Typically, you will not need authentication because these are features that are pretty specific to the BitBadges website. However, in some cases, you may.
The Blockin execution flow is simple:
1) Fetch Challenge
Request a challenge from the POST /api/v0/auth/getChallenge route.
```typescript
const res = await BitBadgesApi.getSignInChallenge({
  chain: "Ethereum",
  address: "0x.....",
  // hours: 168
});

/* res = {
  nonce: "...",
  params: { address: "0x....", expirationDate: "...", ... },
  "blockinMessage": "https://bitbadges.io wants you to sign in with your Ethereum account...."
} */
```
1.5) Edit Challenge
The challenge returned by the API is a base challenge. You can edit certain fields if desired (such as resources, aka scopes, or the expiration time). Certain fields, though, such as uri, domain, statement, and nonce, must remain unchanged.
For scopes, we use the resources field. Specify the following strings (in full) directly in the resources fields for each authorized scope you want. Full Access overrides all of them. Note that we are looking to fine-grain the scopes further in the future. See https://github.com/BitBadges/bitbadges-indexer/blob/master/src/blockin/scopes.ts for the up to date values.
```typescript
// We use a "Label : Explanation" format for the scopes
const SupportedScopes = [
  'Full Access: Full access to all features.',
  'Report: Report users or collections.',
  'Reviews: Create, read, update, and delete reviews.',
  'Read Profile: Read your private profile information. This includes your email, approved sign-in methods, connections, and other private information.',
  'Update Profile: Update your user profile information. This includes your email, approved sign-in methods, connections, and other private information, as well as your public facing profile.',
  'Read Address Lists: Read private address lists on behalf of the user.',
  'Create Address Lists: Create new address lists on behalf of the user (private or public).',
  'Update Address Lists: Update address lists on behalf of the user.',
  'Delete Address Lists: Delete address lists on behalf of the user.',
  'Create Auth Codes: Create new authentication codes on behalf of the user.', // Still need signature for this
  'Read Auth Codes: Read authentication codes on behalf of the user.',
  'Delete Auth Codes: Delete authentication codes on behalf of the user.',
  'Send Claim Alerts: Send claim alerts on behalf of the user.',
  'Read Claim Alerts: Read claim alerts on behalf of the user. Note that claim alerts may contain sensitive information like claim codes, secret IDs, etc.',
  'Create Secrets: Create new secrets on behalf of the user.',
  'Read Secrets: Read secrets on behalf of the user.',
  'Delete Secrets: Delete secrets on behalf of the user.',
  'Update Secrets: Update secrets on behalf of the user.',
  'Read Private Claim Data: Read private claim data on behalf of the user (e.g. codes, passwords, private user lists, etc.).'
];
```
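The following is an added example (not BitBadges SDK code) of the "edit challenge" step: it sets the requested scopes as `resources`, rejects scope strings that are not in the supported list, collapses everything to Full Access when that scope is present, and checks that the fields the docs say must stay consistent were not touched. The `ChallengeParams` shape is assumed from the `params` object shown in step 1, and `KNOWN_SCOPES` is a subset of the list above.

```typescript
// Added example, not part of the BitBadges SDK. The field names below follow the
// params object shown in step 1; anything else about the shape is an assumption.
interface ChallengeParams {
  domain: string;
  uri: string;
  statement: string;
  nonce: string;
  address: string;
  expirationDate: string;
  resources: string[];
}

// Fields the docs say must stay consistent between the fetched and signed challenge.
const FIXED_FIELDS: Array<keyof ChallengeParams> = ["uri", "domain", "statement", "nonce"];

// A subset of the SupportedScopes strings above; the full string must match exactly.
const FULL_ACCESS = "Full Access: Full access to all features.";
const KNOWN_SCOPES = [
  FULL_ACCESS,
  "Report: Report users or collections.",
  "Read Address Lists: Read private address lists on behalf of the user.",
  "Read Secrets: Read secrets on behalf of the user.",
];

// Copy the base challenge, set the requested scopes as `resources`, and optionally
// replace the expiration. Unknown scope strings are rejected rather than passed on,
// so a typo cannot silently turn into a scope the server does not recognise.
function editChallenge(base: ChallengeParams, scopes: string[], expirationDate?: string): ChallengeParams {
  const resources: string[] = [];
  for (const s of scopes) {
    if (KNOWN_SCOPES.indexOf(s) === -1) throw new Error("unsupported scope: " + s);
    if (resources.indexOf(s) === -1) resources.push(s); // de-duplicate
  }
  // Full Access overrides every other scope, so listing the others adds nothing.
  const edited: ChallengeParams = {
    ...base,
    resources: resources.indexOf(FULL_ACCESS) !== -1 ? [FULL_ACCESS] : resources,
  };
  if (expirationDate !== undefined) {
    if (isNaN(Date.parse(expirationDate))) throw new Error("invalid expirationDate");
    edited.expirationDate = expirationDate;
  }
  return edited;
}

// Confirm the fixed fields survived editing; run this before signing the message,
// since a mismatch would otherwise only surface as a failed /api/v0/auth/verify call.
function fixedFieldsUnchanged(base: ChallengeParams, edited: ChallengeParams): boolean {
  return FIXED_FIELDS.every((f) => base[f] === edited[f]);
}
```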
Send the signed message via POST /api/v0/auth/verify. This will grant an Express.js session cookie, valid for the number of hours you specify in the request. The params should match what is returned from Step 2.
```typescript
const res = await BitBadgesApi.verifySignIn({
  chain: "Ethereum",
  message: "https://bitbadges.io wants you to sign in with your....",
  signature: "...."
});
// console.log(res.success)
```
4) Check health of sign in
At any time, you can check the health of the sign-in via POST /api/v0/auth/status.
BitBadges uses Blockin for authenticating users for private and authenticated functionality. See the Blockin documentation for more implementation details. The challenge message should be what you get from step 1. Note that challenges are generated dynamically (nonces differ each time), so you will have to fetch a fresh one for every sign-in.