Verify SIWE signature via ECDSA recovery #170
Merged
Conversation
siwe verify only length-checked the signature and trusted the Address line in the message, so anyone could mint a JWT for any address by quoting it (request a nonce for the victim, build a message, send any 132-char signature). Recover the signer from the EIP-191 personal_sign signature with k256 + keccak256 and require it to equal the asserted address before issuing a token; the nonce check (single-use) stays. Adds round-trip + malformed-signature unit tests, and updates the e2e suite to sign with a real key (and assert a forged signature is now rejected with 401).
What
Closes the auth bypass in SIWE verification.
verify_siwe only length-checked the signature and trusted the Address: line in the message — so anyone could mint a JWT for any address: request a nonce for the victim, build a message quoting their address, and send any 132-char signature.
How
Recover the signer from the EIP-191 personal_sign signature (k256 ECDSA recovery + keccak256) and require it to equal the address asserted in the message before issuing a JWT. The single-use nonce check stays. The FE already signs SIWE with personal_sign, so the live flow is unaffected.
Test
Notes
SETTLEMENT_PLACEHOLDER) with a 0x0000 fallback, so strict server-side order verification would reject real orders. It needs the finalized settlement-contract domain shared with the FE — tracked as a follow-up. Orders remain authenticated by the JWT, which now requires a real wallet signature to obtain.
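The recovery check described under How, as an added stand-alone illustration (not code from this PR or its repository): a pure-Python reimplementation of the EIP-191 personal_sign digest, secp256k1 ECDSA signing and public-key recovery, and the SIWE check that compares the recovered signer with the address the message asserts. The PR itself uses the k256 and keccak256 crates; the toy curve and hash code here exist only to make the example self-contained and runnable offline and are not for production use. The Address: line format, the demo keys, the deterministic demo nonce and the example.test message are constructed assumptions. run_demo() exercises the cases the PR describes: a forged 132-character string that the old length-only check accepted, a genuine signature by the address owner, and a genuine signature by a different key over a message quoting the victim's address.

```python
# Added example, not the project's code: EIP-191 personal_sign verification by ECDSA public-key
# recovery, in pure Python so it runs offline. Toy curve and hash code for illustration only.
_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
_G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
      0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
_M64 = (1 << 64) - 1

def _keccak_f1600(L):  # Keccak-f[1600]; L[x][y] are 64-bit lanes, laid out as in the reference code
    rol = lambda a, n: ((a << (n % 64)) | (a >> (64 - n % 64))) & _M64
    R = 1
    for _ in range(24):
        C = [L[x][0] ^ L[x][1] ^ L[x][2] ^ L[x][3] ^ L[x][4] for x in range(5)]
        D = [C[(x + 4) % 5] ^ rol(C[(x + 1) % 5], 1) for x in range(5)]
        L = [[L[x][y] ^ D[x] for y in range(5)] for x in range(5)]              # theta
        x, y, cur = 1, 0, L[1][0]
        for t in range(24):                                                    # rho + pi
            x, y = y, (2 * x + 3 * y) % 5
            cur, L[x][y] = L[x][y], rol(cur, (t + 1) * (t + 2) // 2)
        for y in range(5):                                                     # chi
            T = [L[x][y] for x in range(5)]
            for x in range(5):
                L[x][y] = T[x] ^ (~T[(x + 1) % 5] & T[(x + 2) % 5])
        for j in range(7):                                                     # iota
            R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256
            if R & 2:
                L[0][0] ^= 1 << ((1 << j) - 1)
    return L
def keccak256(data: bytes) -> bytes:  # Ethereum's Keccak-256: original 0x01 padding, rate 136 bytes
    L, buf = [[0] * 5 for _ in range(5)], bytearray(data) + b"\x01" + b"\x00" * (-(len(data) + 1) % 136)
    buf[-1] |= 0x80
    for off in range(0, len(buf), 136):
        for i in range(17):
            L[i % 5][i // 5] ^= int.from_bytes(buf[off + 8 * i:off + 8 * i + 8], "little")
        L = _keccak_f1600(L)
    return b"".join(L[i][0].to_bytes(8, "little") for i in range(4))

def _ec_add(P, Q):  # affine secp256k1 addition; None is the point at infinity
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % _P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, _P) if P == Q else (y2 - y1) * pow(x2 - x1, -1, _P)) % _P
    x3 = (lam * lam - x1 - x2) % _P
    return x3, (lam * (x1 - x3) - y1) % _P
def _ec_mul(k, P):  # double-and-add scalar multiplication
    R = None
    while k:
        R, P, k = (_ec_add(R, P) if k & 1 else R), _ec_add(P, P), k >> 1
    return R

def address_of(pub) -> str:  # Ethereum address: last 20 bytes of keccak256(X || Y)
    return "0x" + keccak256(pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big"))[12:].hex()
def address_from_private(priv: int) -> str:
    return address_of(_ec_mul(priv, _G))
def eip191_hash(message: str) -> bytes:  # personal_sign digest: keccak256("\x19Ethereum Signed Message:\n" + len + msg)
    return keccak256(b"\x19Ethereum Signed Message:\n" + str(len(message.encode())).encode() + message.encode())
def sign_personal(priv: int, message: str) -> str:  # what the wallet does: 0x || r || s || v, v in {27, 28}, low s
    h = eip191_hash(message)
    k = int.from_bytes(keccak256(priv.to_bytes(32, "big") + h), "big") % _N   # demo nonce, not RFC 6979
    rx, ry = _ec_mul(k, _G)
    s, recid = pow(k, -1, _N) * (int.from_bytes(h, "big") + rx * priv) % _N, ry & 1
    if s > _N // 2:                                                          # EIP-2 low-s normalisation;
        s, recid = _N - s, recid ^ 1                                         # negating s flips R's y parity
    return "0x" + (rx % _N).to_bytes(32, "big").hex() + s.to_bytes(32, "big").hex() + f"{27 + recid:02x}"
def recover_address(message: str, sig_hex: str) -> str:  # raises ValueError on anything malformed
    sig = bytes.fromhex(sig_hex[2:] if sig_hex.startswith("0x") else sig_hex)
    r, s, v = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:64], "big"), sig[64:]
    if len(sig) != 65 or v not in (b"\x1b", b"\x1c") or not 1 <= r < _N or not 1 <= s <= _N // 2:
        raise ValueError("malformed signature: bad length, v, r or s")
    y = pow((pow(r, 3, _P) + 7) % _P, (_P + 1) // 4, _P)                    # sqrt(r^3 + 7); p = 3 mod 4
    if pow(y, 2, _P) != (pow(r, 3, _P) + 7) % _P:
        raise ValueError("r is not the x-coordinate of a curve point")
    y = y if (y & 1) == v[0] - 27 else _P - y                                # v selects which root is R.y
    z, r_inv = int.from_bytes(eip191_hash(message), "big"), pow(r, -1, _N)
    pub = _ec_add(_ec_mul(s * r_inv % _N, (r, y)), _ec_mul(-z * r_inv % _N, _G))  # Q = r^-1 (sR - zG)
    if pub is None:
        raise ValueError("recovered the point at infinity")
    return address_of(pub)

def verify_siwe(message: str, sig_hex: str) -> bool:
    """The fixed check: the signer recovered from the signature must equal the address the message asserts."""
    claimed = [ln for ln in message.splitlines() if ln.startswith("Address:")]  # line format assumed for the demo
    try:
        return len(claimed) == 1 and recover_address(message, sig_hex) == claimed[0].split(":", 1)[1].strip().lower()
    except ValueError:
        return False

def run_demo() -> dict:  # constructed demo keys (from fixed strings, not real wallets) and a SIWE-style message
    victim, attacker = (int.from_bytes(keccak256(s), "big") % _N for s in (b"demo victim key", b"demo attacker key"))
    msg = f"example.test wants you to sign in:\nAddress: {address_from_private(victim)}\nNonce: 8f3a1c2e\n"
    forged = "0x" + "11" * 64 + "1b"              # any 132-char string passed the old length-only check
    return {
        "old_length_check_accepts_forged": len(forged) == 132,
        "victim_signature_accepted": verify_siwe(msg, sign_personal(victim, msg)),
        "forged_signature_accepted": verify_siwe(msg, forged),
        "attacker_signing_victim_message_accepted": verify_siwe(msg, sign_personal(attacker, msg)),
    }
```

The structural checks in recover_address (65 bytes, v in {27, 28}, 1 ≤ r < n, low s) are the kind of input the PR's malformed-signature unit tests target; the low-s bound (EIP-2) also removes signature malleability, so one message cannot yield two distinct accepted signatures. The single-use nonce check the PR keeps is not modelled here and stays a separate step in front of this comparison.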