Device Verification
This page explains how the middleware securely handles requests coming from the user's actual device and how to construct such a request so that it succeeds.
Summary
Some requests are sensitive, for example approving or cancelling a transfer, and if handled carelessly they can cause a major problem for the user. That is why the API endpoint requires the user to solve a 'Challenge'; here, this can mean the user has to enter the account PIN.
Steps to Generate a Signature
1. Get Challenge Response
The public key is required for this step. Below is sample Dart code that generates the body for the load challenge POST request:
On line 1, the public key is retrieved from device storage, and on line 2 the hash is generated by a package that uses RSA encryption. On line 4, the body of the request is JSON-encoded. Finally, on line 11, the POST request is made to /sessions/challenges with the body and the headers.
Our goal in this step is to get the challenge id that the server returns in response to the above request.
2. Preparing the data for making the signature
Now that we have the challenge id from the previous step, we also need the username of the account. We have to add the following information to the header:
As you can see, the PIN is required for this, and there is a signature field as well. The signature field contains the following information:
Now the header is ready, and we can make the request to check whether everything works properly.
For example, when approving a transfer request, the request should look like the following:
Here the signature and the PIN are added to the header, as the signature is required to approve the transfer.