Today I would like to explain how does risitasApp deal with login, and to which degree does it ask for permissions to keychain.
To this day, Hive Keychain is the only login method available.
Keychain is a secured encrypted wallet for Hive. However Keychain can do more than just storing keys: it can also broadcast directly operations to the HIVE blockchain and sign transactions offchain.
First of all, I would like to clarify that risitasApp login mimics the login mechanics of the official UI.
The login mechanics consists of signing a string that consists of: hive account + timestamp
Then you take this string and sign it with your PrivateKey. We do this requesting Keychain to do the signing with requestSignBuffermethod. This method is available here: https://github.com/hive-keychain/hive-keychain-extension#requestsignbuffer
Once thesignatureis ready, it is sent to the backend for verification along with the unsigned string.
The verification takes place by checking the signature against the public key of the account. The last verification is checking that time timestamp is not older than 5 minutes.
Most importantly, the signature is requested with your POSTING key.