Backend
Keyri can be incorporated into any backend framework. The examples below show vanilla JS and Node.js specifically, but the basic cryptographic and API endpoint creation principles can be applied in other backend environments.
We recommend integrating Keyri as a module in your existing authentication server.
- Install a library into your project that can generate a keypair with ecdh algorithm in prime256v1 curve (e.g., the default 'crypto' node.js library) and also can receive keys in base64 format for generating shared secrets.
You need to generate public and private keys (RSA) for asymmetric encryption (to ensure that no one except you can access sensitive data). Those items must be unique and must remain static over the lifetime of your project. Since the publicKey is hardcoded on mobile side to initialize the Keyri SDK, and everything passed to your server from your mobile app will be encrypted using this publicKey, the only one way to decrypt this data is to use the privateKey associated with this publicKey.
We recommend storing the private key in a .ENV file, similar to how you would handle other sorts of API keys.
Example of RSA keys
publicKey: test1
privateKey: test2
- With the server's keypair created, you can create an API endpoint for linking your existing users directly from mobile to your backend.
- After you receive this information, you need to decrypt the cipher. This next block shows how you can decode cipher with crypto, ecdh-crypto and crypto-js libraries in node.js.
decoded cipher looks like this:
- userId is used to be a unique identifier, you can name it email+password and based on this field you can identify a user from your DataBase.
- After you have successfully decrypted cipher you can return an object to authenticate a user.
This code example shows how you can realize api-method to verify sessions and return auth data to client.
- You need to create an API method for authenticating users for Desktop agents (e.g. Web, Tablet, SmartTV, Desktop).
- Inside the request body you will receive a sessionId and sessionKey which must be passed to the Keyri server to do internal validation.
See below for an example of full implementation for the keyri-api.