Verifying a message author
As a way to verify the author of a message as a legitimate user of your app, you will need to implement the following mechanism.
The backend server of your application should provide to your application a verification token obtained through SHA1 hash of the concatenation of:
- a private key provided by Instaply
- a random nonce, also sometimes called a salt (It's just a random string that you will generate on your servers, that allows us to detect repeated authentication and eventually, block that)
- the customer ID
- if the private key is:
- if the random nonce is:
- and the customer ID is: `firstname.lastname@example.org`
the verification token is computed as
For this example, the verification token would be
Instaply can provide implementation of the token generation code in various languages if needed. It can for example be done as follows in Python:
from hashlib import sha1 hasher = sha1() hasher.update("YOUR_PRIVATE_KEYRANDOM_NONCEherve@exemple.com") #email@example.com is the customer ID here, RANDOM_NONCE should be a randomly generated string verification_token = hasher.hexdigest() print verification_token #this will print f32b6e7dd372275c80c71fc55786b5a26d54576c
In your iOS application, you will then use the following method to configure the
[[INSInstaplyAccountManager sharedManager] configureWithAPIKey:apiKey userID:userId type:INSUserIdTypeEmail randomNonce:nonce verificationToken:verificationToken];
where randomNonce and verificationToken are the values obtained from your backend server.
On Android, you will have to authenticate as follows:
Authentication authentication = new Authentication(apiKey, nonce, digest, customerId, businessId, null); instaplySharedAPI.authenticate(authentication,MainActivity.this);
Thanks to those values, we can grant the customer access to his conversation, since we have the proof that your server identified him with the customerId. The proof is given by the fact that the verification token has been generated using you private key (which is not available to third parties) and the customerId.
Notice that for development and testing purpose we sometimes provide API keys for which you are not required to provide a nonce and a digest. This allows developers to quickly test our SDK in the context of their applications, without having to setup a server component. This is not a secure mechanism and it should not be used in production, only for testing.