Authentication

Verifying a message author

To verify that the author of a message is a legitimate user of your app, you need to implement the following mechanism.

The backend server of your application should provide your application with a verification token, obtained as the SHA1 hash of the concatenation of:

  • a private key provided by Instaply
  • a random nonce, also sometimes called a salt (a random string that you generate on your servers; it allows us to detect repeated authentication attempts and, eventually, block them)
  • the customer ID

Example:

  • if the private key is: YOUR_PRIVATE_KEY
  • if the random nonce is: RANDOM_NONCE
  • and the customer ID is: `herve@exemple.com`

the verification token is computed as sha1("YOUR_PRIVATE_KEYRANDOM_NONCEherve@exemple.com")

For this example, the verification token would be f32b6e7dd372275c80c71fc55786b5a26d54576c

Instaply can provide an implementation of the token generation code in various languages if needed. For example, in Python:

from hashlib import sha1

hasher = sha1()
# herve@exemple.com is the customer ID here; RANDOM_NONCE should be a randomly generated string.
# hashlib works on bytes, so the concatenated string is encoded as UTF-8 first.
hasher.update("YOUR_PRIVATE_KEYRANDOM_NONCEherve@exemple.com".encode("utf-8"))
verification_token = hasher.hexdigest()
print(verification_token)  # this will print f32b6e7dd372275c80c71fc55786b5a26d54576c

In your iOS application, you will then use the following method to configure the INSInstaplyAccountManager:

      [[INSInstaplyAccountManager sharedManager] configureWithAPIKey:apiKey userID:userId type:INSUserIdTypeEmail randomNonce:nonce verificationToken:verificationToken];

where randomNonce and verificationToken are the values obtained from your backend server.
On Android, you will have to authenticate as follows:

      // nonce and digest (the verification token) are the values obtained from your backend server
      Authentication authentication = new Authentication(apiKey, nonce, digest, customerId, businessId, null);
      instaplySharedAPI.authenticate(authentication, MainActivity.this);

Thanks to those values, we can grant the customer access to his conversations, since we have proof that your server identified him by the customerId. The proof lies in the fact that the verification token was generated using your private key (which is not available to third parties) together with the customerId.
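The full round trip described above, as an added example that is not part of the Instaply documentation or SDK: the backend generates a nonce and the SHA1 token, and a hypothetical TokenVerifier models the receiving side, recomputing the token with the shared private key and refusing a nonce it has already accepted (the repeated-authentication check mentioned earlier). PRIVATE_KEY, generate_nonce, compute_token and TokenVerifier are all names introduced here.

```python
import hashlib
import hmac
import secrets

# Constructed sample value standing in for the key Instaply issues; not a real key.
PRIVATE_KEY = "YOUR_PRIVATE_KEY"


def generate_nonce(num_bytes=16):
    """Random nonce from the OS CSPRNG, hex-encoded (32 characters for 16 bytes)."""
    return secrets.token_hex(num_bytes)


def compute_token(private_key, nonce, customer_id):
    """SHA1 over private_key || nonce || customer_id, as the page specifies.
    The input is encoded to UTF-8 bytes, which is what hashlib requires under Python 3."""
    material = (private_key + nonce + customer_id).encode("utf-8")
    return hashlib.sha1(material).hexdigest()


class TokenVerifier:
    """Hypothetical helper modelling the check on the receiving side: recompute the
    token with the shared private key, compare it, and refuse a nonce seen before."""

    def __init__(self, private_key):
        self._private_key = private_key
        self._seen_nonces = set()  # in production: a persistent store with expiry

    def verify(self, customer_id, nonce, token):
        # A nonce that has already been accepted is a replay; reject before hashing.
        if nonce in self._seen_nonces:
            return False
        expected = compute_token(self._private_key, nonce, customer_id)
        # Constant-time comparison so the check does not leak how much of the token matched.
        if not hmac.compare_digest(expected.encode("ascii"), token.encode("utf-8")):
            return False
        self._seen_nonces.add(nonce)
        return True


if __name__ == "__main__":
    nonce = generate_nonce()
    token = compute_token(PRIVATE_KEY, nonce, "herve@exemple.com")
    verifier = TokenVerifier(PRIVATE_KEY)
    print(token, verifier.verify("herve@exemple.com", nonce, token))  # accepted
    print(verifier.verify("herve@exemple.com", nonce, token))  # rejected: replayed nonce
```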

Notice that for development and testing purposes we sometimes provide API keys for which you are not required to supply a nonce and a digest. This allows developers to quickly test our SDK in the context of their applications without having to set up a server component. This is not a secure mechanism and must not be used in production; it is for testing only.

Last updated on 11th Dec 2017