
TonAPI

Introduction

tonapi.io is an API for the TON blockchain developed by the Tonkeeper team. It gives access to indexed blockchain data over HTTP.

Authorization overview

Authorization is performed in two steps: redirect the user to the auth page, then exchange the returned authToken for a regular API token and verify ownership of the TON account.

1) Redirect user to the auth page

To perform auth, the user must be redirected to a special page where the auth can be checked: tonapi.io/login?{params}

Params supported:

  • redirect_url [optional] string, URL the user will be redirected to after successful auth
  • callback_url [optional] string, URL which will be called from the backend after successful auth
  • app_id [optional] string, identifier of the app. The name and icon of the app will be shown on the authorization page. (not supported yet)

One of the params redirect_url or callback_url must be passed. Please note that the authToken you get at the end of the authorization flow is a ONE TIME USE, SHORT LIVED token which must be exchanged for a persistent token on the server side via tonapi.io/v1/oauth/getToken. Merely receiving an authToken is not proof of successful user authorization: it arrives in a URL, so it can be swapped or stolen by an attacker, and only the server-side exchange confirms it.

In case of success, the callback_url or redirect_url will be called with the following GET params appended:

  • success – boolean, true if auth was performed successfully (not supported yet)
  • auth_token [optional] string, one-time-use token
  • error_code [optional] string, short text code of the error when success=false (not supported yet)
  • error_text [optional] string, human-readable description of the error when success=false (not supported yet)

Examples:

{
    "success": true,
    "auth_token": "abcd..."
}
{
    "success": false,
    "error_code": "auth_rejected",
    "error_text": "User canceled authorization"
}

2) Fetching a persistent token via the tonapi.io/v1/oauth/getToken method.

After obtaining the auth_token via the process described above, the getToken method must be called from the server side to check that the auth_token is valid.

An Authorization header must be passed to this method the same way as for any other method of the tonapi.io API. The AppToken can be obtained from the t.me/tonapi_bot Telegram bot. Learn more about serverside and clientside flows below.

Example header:

Authorization: Bearer AppTokenHere

Serverside auth header:

const https = require('https'); // tonapi.io is served over TLS, so use https, not http

// serverSideAppToken comes from t.me/tonapi_bot; it must only ever live on the server
var options = {
    host: 'tonapi.io',
    path: '/v1/nft/getCollections',
    headers: {
        'Authorization': 'Bearer ' + serverSideAppToken,
    }
};
https.request(options, (res) => { /* read res here */ }).end();

Clientside auth header:

// clientSideAppToken is the clientside AppToken; it is rate-limited per IP and safe to ship in a browser bundle
var options = {
    method: 'post',
    headers: new Headers({
        'Authorization': 'Bearer ' + clientSideAppToken,
    }),
}
fetch("https://tonapi.io/v1/nft/getCollections", options)

There are two types of AppTokens that can be generated by t.me/tonapi_bot, serverside token and clientside token.

Following POST params needed by this method:

  • auth_token, string, the one-time token returned by the login page in step 1
  • rate_limit, number, requests per second
  • token_type, string [client, server], type of token which will be used to identify the app

Examples:

{
    "success": true,
    "user_token": "abcd...",
    "address": "EQrt...s7Ui",
    "pubkey": "Pub6...2k3y", // base64-encoded Ed25519 public key
    "signature": "Gt562...g5s8D=", // base64-encoded ed25519 signature
    "wallet_version": "v4R2", // supported values: "v3R1", "v3R2", "v4R1", "v4R2"
    "client_id": "abc"
}
{
    "success": false,
    "error_code": "auth_rejected",
    "error_text": "User canceled authorization"
}
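The two steps above, as an added example in Node.js that is not tonapi.io's own code: it builds the step-1 login URL, parses the params appended to the callback, and describes the step-2 getToken request so the network call is kept separate from the logic that can be checked offline. Two things are assumptions, not stated on the page: the getToken body is sent as JSON, and the success response has the JSON shape shown above. The https-only check on redirect_url/callback_url is a hardening choice added here (the auth_token travels in the query string), relaxed for localhost so the demo below still works.

```javascript
// Added example, not tonapi.io's own code. Assumptions: JSON request body for
// getToken; response fields as in the page's example.
const LOGIN_URL = 'https://tonapi.io/login';
const GET_TOKEN_URL = 'https://tonapi.io/v1/oauth/getToken';

// Step 1: build the URL the user is sent to. At least one of redirect_url /
// callback_url is required; app_id is optional (page: "not supported yet").
function buildLoginUrl({ redirectUrl, callbackUrl, appId } = {}) {
  if (!redirectUrl && !callbackUrl) {
    throw new Error('one of redirect_url or callback_url is required');
  }
  const url = new URL(LOGIN_URL);
  for (const [name, value] of [['redirect_url', redirectUrl], ['callback_url', callbackUrl]]) {
    if (value === undefined) continue;
    const dest = new URL(value);
    const local = ['localhost', '127.0.0.1'].includes(dest.hostname);
    // hardening choice (not from the page): the auth_token rides in this URL's query string
    if (dest.protocol !== 'https:' && !(local && dest.protocol === 'http:')) {
      throw new Error(`${name} must be https`);
    }
    url.searchParams.set(name, value);
  }
  if (appId) url.searchParams.set('app_id', appId);
  return url.toString();
}

// Parse the GET params appended to redirect_url / callback_url. A present
// auth_token is NOT proof of login; it still has to be exchanged server side.
function parseAuthCallback(callbackUrl) {
  const q = new URL(callbackUrl).searchParams;
  const authToken = q.get('auth_token');
  // "success" is not supported yet, so an explicit success=false or a missing
  // auth_token is treated as failure and everything else as "try the exchange".
  if (q.get('success') === 'false' || !authToken) {
    return {
      ok: false,
      errorCode: q.get('error_code') || 'missing_auth_token',
      errorText: q.get('error_text') || 'no auth_token in callback',
    };
  }
  return { ok: true, authToken };
}

// Step 2 (server side only): describe the POST to /v1/oauth/getToken.
// serverSideAppToken is the AppToken from t.me/tonapi_bot; never ship it to a browser.
function buildGetTokenRequest(authToken, { serverSideAppToken, rateLimit = 1, tokenType = 'server' }) {
  if (!['client', 'server'].includes(tokenType)) {
    throw new Error('token_type must be client or server');
  }
  return {
    url: GET_TOKEN_URL,
    options: {
      method: 'POST',
      headers: {
        'Authorization': 'Bearer ' + serverSideAppToken,
        'Content-Type': 'application/json', // assumption: JSON body
      },
      body: JSON.stringify({ auth_token: authToken, rate_limit: rateLimit, token_type: tokenType }),
    },
  };
}

// Validate the getToken response shape before anything downstream trusts it.
function parseGetTokenResponse(json) {
  if (!json || json.success !== true) {
    throw new Error(`getToken failed: ${json && json.error_code} ${json && json.error_text}`);
  }
  for (const field of ['user_token', 'address', 'pubkey', 'signature']) {
    if (typeof json[field] !== 'string' || json[field].length === 0) {
      throw new Error(`getToken response missing ${field}`);
    }
  }
  return {
    userToken: json.user_token,
    address: json.address,
    pubkey: json.pubkey,
    signature: json.signature,
    walletVersion: json.wallet_version,
    clientId: json.client_id,
  };
}

// Full step 2 over the network (Node 18+ global fetch). Not invoked here so
// the file runs offline.
async function exchangeAuthToken(authToken, opts) {
  const { url, options } = buildGetTokenRequest(authToken, opts);
  const res = await fetch(url, options);
  return parseGetTokenResponse(await res.json());
}
```

Only the callback handler on the server should ever see the auth_token: call exchangeAuthToken there, store user_token, and hand the browser a session of your own rather than any tonapi token.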

Decentralised proof of ownership

It is possible to check the proof of ownership without fully relying on TonAPI. Here is an example of the code needed to check the signature and be sure that the user has access to the provided wallet: https://github.com/tonkeeper/ton-connect/blob/main/tonconnect-server/src/TonConnectServerV1.ts#L36

OAuth demo

A simple auth demo using tonapi.io, Tonkeeper and the OAuth login flow, with desktop and mobile support. Before looking at this demo, read the definition of the OAuth login flow above and the OAuth implementation.


Quick start guide:

1) git clone git@github.com:startfellows/tonapi-oauth-demo.git
2) cd tonapi-oauth-demo
3) yarn
4) yarn start

Look at the source code for more details

TONApi authorization

Serverside and clientside flows

TonAPI can be used from the client side as well as from the server side, and in some cases from both at the same time. From a code perspective there is not much difference, but it is important never to use the serverside token anywhere on the client side, and to use clientside tokens only on the client side. The reason is that a clientside token has additional per-IP limits, while a serverside token can be banned if it floods the API with a large number of requests, so the developer must rate-limit it.
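An added example (not tonapi.io's own code) of the self-imposed limit the paragraph asks for on the serverside token: a token bucket in front of fetch, so one runaway job cannot push the shared serverside AppToken over the budget and get it banned. The requests-per-second figure is assumed to be whatever rate_limit the developer chose when the token was issued; the clock is injectable so the bucket can be checked without waiting in real time.

```javascript
// Added example, not tonapi.io's own code. Assumption: rps matches the
// rate_limit the serverside token was issued with.
class TokenBucket {
  constructor(rps, now = () => Date.now()) {
    this.rps = rps;       // refill rate per second, also the bucket capacity
    this.tokens = rps;    // start full so a cold start is not penalised
    this.now = now;       // injectable millisecond clock
    this.last = now();
  }

  // Add the tokens earned since the last call, capped at capacity.
  refill() {
    const t = this.now();
    this.tokens = Math.min(this.rps, this.tokens + ((t - this.last) / 1000) * this.rps);
    this.last = t;
  }

  // True if a request may go out now; false means the caller must wait.
  tryAcquire() {
    this.refill();
    if (this.tokens >= 1) {
      this.tokens -= 1;
      return true;
    }
    return false;
  }

  // Milliseconds until tryAcquire() would succeed (0 if it would right now).
  msUntilToken() {
    this.refill();
    if (this.tokens >= 1) return 0;
    return Math.ceil(((1 - this.tokens) / this.rps) * 1000);
  }
}

// Wrap fetch so every call made with the serverside token passes through the
// bucket. Share one bucket per AppToken across the whole process.
function limitedFetch(bucket, fetchImpl = globalThis.fetch) {
  return async function (url, options) {
    while (!bucket.tryAcquire()) {
      await new Promise((resolve) => setTimeout(resolve, bucket.msUntilToken()));
    }
    return fetchImpl(url, options);
  };
}

// Usage: const apiFetch = limitedFetch(new TokenBucket(5));
//        await apiFetch('https://tonapi.io/v1/nft/getCollections',
//                       { headers: { Authorization: 'Bearer ' + serverSideAppToken } });
```

If the service runs as several processes, each one must get its own share of the budget (or the bucket must live in shared storage), because the ban applies to the token, not to the process.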
