How to do it…

  1. Every DApp authenticates and authorizes its users by their Ethereum address. The address is the key to accessing a decentralized application built on Ethereum.
  2. Consider the example of CryptoKitties, a popular crypto collectable game built on Ethereum. The application identifies the user using their Ethereum address. A user can purchase kitties using their address and the ownership of the asset will be transferred to them.
  3. The application lists all the kitties owned by the currently logged-in address on a different page. You can easily track the assets using the address:

     // IDs of the kitties owned by each address
     mapping(address => uint[]) kitties;

     // Read-only lookup of the kitties owned by _owner
     function getKitties(address _owner) public view returns (uint[] memory) {
         return kitties[_owner];
     }

  4. Any tasks involving the kitties can only be performed by their respective owners. This ensures proper authentication:

     // Current owner of each kitty ID
     mapping(uint => address) kittyToOwner;

     // Reverts unless the caller owns kitty _id
     modifier onlyOwner(uint _id) {
         require(kittyToOwner[_id] == msg.sender);
         _;
     }

     function transfer(uint _id, address _to) public onlyOwner(_id) {
         // Code to transfer the kitty
     }

  5. Similar procedures are followed throughout smart contracts to achieve authentication and authorization in the Ethereum DApp.
  6. Since an account can sign data externally, without submitting a transaction, you can use such signatures for other methods of authentication.
  7. For example, use the ecrecover function to recover the signing address from the hash of the signed data and its signature values (v, r, s). This allows anyone to verify the origin of the signed data and thereby authenticate the address:

     ecrecover(hash, v, r, s);

  8. You can use key files generated for each account as a method of authentication. Successful unlocks can be considered as a proper authentication and the address used can be assigned to the logged-in user.
  9. In an Ethereum DApp, authorization for actions performed happens mostly in the smart contract, and the private key acts as the authenticator. Some additional layer of security can be implemented as per the application's requirements. It finally boils down to the targeted users and the type of interactions they have with the application.
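
The ecrecover-based authentication described above, written out as an added example that is not part of the original text: a contract that accepts an off-chain signature and rejects replayed, malleable, or invalid ones. The contract name, function names, and digest layout are assumptions chosen for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example: SignedAuth, digestFor and authenticate are hypothetical names.
contract SignedAuth {
    // Per-signer counter so a captured signature cannot be replayed.
    mapping(address => uint256) public nonces;

    // secp256k1 curve order divided by 2. Signatures with a larger s have a
    // second valid form for the same message, so only the low half is accepted.
    uint256 private constant HALF_N =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    event Authenticated(address indexed signer, bytes32 action);

    // Digest the user signs off-chain. It is bound to this chain, this
    // contract, the claimed signer, the action and the signer's current nonce,
    // so the signature is useless anywhere else.
    function digestFor(address signer, bytes32 action) public view returns (bytes32) {
        bytes32 inner = keccak256(
            abi.encode(block.chainid, address(this), signer, action, nonces[signer])
        );
        // Prefix that wallets add when signing a 32-byte message (personal_sign).
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", inner));
    }

    function authenticate(address signer, bytes32 action, uint8 v, bytes32 r, bytes32 s)
        external
    {
        require(v == 27 || v == 28, "bad v");
        require(uint256(s) <= HALF_N, "malleable s");

        address recovered = ecrecover(digestFor(signer, action), v, r, s);
        // ecrecover returns address(0) for an invalid signature instead of
        // reverting, so the zero address must be rejected explicitly.
        require(recovered != address(0) && recovered == signer, "bad signature");

        nonces[signer] += 1; // consume the nonce: this signature is now spent
        emit Authenticated(signer, action);
    }
}
```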