Merge pull request #15 from oasisprotocol/ptrus/feature/siwe-statement-validation

auth/siwe: validate statement

Author: ptrus

api/auth/jwt.go

@@ -29,6 +29,8 @@ const (
 
 	nonceTTL = 60 * time.Second
 	jwtTTL   = 30 * time.Minute
+
+	siweStatement = "Sign in to ROFL App Backend"
 )
 
 // CustomClaims are the claims for the JWT.
@@ -189,6 +191,17 @@ func SIWELoginHandler(redisClient *redis.Client, cfg *config.AuthConfig) func(w
 			common.WriteError(w, http.StatusUnauthorized, "invalid SIWE signature")
 			return
 		}
+		// Verify the statement.
+		statement := msg.GetStatement()
+		if statement == nil {
+			common.WriteError(w, http.StatusUnauthorized, "missing statement")
+			return
+		}
+		if *statement != siweStatement {
+			common.WriteError(w, http.StatusUnauthorized, "invalid statement")
+			return
+		}
+
 		// Verify the Chain ID if set.
 		if cfg.SIWEChainID != 0 && msg.GetChainID() != cfg.SIWEChainID {
 			common.WriteError(w, http.StatusUnauthorized, "invalid SIWE chain ID")

e2e/e2e_test.go

@@ -168,7 +168,7 @@ func doSIWELogin(t *testing.T, client *http.Client) string {
 	msg, err := siwe.InitMessage(siweDomain, addr.Hex(), "http://"+siweDomain, nonceRes.Nonce, map[string]interface{}{
 		"chainId":   1,
 		"version":   "1",
-		"statement": "Sign in to localhost",
+		"statement": "Sign in to ROFL App Backend",
 	})
 	require.NoError(err, "failed to build SIWE message")
 	msgHash := signHash([]byte(msg.String()))

frontend_test/src/main.js

@@ -25,7 +25,7 @@ loginBtn.onclick = async () => {
   const siweMsg = new SiweMessage({
     domain: "localhost",
     address: checksummed,
-    statement: "Sign in to localhost",
+    statement: "Sign in to ROFL App Backend",
     uri: "http://" + domain,
     version: "1",
     chainId: 1,