3 space.

How I plan on tackling this issue

I am going to implement a flow that integrates OTP with JWT for secure authentication.

I will use Twilio's API to generate an OTP and send it to the user's phone number via SMS, and verify the user's input by comparing the OTP with the stored one and checking if it's still valid.

Upon successful OTP verification, a new JWT token containing the user's ID and other relevant claims will be generated.

Expo for the mobile app: I will store the received JWT securely on the client side using AsyncStorage.

I am going to save the user in the database, create a session, and save it in Prisma.

@mimisavage

I'd love to give this a go.

@Akshola00

Is it okay if I tackle this?

@Sagar-Puniyani

Implementation Plan for Multi-Platform Authentication Solution.

Proposed solution:

  1. The issue can be solved by using Twilio to request and verify the OTP.
  2. We will create a session schema in Prisma to persist session tokens, allowing session tracking and easy invalidation when needed.
  3. After OTP verification, our backend will issue a JWT containing the user ID and necessary claims. This token will be stored securely on the client and validated with each request.
  4. Cross-Platform Integration: Utilize Expo in the mobile app to store and manage JWTs, ensuring seamless login on both mobile and web.
