hello
i have a problem when i use this method bitauth.sign() , I put it in the request header i have this error :
" TypeError [ERR_INVALID_CHAR]: Invalid character in header content ["x-signature"]"
any help please thanks

Maybe i don't see it in the code, but it looks like that responses are not signed at all?
How would this prevents a MITM to temper a response?

The dist/bitauth.browser.min.js is nearly a half a MB, and impacts initial loadtime performance of webapps.

I recently wrote a Closure Extern File and made a cljsjs package for BitAuth:
cljsjs/packages#223

@crisptrutski suggested that I request upstream if you could put a copy of the browserified and minified code in your releases.

Thanks!

is it just because the SIN carries an additional few pieces of metadata, such as the SIN type? Or is it for security? As far as I understand the public key is sent with every request, so it's not being kept secret.

one more question: the bitcoin community is very much against reusing private keys, but it seems like SINs are meant to be reused. How do you reconcile the two?

Attempting to use bitauth as part of the bitpay node.js module, and seeing

crypto.js:202
  var ret = this._handle.final();
                         ^
Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
    at Error (native)
    at Decipher.Cipher.final (crypto.js:202:26)
    at Object.decrypt (/home/.../node_modules/bitauth/lib/decrypt.js:7:23)
    at new Bitpay (/home/.../bitpay.js:53:27)

Has this been encountered yet? Was not having this problem on Node 0.10.33, seems new to 0.12.0

Encryption and decryption methods only work in Node.js. The browser bundle is missing these features.

I will not lose what i work hard for this is to show that if you have the keys its your assets BTC/ETH CRYPTOLIFE

• Document a specification on how services and applications can integrate BitAuth
• Incorporate compatibility with BitID, and proposed BitID BIP.
• Review https://github.com/skubit/bitid-android and add compatibility server-side for such schemes.

A standard utility is a function for recovering a public key from a signed message.

See, for instance, https://github.com/ethereum/ethereumj/blob/80be70c3428f244706c6fc6ac67e1bd5374eeb05/ethereumj-core/src/main/java/org/ethereum/crypto/ECKey.java#L527

Please make a tagged release for 0.3.1

Also, it would help me out over in my CLJSJS package for bitauth if you guys could attach bitauth.bundle.js and bitauth.browser.min.js to the tagged release, since I am clumsily building these payloads right now for the cljsjs/bitauth JAR on clojars, and the CLJSJS maintainers have expressed they would prefer not to do things this way.

Thanks again guys for all of your hard work!

Trying to install bitauth on a Windows machine and fails with a result
sh scripts/make-dist.sh - si not an executable command or batch file...

In the npm_log at the end I see error:
"953 verbose stack Error: [email protected] postinstall: npm run make-dist
953 verbose stack Exit status 1
953 verbose stack at EventEmitter. (C:\Program "

See more here: https://jwt.io/
Would be nice to see a description on the README.

I'm sorry to report that the browserified version of this is now broken as of 0.3.1, and as such my upstream wrapper https://github.com/xcthulhu/clj-bitauth cannot function with the latest version of this package.

When running npm install:

Error: Cannot find module 'sinon' from 'bitauth/node_modules/bitcore'

Mocha tests are included to run with Node.js however there isn't an html file to load the tests in a web browser.

Is there any middleware that adds encryption to this? Signature is nice but I would love all data to be encrypted on the client with the server public key and decrypted on the server with the server private key and vice versa. Would be nice to have another piece of middleware for this. Any plans for this?

There is an existing proposal with working implementations (Darkwallet, Mycelium, mediawiki) . It would be great to give a motivation how BitAuth improves over BitID. This is not clear from the blogpost https://github.com/bitid/bitid

When attempting to follow the instructions in the Development section of the README for creating a browser-compatible version of Bitauth, the make-dist.sh script doesn't check the relative or absolute path for the browserify and uglifyjs modules. So, the script will fail but say "Done!" regardless. ;)

The signed data looks like it is just the url with the params concatenated: https://github.com/bitpay/bitauth/blob/master/examples/client.js#L40

I expect a nonce to be included somewhere so that an attacker is unable to reuse a signature. I'm able to successfully run the following command multiple times against the example server.

curl --header 'x-pubkey: 02d7cfea0841ca90c67f5260013e2fadf86c7fe3587c58851e4489736bb8ed5863' --header 'x-signature: 304502210082b5d01ed62594a66382824236a5932a1ffcdb375a76d7adebbb5a0e803537d90220144c23ac7e576e1be157bc38e595279c18fe214f4a0a728084c0269fd52b5fec' http://localhost:3000/pizzas

Implementing BIP32-style hierarchical SINs would be a fantastic mechanism for creating many identities, but controlled by one individual.

Just like electrum provides mnemonic versions of private keys, it would be great if Bitauth could provide this too, directly within the library itself.

This would make memorizing the key much easier for the end user, allowing them to carry their identity with them across devices with minimum friction.

For example, provide two more methods:

bitauth.decodeSinMnemonic(String) -> String - Would take in the mnemonic string as an argument, and output the raw SIN as the return value. This method would be used internally by:

bitauth.getPublicKeyFromPrivateKeyMnemonic(String) -> String - Would take in the mnemonic string as an argument, and output the public key.

I'm not certain at which point the mnemonic should be generated. I considered inside bitauth. generateSin(), but it seems it would be out of place there - thoughts on how you would go about it?

This sounds a lot like EnigForm to me. But with enigform i can store my private key on an OpenPGP SmartCard or USB stick.

http://wiki.buanzo.org/index.php?n=Main.Wp-enigform-authentication

This is on the horizon: http://www.w3.org/TR/WebCryptoAPI/

It would be great if bitauth was ready and supporting this as soon as implementations start to emerge in browsers.

As per #12, the included test server should reject requests that that do not correctly include a nonce.

The latest release is 0.3.2, which uses an old version of https://github.com/cryptocoinjs/secp256k1-node

https://github.com/bitpay/bitauth/blob/90ac1f5f3d088e71383880083642111bcae0b8f7/package.json

I can't manage to build that old version with Node.js v12, only with 10.

Could you update the dependency and release a new build?

Did you consider just using HTTP-Signatures:
https://web-payments.org/specs/source/http-signatures/

If you were aware of it I am interested to know why you felt it was insufficient?

I'm sorry to report that the latest version has broken the support for the Google Closure Compiler that previous versions provided.

This is a blocker for cljsjs/packages#255 , which is in turn a blocker for getting unicode support into my Clojure(Script) port https://github.com/xcthulhu/clj-bitauth .

I am using the following as my extern file:

var BitAuth = {
    "getPublicKeyFromPrivateKey": function (privateKey) {},
    "getSinFromPublicKey": function (publicKey) {},
    "generateSin": function () {},
    "sign": function (data, privateKey) {},
    "verifySignature": function (data, publicKey, hexSignature, callBack) {},
    "validateSin": function (sin, callBack) {}
};

Perhaps BitPay should host the extern file, since you own the API? At any rate I'm bummed that this doesn't work and I have to resort to the old version without UTF-8 support 😕

So I have a port of BitAuth to Clojure, and I am trying to work out differences in the implementations.

One basic problem is that JavaScript can't really handle unicode with codepoints above 65535 (see http://stackoverflow.com/q/19354455 for a discussion of this issue).

The solution I have been using elsewhere is to turn strings lists of bytes (or byte-arrays or whatever) using UTF-16 encoding. This works in ClojureScript because the hashing function goog.crypt.sha256 takes lists of bytes, and we always have the Closure libraries around. So the right thing to do might be to swap out hash.js for obvious-closure-library.

A type 1 SIN is associated with a bitcoin sacrifice (See: https://en.bitcoin.it/wiki/Identity_protocol_v1#Creating_sacrifice_transactions). This could enable non-boolean levels authentication. Depending on the amount of bitcoin sacrificed, access can be granted with more granularity.
An example app using this would be a forum where you need to sacrifice 0.01 btc to read, and 0.05 to post. An type 1 SIN which sacrificed 0.05 btc could read and post, and one with a 0.02 sacrifice could only read. Another could be an email server requiring a 0.01*x btc identity for every x emails sent (thus reducing spam). The benefits of adding costs to identity are many, and non-boolean authentication lets apps manage different levels of costs easily.

Does the readme example server need to use the middleware?

app.use( bitauth.middleware );

For bip32 wallets, it would be nice to have a recommended bip32 path that conforms to bip43 for generating the auth key. Will bitauth itself will become a bip standard? Because it should use that number in that case.

Error during installation when bitauth is a dependency:

Building browser bundle for bitauth...
scripts/make-dist.sh: 2: scripts/make-dist.sh: node_modules/.bin/browserify: not found
Minifying bitauth...
scripts/make-dist.sh: 4: scripts/make-dist.sh: node_modules/.bin/uglifyjs: not found
Done!

• There is an important bug fix in key calculation