feat: add sign in with ethereum to signInWithWeb3 (#1082)

## What kind of change does this PR introduce?

This PR adds SIWE (Sign-In-With-Ethereum) support to auth-js, related to
[this PR on /auth](supabase/auth#2069)

## What is the current behavior?

Multiple providers & SIWS (Solana) supported

## What is the new behavior?

Add SIWE (Ethereum) support.

## Additional context

The types are inspired by the the [viem](https://viem.sh/) library,
which has minimal & modern types, but they were simplified and copied
over to the local code to remove dependency on it.

Author: Bewinxed

src/GoTrueClient.ts

@@ -32,6 +32,7 @@ import {
   _ssoResponse,
 } from './lib/fetch'
 import {
+  deepClone,
   Deferred,
   getItemAsync,
   isBrowser,
@@ -110,9 +111,18 @@ import type {
   SolanaWeb3Credentials,
   SolanaWallet,
   Web3Credentials,
+  EthereumWeb3Credentials,
+  EthereumWallet,
 } from './lib/types'
 import { stringToUint8Array, bytesToBase64URL } from './lib/base64url'
-import { deepClone } from './lib/helpers'
+import {
+  fromHex,
+  getAddress,
+  Hex,
+  toHex,
+  createSiweMessage,
+  SiweMessage,
+} from './lib/web3/ethereum'
 
 polyfillGlobalThis() // Make "globalThis" available
 
@@ -648,7 +658,10 @@ export default class GoTrueClient {
 
   /**
    * Signs in a user by verifying a message signed by the user's private key.
-   * Only Solana supported at this time, using the Sign in with Solana standard.
+   * Supports Ethereum (via Sign-In-With-Ethereum) & Solana (Sign-In-With-Solana) standards,
+   * both of which derive from the EIP-4361 standard
+   * With slight variation on Solana's side.
+   * @reference https://eips.ethereum.org/EIPS/eip-4361
    */
   async signInWithWeb3(credentials: Web3Credentials): Promise<
     | {
@@ -659,11 +672,153 @@ export default class GoTrueClient {
   > {
     const { chain } = credentials
 
-    if (chain === 'solana') {
-      return await this.signInWithSolana(credentials)
+    switch (chain) {
+      case 'ethereum':
+        return await this.signInWithEthereum(credentials)
+      case 'solana':
+        return await this.signInWithSolana(credentials)
+      default:
+        throw new Error(`@supabase/auth-js: Unsupported chain "${chain}"`)
+    }
+  }
+
+  private async signInWithEthereum(
+    credentials: EthereumWeb3Credentials
+  ): Promise<
+    | { data: { session: Session; user: User }; error: null }
+    | { data: { session: null; user: null }; error: AuthError }
+  > {
+    // TODO: flatten type
+    let message: string
+    let signature: Hex
+
+    if ('message' in credentials) {
+      message = credentials.message
+      signature = credentials.signature
+    } else {
+      const { chain, wallet, statement, options } = credentials
+
+      let resolvedWallet: EthereumWallet
+
+      if (!isBrowser()) {
+        if (typeof wallet !== 'object' || !options?.url) {
+          throw new Error(
+            '@supabase/auth-js: Both wallet and url must be specified in non-browser environments.'
+          )
+        }
+
+        resolvedWallet = wallet
+      } else if (typeof wallet === 'object') {
+        resolvedWallet = wallet
+      } else {
+        const windowAny = window as any
+
+        if (
+          'ethereum' in windowAny &&
+          typeof windowAny.ethereum === 'object' &&
+          'request' in windowAny.ethereum &&
+          typeof windowAny.ethereum.request === 'function'
+        ) {
+          resolvedWallet = windowAny.ethereum
+        } else {
+          throw new Error(
+            `@supabase/auth-js: No compatible Ethereum wallet interface on the window object (window.ethereum) detected. Make sure the user already has a wallet installed and connected for this app. Prefer passing the wallet interface object directly to signInWithWeb3({ chain: 'ethereum', wallet: resolvedUserWallet }) instead.`
+          )
+        }
+      }
+
+      const url = new URL(options?.url ?? window.location.href)
+
+      const accounts = await resolvedWallet
+        .request({
+          method: 'eth_requestAccounts',
+        })
+        .then((accs) => accs as string[])
+        .catch(() => {
+          throw new Error(
+            `@supabase/auth-js: Wallet method eth_requestAccounts is missing or invalid`
+          )
+        })
+
+      if (!accounts || accounts.length === 0) {
+        throw new Error(
+          `@supabase/auth-js: No accounts available. Please ensure the wallet is connected.`
+        )
+      }
+
+      const address = getAddress(accounts[0])
+
+      let chainId = options?.signInWithEthereum?.chainId
+      if (!chainId) {
+        const chainIdHex = await resolvedWallet.request({
+          method: 'eth_chainId',
+        })
+        chainId = fromHex(chainIdHex as Hex)
+      }
+
+      const siweMessage: SiweMessage = {
+        domain: url.host,
+        address: address,
+        statement: statement,
+        uri: url.href,
+        version: '1',
+        chainId: chainId,
+        nonce: options?.signInWithEthereum?.nonce,
+        issuedAt: options?.signInWithEthereum?.issuedAt ?? new Date(),
+        expirationTime: options?.signInWithEthereum?.expirationTime,
+        notBefore: options?.signInWithEthereum?.notBefore,
+        requestId: options?.signInWithEthereum?.requestId,
+        resources: options?.signInWithEthereum?.resources,
+      }
+
+      message = createSiweMessage(siweMessage)
+
+      // Sign message
+      signature = (await resolvedWallet.request({
+        method: 'personal_sign',
+        params: [toHex(message), address],
+      })) as Hex
     }
 
-    throw new Error(`@supabase/auth-js: Unsupported chain "${chain}"`)
+    try {
+      const { data, error } = await _request(
+        this.fetch,
+        'POST',
+        `${this.url}/token?grant_type=web3`,
+        {
+          headers: this.headers,
+          body: {
+            chain: 'ethereum',
+            message,
+            signature,
+            ...(credentials.options?.captchaToken
+              ? { gotrue_meta_security: { captcha_token: credentials.options?.captchaToken } }
+              : null),
+          },
+          xform: _sessionResponse,
+        }
+      )
+      if (error) {
+        throw error
+      }
+      if (!data || !data.session || !data.user) {
+        return {
+          data: { user: null, session: null },
+          error: new AuthInvalidTokenResponseError(),
+        }
+      }
+      if (data.session) {
+        await this._saveSession(data.session)
+        await this._notifyAllSubscribers('SIGNED_IN', data.session)
+      }
+      return { data: { ...data }, error }
+    } catch (error) {
+      if (isAuthError(error)) {
+        return { data: { user: null, session: null }, error }
+      }
+
+      throw error
+    }
   }
 
   private async signInWithSolana(credentials: SolanaWeb3Credentials) {

src/lib/types.ts

@@ -1,6 +1,8 @@
+import { EIP1193Provider } from './web3/ethereum'
 import { AuthError } from './errors'
 import { Fetch } from './fetch'
-import type { SolanaSignInInput, SolanaSignInOutput } from './solana'
+import type { SolanaSignInInput, SolanaSignInOutput } from './web3/solana'
+import { EthereumSignInInput, Hex } from './web3/ethereum'
 
 /** One of the providers supported by GoTrue. */
 export type Provider =
@@ -673,7 +675,46 @@ export type SolanaWeb3Credentials =
       }
     }
 
-export type Web3Credentials = SolanaWeb3Credentials
+export type EthereumWallet = EIP1193Provider
+
+export type EthereumWeb3Credentials =
+  | {
+      chain: 'ethereum'
+
+      /** Wallet interface to use. If not specified will default to `window.solana`. */
+      wallet?: EthereumWallet
+
+      /** Optional statement to include in the Sign in with Solana message. Must not include new line characters. Most wallets like Phantom **require specifying a statement!** */
+      statement?: string
+
+      options?: {
+        /** URL to use with the wallet interface. Some wallets do not allow signing a message for URLs different from the current page. */
+        url?: string
+
+        /** Verification token received when the user completes the captcha on the site. */
+        captchaToken?: string
+
+        signInWithEthereum?: Partial<
+          Omit<EthereumSignInInput, 'version' | 'domain' | 'uri' | 'statement'>
+        >
+      }
+    }
+  | {
+      chain: 'ethereum'
+
+      /** Sign in with Ethereum compatible message. Must include `Issued At`, `URI` and `Version`. */
+      message: string
+
+      /** Ed25519 signature of the message. */
+      signature: Hex
+
+      options?: {
+        /** Verification token received when the user completes the captcha on the site. */
+        captchaToken?: string
+      }
+    }
+
+export type Web3Credentials = SolanaWeb3Credentials | EthereumWeb3Credentials
 
 export type VerifyOtpParams = VerifyMobileOtpParams | VerifyEmailOtpParams | VerifyTokenHashParams
 export interface VerifyMobileOtpParams {