User authentication using Stellar

This is a proof-of-concept of using a Stellar account for user authentication.

How it works

The service asks the user to send it a payment for a unique amount; the amount acts as a one-time challenge tied to the user's login session. Once that transaction appears on the ledger, the service reads the sender's address from it. To stop an attacker who simply guesses the unique amount and submits their own payment first, the service then shows the user the address it received and asks them to confirm that it is theirs before treating them as logged in.

Known issues

This implementation is vulnerable to a session fixation attack, similar to the one that affected OAuth 1.0: an attacker starts a login session, gets a victim to pay the amount from that session's prompt, and then confirms the victim's address from their own browser. The most plausible workaround I've thought of is that payments need to somehow embed the metadata {site, session ID} (either natively by extending the Stellar protocol, or as a layer on top of it) -- that way the user can always verify which site they're authenticating to. I feel like there's probably a better solution though, and would be curious to hear if you have any ideas.
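To make both the login flow and the known issue concrete, here is a small Python simulation. It is an added example, not code from this project: the service, the ledger watcher and the two users run in one process, the addresses and site names are constructed placeholders, and the optional memo field is an assumed way of attaching the site and session ID to a payment (the binding the workaround above would need), not a description of the Stellar transaction format.

```python
"""Simulation of amount-as-challenge login, the guessing defence, and session fixation.

Added example, not the project's code. Addresses, sites, amounts and the memo field
are constructed for illustration; amounts are integers in the smallest unit.
"""
import secrets
from dataclasses import dataclass

SERVICE_ADDR = "SERVICE_ADDR"       # constructed placeholders, not real Stellar accounts
ALICE = "ALICE_ADDR"
MALLORY = "MALLORY_ADDR"
SERVICE_SITE = "service.example"    # where the genuine login prompt lives
MALLORY_SITE = "mallory.example"    # where the attacker shows a relayed copy of it


@dataclass(frozen=True)
class Payment:
    source: str          # payer's address; the service learns it from the ledger
    destination: str
    amount: int          # smallest unit, so equality is exact
    memo: str = ""       # assumed tag carried with the payment, for the proposed binding


class AuthService:
    """Service side of the flow: one unique amount per pending login session."""

    def __init__(self, require_memo=False):
        self.require_memo = require_memo    # enforce the proposed {site, session ID} binding
        self.sessions = {}                  # session_id -> {"amount", "payer", "confirmed"}
        self.by_amount = {}                 # outstanding amount -> session_id

    def start_session(self):
        """Return the (session_id, amount, memo) that the prompt shows the user."""
        sid = secrets.token_hex(16)
        amount = secrets.randbelow(10**6) + 1
        while amount in self.by_amount:     # the amount must be unique among open sessions
            amount = secrets.randbelow(10**6) + 1
        self.sessions[sid] = {"amount": amount, "payer": None, "confirmed": None}
        self.by_amount[amount] = sid
        memo = f"{SERVICE_SITE}:{sid}" if self.require_memo else ""
        return sid, amount, memo

    def observe_payment(self, p):
        """Ledger watcher: bind the first matching payment's source to its session."""
        sid = self.by_amount.get(p.amount)
        if p.destination != SERVICE_ADDR or sid is None:
            return None
        if self.require_memo and p.memo != f"{SERVICE_SITE}:{sid}":
            return None                     # payment not bound to this site and session
        s = self.sessions[sid]
        if s["payer"] is None:
            s["payer"] = p.source
        return sid

    def address_to_confirm(self, sid):
        """What the confirmation page shows: the address that paid, or None so far."""
        return self.sessions[sid]["payer"]

    def confirm(self, sid, address):
        """Step 2: whoever holds the browser session confirms the address shown."""
        s = self.sessions[sid]
        if s["payer"] is not None and s["payer"] == address:
            s["confirmed"] = address
        return s["confirmed"]


def pay_prompt(payer, site_in_browser, amount, memo):
    """A careful user (or wallet) pays only if a memo, when present, names the visited site."""
    if memo and memo.split(":", 1)[0] != site_in_browser:
        return None
    return Payment(payer, SERVICE_ADDR, amount, memo)


def honest_login(require_memo=False):
    """Alice starts her own session on service.example, pays, and confirms her address."""
    svc = AuthService(require_memo)
    sid, amount, memo = svc.start_session()
    svc.observe_payment(pay_prompt(ALICE, SERVICE_SITE, amount, memo))
    return svc.confirm(sid, svc.address_to_confirm(sid))


def guessed_amount_attack():
    """Mallory guesses Alice's amount and pays first; Alice is shown a foreign address."""
    svc = AuthService()
    sid, amount, memo = svc.start_session()                              # Alice's session
    svc.observe_payment(Payment(MALLORY, SERVICE_ADDR, amount, memo))    # the lucky guess
    shown = svc.address_to_confirm(sid)
    if shown != ALICE:
        return None                                   # Alice declines; nobody is logged in
    return svc.confirm(sid, shown)


def session_fixation(require_memo=False):
    """Mallory starts the session, shows its prompt on mallory.example, then clicks confirm."""
    svc = AuthService(require_memo)
    sid, amount, memo = svc.start_session()                   # Mallory's browser session
    payment = pay_prompt(ALICE, MALLORY_SITE, amount, memo)   # Alice acts on the relayed prompt
    if payment is not None:
        svc.observe_payment(payment)
    return svc.confirm(sid, svc.address_to_confirm(sid))     # Mallory confirms Alice's address
```

The guessing defence holds only because the confirmation page shows the paying address to the person who started the session; in the fixation case that person is the attacker, so the click meant to protect the victim is the attacker's, and `session_fixation()` returns Alice's address as the logged-in user. With the memo binding switched on, `pay_prompt` refuses because the memo names service.example while Alice is on mallory.example. That check only helps when the victim has a site to compare against: a prompt relayed by e-mail or chat, or served from a convincing lookalike domain, gives the user nothing useful to check, which is one reason to keep looking for a stronger fix than the memo alone. Session expiry and reuse of amounts after completion are not modelled.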


Leaving this window open, send ... STR to ... (...) to authenticate.