Peeps by @dietz
A pragmatic approach to developing and #shipping a production-grade #ÐApp https://medium.com/@waya.ai/a-real-world-overview-to-developing-and-shipping-a-production-grade-%C3%B0app-the-pragmatic-approach-7efaa4a47d84 @blockimmo https://blockimmo.ch
We submitted our #DApp to #devcon4 #uxdesign awards today! Here's a sneak peek of our submission. Try out our transaction experience at https://blockimmo.ch @blockimmo @abcoathup
15) Feel free to try out our platform at https://blockimmo.ch. After onboarding, you can invest in commercial #RealEstate and our #STO (coming soon)! https://medium.com/blockimmo/investing-in-commercial-real-estate-with-blockimmo-4420ad96f759

14) Authenticating our users this way has really simplified things because at all layers of our stack we identify users with their fundamental identity - their public wallet address. This is becoming more and more common in #dapps. Notably @Peepeth and @CryptoKitties.
13) Upon successful authentication, the user is authenticated with their Cognito federated identity (mapped to their wallet address), and temporary, limited-privilege credentials attached to this identity grant them access to other AWS services and their resources.
12) This builds on the strength of asymmetric #encryption / SHA-256 as well as AWS's solid, battle-tested services #AWS #security. Replay, MITM, and #DDoS attacks are prevented by authenticating in this way.
11) This allows the message the user signed to be constructed 'server'-side, with no user input (prevents spoofing), and the signature can then be decoded 'server'-side to obtain the public address that generated this signature.
10) With AWS IAM Authorization, any requests to this endpoint with invalid credentials 403, and valid requests invoke the lambda function which can access the credentials used to invoke it in the caller context.
9) This message includes the temporary (unauthenticated) credentials the user was granted upon navigating to https://blockimmo.ch. These credentials are also required to invoke our #Serverless authenticates endpoint (a simple #lambda function behind API gateway).
8) However, we realized there was a simpler, bulletproof solution to authenticate our users, their wallet! Users log in to our #dapp by signing a message (usually via @metamask_io which supports both @LedgerHQ and @Trezor, but @ethstatus and Mist are also supported).
7) We initially built this around #decentralized #Identity providers, but this required users to download another app and made the #ux worse without much added value. And we had a bad gut feeling trusting them with such a critical role in our platform.
6) Secure login and #authentication was a priority of ours since day one. A social identity provider like Facebook or Google was never an option or seriously considered, but we wanted to avoid managing usernames and passwords.
5) Upon visiting https://blockimmo.ch, temporary unauthenticated #AWS credentials are granted to the user that enable some generic actions like browsing #RealEstate listings and logging in.
4) Making this process as solid and #secure as possible is extremely important. In this thread, I'll describe how we did this by building on the strengths of both centralized and #decentralized infrastructure.
3) Before adding an address to our on-chain whitelist, the user's source of funds and identity must be verified and they must prove that the address belongs to them. This means sensitive user data is collected and stored as users are on-boarded to our platform. #onboarding
1) A challenge of being a regulated platform in the #tokenized assets / securities space is complying with the #KYC / #AML requirements of the regulating jurisdiction (in @blockimmo's case the triple-a jurisdiction of Switzerland / Liechtenstein, the #cryptovalley).
2) Our security #tokens are coded with regulatory compliance at the #ethereum #smartcontract level, and only whitelisted wallets may own them. Regulations require that at any given time the owner of a specific token can be properly identified if necessary.