
Verifying Confirmable Requests

Your user confirmed your action! Or did they?

Before verifying a confirmation request, ensure that you've saved a copy of the user's public key that we sent you when the user logged in. Verification must use that stored key; never take a key from the payload itself. The redirect URI is hit with a single query parameter `payload` that contains a base64-encoded string. You'll want to do the following:

  * Decode the base64-encoded string
  * Convert the string into a JSON object

This would look like the following using the Clef PHP library:

```php
// decode_payload base64-decodes the query parameter and parses the bundle
$payload_bundle = \Clef\Clef::decode_payload($_REQUEST["payload"]);
// payload_json is the string that was signed; parse it only to read fields,
// and act on nothing in it until the signatures below have been verified
$signed_payload = json_decode($payload_bundle["payload_json"], true);
```

With this object in hand, you'll need to verify the signatures associated with this payload (there should be a user signature object and an application signature object). You do this by checking the signature in each signature object with the algorithm named in its `type` property. The application signature will always be present. If the user's signature is missing, the user has not agreed to confirm the action you specified: treat the request as declined, not as confirmed. Reading `clef_id` from the unverified payload is acceptable only for looking up which stored public key to verify against; everything else in the payload is untrusted until the check passes.

Checking these signatures using the Clef PHP library looks like this:

```php
// look up the key you stored at login for this Clef user
$user = User::find_by_clef_id($signed_payload["clef_id"]);
// verifies the application and user signatures over payload_json
\Clef\Clef::verify_custom_payload($payload_bundle, $user->public_key);
```

Only Supported in PHP Library (warning): Currently, only our PHP library has out-of-the-box support for withdrawal confirmations. Check it out on [Github](https://github.com/clef/clef-php/tree/custom-actions#verifying-the-user-signed-payload-after-a-user-confirms-login-1).
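To make the check concrete, here is an added example of the full verification path written against PHP's built-in OpenSSL functions. It is not code from this page or from the clef-php library. It assumes a bundle shape of `{"payload_json": "...", "signatures": {"application": {...}, "user": {...}}}`, that each signature object is `{"signature": "<base64>", "type": "rsa-sha256"}` over the exact bytes of `payload_json`, and that the application signature is checked with the application's own public key; none of those details are stated on the page. The keys and the sample payload are constructed inline. The example goes a step beyond the page's snippet by running the confirmed, declined and tampered cases side by side.

```php
<?php
// Added example, not clef-php library code. Assumed (not from the page):
//   bundle = {"payload_json": str, "signatures": {"application": sig, "user": sig}}
//   sig    = {"signature": base64(RSA signature over payload_json), "type": "rsa-sha256"}
//   the application signature verifies against the application's own public key.

const SIGNATURE_ALGORITHMS = ['rsa-sha256' => OPENSSL_ALGO_SHA256]; // assumed type name

class ConfirmationError extends RuntimeException {}

// Verify one signature object against a PEM public key; throws on any failure.
function verify_one_signature(string $payload_json, array $sig, string $public_key_pem): void
{
    if (!isset($sig['signature'], $sig['type'])) {
        throw new ConfirmationError('malformed signature object');
    }
    $algo = SIGNATURE_ALGORITHMS[$sig['type']] ?? null;
    if ($algo === null) {
        throw new ConfirmationError('unsupported signature type: ' . $sig['type']);
    }
    $raw = base64_decode($sig['signature'], true); // strict: reject stray characters
    $key = openssl_pkey_get_public($public_key_pem);
    if ($raw === false || $key === false) {
        throw new ConfirmationError('bad signature encoding or public key');
    }
    // openssl_verify returns 1 (valid), 0 (invalid) or -1/false (error): only 1 passes.
    if (openssl_verify($payload_json, $raw, $key, $algo) !== 1) {
        throw new ConfirmationError('signature check failed');
    }
}

// Returns the signed payload only after BOTH signatures verify. A missing user
// signature means the user did not confirm and is reported as a rejection.
function verify_confirmation(string $payload_b64, string $user_public_key_pem, string $app_public_key_pem): array
{
    $bundle_json = base64_decode($payload_b64, true);
    $bundle = $bundle_json === false ? null : json_decode($bundle_json, true);
    if (!is_array($bundle) || !isset($bundle['payload_json'], $bundle['signatures'])) {
        throw new ConfirmationError('malformed payload bundle');
    }
    $sigs = $bundle['signatures'];
    if (!isset($sigs['application'])) {
        throw new ConfirmationError('application signature missing');
    }
    verify_one_signature($bundle['payload_json'], $sigs['application'], $app_public_key_pem);
    if (!isset($sigs['user'])) {
        throw new ConfirmationError('user did not confirm the action');
    }
    verify_one_signature($bundle['payload_json'], $sigs['user'], $user_public_key_pem);
    $payload = json_decode($bundle['payload_json'], true);
    if (!is_array($payload)) {
        throw new ConfirmationError('payload_json is not a JSON object');
    }
    return $payload; // trusted from here on
}

// Build an assumed-shape signature object with a private key (test helper only).
function sign_with(string $payload_json, $private_key): array
{
    openssl_sign($payload_json, $raw, $private_key, OPENSSL_ALGO_SHA256);
    return ['signature' => base64_encode($raw), 'type' => 'rsa-sha256'];
}

function demo(): void
{
    $opts = ['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA];
    $app_key = openssl_pkey_new($opts);
    $user_key = openssl_pkey_new($opts);
    $app_pub = openssl_pkey_get_details($app_key)['key'];   // stored by the application
    $user_pub = openssl_pkey_get_details($user_key)['key']; // stored at login, per the page

    // Constructed sample payload; fields other than clef_id are illustrative.
    $payload_json = json_encode(['clef_id' => 12345, 'action' => 'withdraw', 'amount' => '250.00']);
    $app_sig = sign_with($payload_json, $app_key);
    $cases = [
        'confirmed' => ['payload_json' => $payload_json,
                        'signatures' => ['application' => $app_sig, 'user' => sign_with($payload_json, $user_key)]],
        'declined'  => ['payload_json' => $payload_json,
                        'signatures' => ['application' => $app_sig]],
    ];
    // Tampered: both signatures were made over the original, then payload_json is altered.
    $cases['tampered'] = $cases['confirmed'];
    $cases['tampered']['payload_json'] = json_encode(['clef_id' => 12345, 'action' => 'withdraw', 'amount' => '999999.00']);

    foreach ($cases as $name => $bundle) {
        try {
            $p = verify_confirmation(base64_encode(json_encode($bundle)), $user_pub, $app_pub);
            echo "$name: OK, clef_id={$p['clef_id']} amount={$p['amount']}\n";
        } catch (ConfirmationError $e) {
            echo "$name: REJECTED ({$e->getMessage()})\n";
        }
    }
}

demo();
```

Run it with `php verify_confirmation.php`; the first case succeeds and the other two are rejected with the reason. The design point is that the caller never sees a decoded payload unless both checks passed, so there is no code path in which a declined or altered request can be mistaken for a confirmed one.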