A user found a bug where the SDK was sending an expired BLS session sig. I discovered that we aren't checking the expiration when we are checking if we need to resign the session key. We do this check for ECDSA, because it's built into SIWE, but we can't use SIWE verification for the BLS session sig, because SIWE doesn't understand BLS.
This makes it so that we check the expiration and issued at time, and then throw an error if they're not valid. The calling function (checkNeedToResignSessionKey()) catches errors and will try to re-sign if the SIWE is expired.
A user found a bug where the SDK was sending an expired BLS session sig. I discovered that we aren't checking the expiration when we are checking if we need to resign the session key. We do this check for ECDSA, because it's built into SIWE, but we can't use SIWE verification for the BLS session sig, because SIWE doesn't understand BLS.
So we're checking the sig already, and this PR just copy/pastes the timestamp verification code from the SIWE repo here: https://github.com/spruceid/siwe/blob/main/packages/siwe/lib/client.ts#L289
This makes it so that we check the expiration and issued at time, and then throw an error if they're not valid. The calling function (
checkNeedToResignSessionKey()
) catches errors and will try to re-sign if the SIWE is expired.