Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: Domain only validation doesn't work for custom schemes #205

Merged
merged 13 commits into from
Oct 31, 2024
Merged

Bug: Domain only validation doesn't work for custom schemes #205

merged 13 commits into from
Oct 31, 2024

Conversation

mattheworris
Copy link
Contributor

Problem

Closes #200

@mattheworris mattheworris linked an issue Oct 28, 2024 that may be closed by this pull request
Bug: Domain only validation doesn't work for custom schemes #200
Closed
@mattheworris
Merge branch 'main' into 200-bug-domain-only-validation-doesnt-work-f…
a332dc1 
…or-custom-schemes
@mattheworris
Merge branch 'main' of github.com:ProjectLibertyLabs/siwf into 200-bu…
9312f42 
…g-domain-only-validation-doesnt-work-for-custom-schemes
@mattheworris
Merge branch '200-bug-domain-only-validation-doesnt-work-for-custom-s…
c0f3043 
…chemes' of github.com:ProjectLibertyLabs/siwf into 200-bug-domain-only-validation-doesnt-work-for-custom-schemes
@mattheworris
fix: lint errors
c85b0a3
@mattheworris mattheworris requested a review from wilwade October 29, 2024 13:54
@mattheworris mattheworris marked this pull request as ready for review October 29, 2024 13:54
wilwade
wilwade requested changes Oct 29, 2024
View reviewed changes
Copy link
Contributor

@wilwade wilwade left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Few fixes and questions, but I think the core validation logic is correct.

libraries/js/src/mocks/payloads.ts Outdated Show resolved Hide resolved
libraries/js/src/mocks/payloads.ts Outdated Show resolved Hide resolved
libraries/js/src/payloads.ts Outdated Show resolved Hide resolved
libraries/js/src/payloads.ts Outdated Show resolved Hide resolved
libraries/js/src/payloads.ts Outdated Show resolved Hide resolved
libraries/js/src/payloads.ts Outdated Show resolved Hide resolved
libraries/js/src/payloads.ts Outdated Show resolved Hide resolved
libraries/js/src/payloads.ts Outdated Show resolved Hide resolved
mattheworris
mattheworris commented Oct 30, 2024
View reviewed changes
libraries/js/src/mocks/payloads.ts
}

// Setup now so that it is consistent for the entire test run
const now = Date.now();

const loginMessageGood = (domain: string) =>
const loginMessageUrl = (url: string) =>
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Allows to build test cases with different urls

mattheworris
mattheworris commented Oct 30, 2024
View reviewed changes
libraries/js/src/mocks/payloads.ts
signature: {
algo: 'SR25519',
encoding: 'base16',
encodedValue: u8aToHex(ExampleUserKey.keyPair().sign(loginMessageGood(domain))),
encodedValue: u8aToHex(ExampleUserKey.keyPair().sign(loginMessageGood())),
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

domain will always match the URI in the test cases

mattheworris
mattheworris commented Oct 30, 2024
View reviewed changes
libraries/js/src/payloads.ts
@@ -25,6 +25,19 @@ interface SiwxMessage {
uri: string;
}

/**
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added: helpful for hover over in IDE

mattheworris
mattheworris commented Oct 30, 2024
View reviewed changes
libraries/js/src/response.test.ts Outdated
@@ -19,7 +19,9 @@ describe('getLoginResult', () => {
text: () => Promise.resolve('MOCK'),
} as any);

await expect(getLoginResult('fakeAuthCode', { loginMsgDomain: 'localhost' })).to.resolves.toMatchObject(example);
await expect(
getLoginResult('fakeAuthCode', { loginMsgUri: 'testnet.frequencyaccess.com' })
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

localhost changed in ExampleLogin()

@mattheworris mattheworris force-pushed the 200-bug-domain-only-validation-doesnt-work-for-custom-schemes branch from 94c3b34 to 06f5b0d Compare October 30, 2024 19:24
@mattheworris mattheworris requested a review from a team October 30, 2024 20:11
@mattheworris mattheworris self-assigned this Oct 30, 2024
JoeCap08055
JoeCap08055 reviewed Oct 30, 2024
View reviewed changes
Copy link
Contributor

@JoeCap08055 JoeCap08055 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I've lost quite a bit of context since SIWFv1, but I just want to point out that domain and uri are two separate and unrelated things in the "Sign in with Ethereum" (Sign in With X) spec.

domain is the domain of the app requesting a signin (ie, mewe.com)
uri is the URI of the signing app (ie, frequencyaccess.com)

We should make sure that our use of these fields is as the standard expects; at this point I'm a little unclear if it does.
(Realizing that this may work fine for SIWFv2, but may break when we re-integrate standalone wallets and/or the Talisman SIWS package)

JoeCap08055
JoeCap08055 approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@JoeCap08055 JoeCap08055 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My comments/concerns addressed in an external thread; looks good!

@mattheworris mattheworris requested a review from wilwade October 31, 2024 14:39
wilwade
wilwade reviewed Oct 31, 2024
View reviewed changes
docs/src/Actions/Response.md
@@ -107,7 +108,10 @@ Chain ID: frequency:{{chainReference}}
Issued At: {{issued-at}}
```

Inside the message, `{{domain}}` is the domain of the application requesting the sign-in. `{{domain}}` should match the domain contained in the `URI` field.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❤️

mattheworris
mattheworris commented Oct 31, 2024
View reviewed changes
docs/src/Actions/Response.md
@@ -107,7 +108,10 @@ Chain ID: frequency:{{chainReference}}
Issued At: {{issued-at}}
```

Inside the message, `{{domain}}` is the domain of the application requesting the sign-in. `{{domain}}` should match the domain contained in the `URI` field.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Domain clarification

@mattheworris mattheworris enabled auto-merge (squash) October 31, 2024 14:41
@mattheworris mattheworris disabled auto-merge October 31, 2024 14:42
@mattheworris mattheworris enabled auto-merge (squash) October 31, 2024 14:45
@mattheworris mattheworris disabled auto-merge October 31, 2024 14:46
wilwade
wilwade approved these changes Oct 31, 2024
View reviewed changes
Copy link
Contributor

@wilwade wilwade left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯 Thanks!

@mattheworris mattheworris merged commit ce36a68 into main Oct 31, 2024
6 checks passed
@mattheworris mattheworris deleted the 200-bug-domain-only-validation-doesnt-work-for-custom-schemes branch October 31, 2024 15:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JoeCap08055 JoeCap08055 JoeCap08055 approved these changes

@wilwade wilwade wilwade approved these changes

Assignees

@mattheworris mattheworris

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Bug: Domain only validation doesn't work for custom schemes
3 participants
@mattheworris @wilwade @JoeCap08055