spruceid / siwe-go
A Go implementation of EIP-4361 Sign In With Ethereum verification
License: Apache License 2.0
When you have a parsing issue on `PrepareMessage()` you get an `Expired Message` message.
It is very funny that the parse message function cannot parse internally built messages. I also tried to run the test case swie_test.go, but it cannot pass. This repo is open to the public. Weird.
```go
message, err := siwe.InitMessage("example.com", "0x71C7656EC7ab88b098defB751B7401B5f6d8976F", "https://example.com", "2", map[string]interface{}{})
assert.Nil(t, err)
assert.Equal(t, "2", message.GetNonce())
//fmt.Print(message.String())
// verify nonce
resMessage, err := siwe.ParseMessage(message.String())
assert.Nil(t, err)
assert.Nil(t, message, resMessage)
```
The above code gets an error, really interesting.
I get the below error while importing the library using `go get -u github.com/spruceid/siwe-go`
```
github.com/spruceid/siwe-go imports
github.com/ethereum/go-ethereum/crypto imports
github.com/btcsuite/btcd/btcec/v2/ecdsa tested by
github.com/btcsuite/btcd/btcec/v2/ecdsa.test imports
github.com/btcsuite/btcd/chaincfg/chainhash: ambiguous import: found package github.com/btcsuite/btcd/chaincfg/chainhash in multiple modules:
github.com/btcsuite/btcd v0.20.1-beta (/Users/aniket/go/pkg/mod/github.com/btcsuite/btcd@v0.20.1-beta/chaincfg/chainhash)
github.com/btcsuite/btcd/chaincfg/chainhash v1.0.1 (/Users/aniket/go/pkg/mod/github.com/btcsuite/btcd/chaincfg/chainhash@v1.0.1)
```
Can someone suggest a fix for this?
We should make sure the terms validation and verification are used consistently. We should validate a SIWE message when it is parsed or created. Validation includes schema validation and making sure the message complies with EIP-4361 spec. Verification means the EIP-191 signature is correct and is verified against a given optional domain, timestamp, nonce etc.
For this, I propose we do the following for validation:
As a result of the validation above, it should not be possible to get a SIWE message that is invalid. Then verification includes the following:
Hi,
Arthur from tally here. We use 'siwe-go' in the backend to authenticate SIWE requests. We noticed that it did not seem to work for users signing with Ledger+Metamask. I've put together some unit tests that duplicate the error.
You'll see that the javascript tests validate the signature, but the go tests for the same signature do not. We're not super familiar with how the cryptography works here. Do you know what the problem might be? We're looking for some help to fix the issue.
Happy to provide more context if that's helpful!
Tldr: I'm trying to sign (siwe) with my ledger at the tally website and got some errors. I was able to narrow down that it works on the JS code (worked on https://login.xyz) but it's not working with .GO
I put all replicable steps here:
https://github.com/afa7789/siwe-go
I have a question regarding siwe-go's error implementation. I am having difficulty debugging when there's some parsing/serialization error when using `siwe.ParseMessage`; this is mainly because the `Error()` implementation hides the specific error message.
Specifically, if I initialize using something like:
```go
msg, err := siwe.InitMessage(
	challengeReq.Domain,
	challengeReq.Identifier,
	challengeReq.URI,
	"some-random-version", // incorrect siwe message version
	msgOptions,
)
```
Then try to parse it using `siwe.ParseMessage`, it will return an error `Invalid Message` without explicitly specifying which part of the message is invalid. In this case, I think I should have a way to get `Message could not be parsed` message from the error since the regex validation failed.
I want to try to open a discussion here on how to handle this. But there are generally 2 things that I think we need to address:
`Error()` implementation.
For (1), I think since `siwe` already has Error types such as `ExpiredMessage`, `InvalidMessage`, `InvalidSignature`, we can just make the error string public so that developers can type cast the error into one of these types and see the string message for themselves.
For (2), a way that I think should work is to break apart the `regexp.Regexp` validation into smaller `regexp.Regexp` so that we can find out exactly where the expression fails.
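The two ideas in the issue above (an error type whose details callers can read, and one small pattern per field), sketched as an added example that is not siwe-go's code and not part of the original issue. `InvalidMessage`, `ValidateFields`, the patterns and the sample are hypothetical, and only the tagged `Name: value` lines are checked, not the full EIP-4361 grammar.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// InvalidMessage is a hypothetical typed error (not siwe-go's own) with exported details.
type InvalidMessage struct{ Field, Reason string }

func (e *InvalidMessage) Error() string { return "invalid message: " + e.Field + ": " + e.Reason }

// One small pattern per tagged field (EIP-4361 rules) instead of one big expression.
var rules = []struct{ name string; re *regexp.Regexp }{
	{"URI", regexp.MustCompile(`^[a-zA-Z][a-zA-Z0-9+.-]*:\S+$`)},
	{"Version", regexp.MustCompile(`^1$`)},
	{"Chain ID", regexp.MustCompile(`^[0-9]+$`)},
	{"Nonce", regexp.MustCompile(`^[a-zA-Z0-9]{8,}$`)},
}

// ValidateFields reports the first required "Name: value" field that is missing or malformed.
func ValidateFields(msg string) error {
	values := map[string]string{}
	for _, line := range strings.Split(msg, "\n") {
		if k, v, ok := strings.Cut(line, ": "); ok {
			values[k] = v
		}
	}
	for _, r := range rules {
		if v, ok := values[r.name]; !ok {
			return &InvalidMessage{r.name, "missing"}
		} else if !r.re.MatchString(v) {
			return &InvalidMessage{r.name, fmt.Sprintf("%q does not match %s", v, r.re)}
		}
	}
	return nil
}

// Constructed sample: tagged fields of a message built with a wrong version.
const sample = "URI: https://example.com\nVersion: some-random-version\nChain ID: 1\nNonce: abcdefgh12345678"

func main() {
	var im *InvalidMessage
	if errors.As(ValidateFields(sample), &im) {
		fmt.Println("failed field:", im.Field, "-", im.Reason)
	}
}
```

Because the error is a pointer to an exported struct, `errors.As` still recovers the failing field if a caller wraps it with `fmt.Errorf("...: %w", err)`.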
The "latest" tagged release, `0.2.0`, does not include the fix for messages signed using a Ledger (#19).
We should cut a new release so folks don't accidentally pull in the tagged release without the fix.