Example code for Homing Space
This page contains 3 files that a merchant's tech team has to create; in order to welcome Homing Space users onto their website! The 3 files we wrote are in PHP, but you can use any suitable language.
Read the technical documentation on how and when to use these three files.
This is the first file. Let's call this "merchant.php"
It contains the form with practically just TWO input form. The first input asks for the user's persona username. The second one is hidden or read-only. It's value would be a specially formatted string that contains the scope names (explained in the tech documentation)
You MUST state clearly the Homing Space username of the person whos keys were used to manage this entry into your website. Why? Because that name would be presented to the user coming in and he/she should not get confused.
If you want you can also add recaptcha into this form; if you think hackers are going to keep submitting this form. But NEVER ask for any other inputs from the user -- especially password!
This actually contains the main business logic. Let us call this "homingentry-sign.php"
This file is the "action" for the first file. This file uses the libsodium (NaCL) library to do the cryptographic signing, etc.
The following is the 3rd file -- the end point which the user eventually comes to (once he/she is authenticated) This file is the one that finally takes the person into the merchant's website.
In this example we are merely showing the $_GET and $_POST variables. that are available here.
Obviously this endpoint is a serious piece of code for your website -- you would need to check your special OTP that got passed here, you may need to chedck the fingerprint of the user (in case he/she had come with another persona username), dataase activities, Session cookie activities and so on.
In case of mobile-apps, you would need to redirect the browser to open your app on the phone.
In case the website is working on a regular computer, then the job of this particular code is to give a special numeric OTP displayed on the screen of the browser -- so that the user can then enter that into his computer, and get inside!
VERY IMPORTANT: The full URL of this endpoint MUST be given in the second file, if the browser has to return back here!