Server-side processing
There are a few things to check when receiving SignedResponse data (blisache_message and blisache_signature) on your backend's processing endpoint.
First, verify blisache_message against blisache_signature to be sure the message has not been tampered with. You can either:
- Download the Blisache public keys from the get public key endpoint and verify the signature yourself.
- Send your SignedResponse to the verify signature endpoint and get a success or error response.
Then base64 decode blisache_message to get the raw JSON response. That JSON response deserializes to either BlisacheResponse<T>, T being dependent on the called endpoint, or BlisacheErrorResponse if an error happened.
In both cases there will be action, result and timestamp fields. Check that action matches your intent, that result is a success and that timestamp is not too old. What counts as too old is up to you, but the general idea is to protect against replay attacks: a validly signed response captured earlier could otherwise be submitted again.
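The checks above carried through in one function, as an added example written for this page rather than code from Blisache. It assumes an Ed25519 public key (the page does not name the algorithm), that blisache_signature is base64 over the blisache_message string exactly as received, that result is the string "success" on success, and that timestamp is Unix seconds; DemoPub, DemoPriv and SignForDemo are constructed stand-ins for Blisache's own key and signer so the code runs offline.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

type Envelope struct { // the fields the page says both BlisacheResponse<T> and BlisacheErrorResponse carry
	Action    string `json:"action"`
	Result    string `json:"result"`    // assumed: literally "success" when the call succeeded
	Timestamp int64  `json:"timestamp"` // assumed: Unix seconds
}

// VerifySignedResponse checks signature, decoding, action, result and freshness, in that order. pubKey comes from
// the "get public key" endpoint (Ed25519 assumed); signature is assumed base64 over the blisache_message string as received.
func VerifySignedResponse(pubKey ed25519.PublicKey, message, signature, wantAction string, now time.Time, maxAge time.Duration) (*Envelope, error) {
	sig, errSig := base64.StdEncoding.DecodeString(signature)
	raw, errMsg := base64.StdEncoding.DecodeString(message)
	if errSig != nil || errMsg != nil {
		return nil, fmt.Errorf("blisache_signature or blisache_message is not valid base64")
	}
	// Check the signature before interpreting anything, so tampered data is never parsed.
	if !ed25519.Verify(pubKey, []byte(message), sig) {
		return nil, fmt.Errorf("blisache_signature does not match blisache_message")
	}
	var env Envelope
	if err := json.Unmarshal(raw, &env); err != nil {
		return nil, fmt.Errorf("decoded message is not JSON: %w", err)
	}
	switch {
	case env.Action != wantAction:
		return nil, fmt.Errorf("action %q does not match intent %q", env.Action, wantAction)
	case env.Result != "success":
		return nil, fmt.Errorf("result is %q, not success", env.Result)
	case now.Sub(time.Unix(env.Timestamp, 0)) > maxAge: // validly signed but old is what a replay looks like
		return nil, fmt.Errorf("timestamp %d is older than the %s replay window", env.Timestamp, maxAge)
	}
	return &env, nil
}

// DemoPub/DemoPriv: a locally generated key pair standing in for Blisache's (constructed for this example).
var DemoPub, DemoPriv, _ = ed25519.GenerateKey(nil)
// SignForDemo stands in for Blisache's signer (constructed for this example) so the checks run offline.
func SignForDemo(priv ed25519.PrivateKey, rawJSON []byte) (message, signature string) {
	message = base64.StdEncoding.EncodeToString(rawJSON)
	return message, base64.StdEncoding.EncodeToString(ed25519.Sign(priv, []byte(message)))
}
```

Rejecting the message before JSON parsing keeps the decoder from ever running on unauthenticated input; the replay window is the only tunable, and it should be as short as your clock skew allows.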